Print | Reprint

Twenty Questions For Directors To Ask Internal Auditors

By Dan Swanson, Compliance Week Columnist — May 9, 2006

ABOUT COMPLIANCE WEEK Compliance Week content is normally restricted to paying subscribers only. However, this article was made available to you through a special arrangement with KPMG. For full access to Compliance Week every week, click here to become a subscriber.

he internal audit department’s unique position within a company provides management and audit committee members with valuable assistance, by giving objective assurance on governance, risk management and control processes. Audit committees, of course, are responsible for providing oversight to the internal audit efforts within the organization—so how audit committees work with their internal audit staff is crucial to the success of the entire internal audit operation.

As one of the cornerstones of corporate governance (along with the board of directors, senior management and external auditing), internal auditing can provide strategic, operational and tactical value to an organization’s operations. For example, internal auditing is:

• A resource to the board and management for helping to ensure the entire organization has the resources, systems, and processes for operating an efficient and effective organization.

• An assurance service for management and the board that confirms adequate controls are in place. By ensuring that qualified professional reviews and tests are performed, the board and management can advance their goals of overseeing the organization’s operations and helping to ensure continuous improvement and success.

• An independent validation that the organization’s efforts are proactive and effective against current and emerging threats.

ABOUT THE AUTHOR

Dan Swanson is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. Prior to the IIA, Swanson was an independent management consultant for more than 10 years. Swanson has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function. The author of more than 70 articles on internal auditing, Swanson is currently a freelance writer and independent management consultant at an eponymous firm. Contact Information Swanson can be reached via the Web at www.securitybenchmark.com. Click Here For Swanson’s Previous Column.

Without question, fostering a strong internal audit department should be a high priority for the audit committee. Audit committee members should have input to the leadership and activities of their internal audit team as well as oversee the internal audit team’s performance. The Institute of Internal Auditors’ briefing paper, “Internal Audit Standards: Why They Matter,” provides a summary of typical audit committee responsibilities for oversight of internal audit functions, and discusses how audit committees can forge closer ties with their internal auditors. And at companies where an internal audit function has not been formally established, these questions can be discussed with senior management to deliver that same sense of urgency.

Questions To Ask

How to get started? The IIA has another briefing paper, “20 Questions Directors Should Ask Of Internal Audit,” to help audit committees develop a better understanding of their expectations and the chief auditing executive’s duties. (The questions themselves, organized into six categories, are listed below, left.)

The first important area to explore is what the role and mandate of the internal audit department should be—that is, what services it should provide and what priorities the function should have. The internal audit charter should support the audit committee’s responsibilities, and the long-term internal audit plan should present the assurance plans for the organization and the audit committee.

20 QUESTIONS

The excerpt below is from "20 Questions Directors Should Ask about Internal Audit," published by The Institute of Internal Auditors: A. Internal audit's role and mandate 1. Should we have an Internal Audit function? 2. What should our Internal Audit function do? 3. What should be the mandate of the Internal Audit function? B. Internal audit relationships 4. What is the relationship between Internal Auditing and the Audit Committee? 5. To whom does Internal Auditing report administratively? C. Internal audit resources 6. How is the Internal Audit function staffed? 7. How does Internal Auditing get and maintain the expertise it needs to conduct its assignments? 8. Are the activities of Internal Auditing appropriately coordinated with those of the external auditors? D. Internal audit process 9. How is the Internal Audit plan developed? 10. What does the Internal Audit plan not cover? 11. How are Internal Audit findings reported? 12. How are corporate managers required to respond to Internal Audit findings and recommendations? 13. What services does Internal Auditing provide in connection with fraud? 14. How do you assess the effectiveness of your Internal Audit function? E. Closing questions 15. Does Internal Auditing have sufficient resources? 16. Does the Internal Audit function get appropriate support from the CEO and senior management team? 17. Are you satisfied that this organization has adequate internal controls over its major risks? 18. Are there any other matters that you wish to bring to the Audit Committee’s attention? 19. Are there other ways in which Internal Auditing and the Audit Committee could support each other? F. Audit committee overall assessment 20. Are we (the Audit Committee) satisfied with our Internal Audit function? Source Institute Of Internal Auditors

The second important area to explore is the relationship of the audit committee with the internal audit function. Here the key issues are whether the internal audit activities are supported by the audit committee (for example, ensuring appropriate organizational status and sufficient resources) and what influence management has on the internal audit function through its organizational structure. If the internal audit department reports administratively to a level deep down in the organization, experience has shown its work could be adversely affected by senior management.

A third topic is resources. Does internal auditing have the appropriate level of resources, and the right skill sets to do its job well? If not, auditing of the organization and the depth of analysis can be inappropriate. Investment in internal audit activities is worthwhile, but a regular dialogue on what level of support works best between the audit committee and the chief internal auditor ensures a healthy internal audit function.

Discussions around internal audit processes are useful to ensure the internal audit function is adopting best practices, improving itself, and—most important—tackling the right projects in the right ways. Just as external auditors evaluate business areas during financial audits, audit committee members must be confident that internal auditing is always improving too.

Finally, the results of the internal audit efforts should be regularly reviewed, and an overall determination made about whether the audit committee is satisfied with the information and performance it receives from internal auditing.

Directors must satisfy themselves that the answers they receive are appropriate, and that the internal audit function works. Increased communication between the audit committee and the leadership of the internal audit function is the first step, certainly, but meaningful dialogue is necessary to support the internal audit function and take it to the next level of success.

A robust internal audit function strengthens corporate performance and provides assurance to the audit committee and the board that the organization is doing all the things it should be doing. The audit committee also needs to provide effective oversight of this important function—and the resources and questions highlighted today will support efforts to do just that. As Eleanor Bloxham, chief executive of the Corporate Governance Alliance and adviser to companies and boards, puts it: “A close relationship between audit committees and internal audit isn’t optional; it’s the lynchpin of an organization’s safety and soundness.”

---