In addition to establishing a charter, mission and/or vision, and internal audit plan,
the CAE is responsible for establishing and maintaining independence, objectivity, proficiency, and due professional care within the internal audit function.
Organization Independence states, "The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest."
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties.
Impairment to organizational independence and individual objectivity may include, but is not limited to:
Personal conflict of interest,
Restrictions on access to records, personnel, and properties, and
Resource limitations, such as funding.
Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.
Internal auditors must possess the knowledge, skills, and other competencies needed to perform
Due Professional Care:
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.
A comprehensive internal audit plan includes both the assurance services and consulting services necessary to assess how effectively the organization is managing the risks that threaten its business objectives.
Maximum effectiveness is achieved when the risk assessment process is completed annually at the beginning of, or prior to, an organization's fiscal year.
Establishment of goals,
Staffing schedules, and
Communication & Approval
After the internal audit plan has been established, the CAE must present it for approval to senior management and the board (typically the audit committee).
should include: resource requirements, significant interim changes, and the potential implications of resource limitations.
A significant consideration in implementing an internal audit function's plan is how to
It is the CAE's responsibility to "ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan."
Right sizing is an important concept in the staffing and scheduling of an internal audit
It is important to achieve and maintain a balance of knowledgeable and skilled staff to complete the internal audit plan, without putting undue stress on the staff by creating oppressive workloads, while simultaneously maintaining a reasonable financial budget.
Staff development is of particular importance for an internal audit function due to the requirements placed on it regarding proficiency and due professional care. This is done primarily through ongoing training and mentoring, as well as continued professional education.
Coordinating Assurance Efforts
The most common form of such collaboration is with the independent outside auditors.
Coordination outlines the circumstances under which the internal audit function can use work performed by the independent outside auditors.
Coordinating efforts is important because of the increase in effectiveness and efficiencies that can be gained.
In the three lines of defense model, the organizational layers the avenues through which they gain assurance that risks facing them are mitigated to a level within their risk appetite.
The CAE has the responsibility to "report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board."
Governance requires the internal audit function to "assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization;
Ensuring effective organizational performance management and accountability;
Communicating risk and control information to appropriate areas of the organization; and
Coordinating the activities of and communicating information among the board, [independent outside] and internal auditors, and management."
Generally defined, risk management is a participatory process designed to identify, document, evaluate, communicate, and monitor the most significant uncertainties facing an organization requiring risk mitigation or exploitation of opportunities to successfully achieve business objectives.
Risk management is most effective when senior management is actively engaged in the process in a way in which contributors step back from their specific area/department (silo) and consider the risks confronting the organization as a whole.
The internal audit function should not assume management roles:
Set the organization's risk appetite,
Make decisions on appropriate risk responses, or
Assume ownership of (be accountable for) the risk management processes.
"The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement."
Quality Assurance & Improvement
Quality assurance is the process of assuring that an internal audit function operates according to a set of standards defining the specific elements that must be present to ensure that the findings of the internal audit function are legitimate.