Internal Audit: Why it s important

Similar documents
Quality Assurance Checklist

Guidance for audit committees. The internal audit function

Effective Internal Audit in the Financial Services Sector

the role of the head of internal audit in public service organisations 2010

The Framework for Quality Assurance

Internal Audit Charter

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

ROLES AND RESPONSIBILITIES The roles and responsibilities expected of teachers at each classification level are specified in the Victorian Government

august09 tpp Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

Risk management systems of responsible entities: Further proposals

INTERNAL AUDIT FRAMEWORK

Public Sector Internal Audit Standards. Applying the IIA International Standards to the UK Public Sector

Internal Audit Framework

The Compliance Universe

Public Sector Internal Audit Standards. Applying the IIA International Standards to the UK Public Sector

Internal Audit Terms of Reference

Internal Audit Standards

Quality Assurance. Policy P7

SECTION B DEFINITION, PURPOSE, INDEPENDENCE AND NATURE OF WORK OF INTERNAL AUDIT

Internal Audit Charters

EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING (IVZW)

SAI GLOBAL LIMITED Risk Management Policy

OAC Presentation to UNESCO Member States

APES 325 Risk Management for Firms

Internal Audit Charter. Version 1 (7 November 2013)

CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value. May 2012.

U & D COAL LIMITED A.C.N BOARD CHARTER

Corporate Governance Statement 21 October 2015

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Risk & Compliance Committee Charter. HCF Life Insurance Company Pty Limited (ACN ) (the Company )

Public Sector Internal Audit Standards

European Investment Bank. Charter for Internal Audit

CORPORATE GOVERNANCE STATEMENT

Good Practice Guide: the internal audit role in information assurance

Internal Auditing Guidelines

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

How quality assurance reviews can strengthen the strategic value of internal auditing*

Risk & Compliance Committee Charter. HCF Life Insurance Company Pty Ltd (ACN ) (the Company )

Reporting Service Performance Information

Internal Auditing: Assurance, Insight, and Objectivity

AN OVERVIEW OF THE QUALITY ASSURANCE OF SCQF CREDIT RATING BODIES

Positioning the internal audit function within the Solvency II framework Key challenges. Ludovic Bardon Senior Manager Audit Deloitte Luxembourg

Macquarie Group Limited Board Charter

Effective Internal Audit in the Financial. Services Sector. Non Executive Directors (NEDs) and the Management of Risk

Practice guide. quality assurance and IMProVeMeNt PrograM

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

Guide to Internal Audit

Compliance Review Report Internal Audit and Risk Management Policy for the New South Wales Public Sector

Internal Audit and supervisory expectations building on progress

Financial Management Framework >> Overview Diagram

QUALITY ASSURANCE POLICY

Final Draft Guidance on Audit Committees

1. This bulletin, which contains the Charter of the Office of Internal Oversight Services (IOS) of

What Every Director. How to get the most from your internal audit. Endorsed by

Establishing a Quality Assurance and Improvement Program

Risk Management Policy

Audit, Business Risk and Compliance Committee Charter Pact Group Holdings Ltd (Company)

POSITION PAPER Improving cooperation between internal and external audit

The Institute of Internal Auditors 247 Maitland Avenue Altamonte Springs, FL USA

OFFICE OF THE CONTROLLER AND AUDITOR-GENERAL Te Mana Arotake THE RELATIONSHIP BETWEEN INTERNAL AND EXTERNAL AUDIT IN THE PUBLIC SECTOR

The Company intends to follow the ASX CGC P&R in all respects other than as specifically provided below.

Internal Audit Manual

NCR Corporation Board of Directors Corporate Governance Guidelines Revised January 20, 2016

South East Water Corporation Finance Assurance and Risk Management Committee Charter

COBIT 5 Introduction. 28 February 2012

Department of Infrastructure and Planning: Governance Framework for Infrastructure Delivery Special Purpose Vehicles

Information Security: Business Assurance Guidelines

Corporate Governance Guidelines

MCH LEADERSHIP SKILLS SELF-ASSESSMENT

From ICAAP/ORSA to ERM: Board and Senior Management Oversight. Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca

Health and Safety Policy and Procedures

Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3)

The post holder will be guided by general polices and regulations, but will need to establish the way in which these should be interpreted.

Corporate Governance Statement

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

PACIFIC ISLANDS FORUM SECRETARIAT FEMM BIENNIAL STOCKTAKE 2012

Audit Committee Institute Assessment of audit committees

Issue date: 25 June Board of Directors Charter

AUDIT AND RISK ASSESSMENT COMMITTEE TERMS OF REFERENCE

1. Trustees annual report

Exposure Draft: Improving the Structure of the Code of Ethics for Professional Accountants Phase 1

Information Governance Management Framework

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS

How To Manage A Corporate Council

Audit, Risk Management and Compliance Committee Charter

THE UNIVERSITY OF EDINBURGH PROGRAMME SPECIFICATION FOR MA HONOURS ACCOUNTING AND FINANCE 1

Board Charter. HCF Life Insurance Company Pty Ltd (ACN ) (the Company )

The Big Assurance Picture

Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

Internal Audit Quality Assessment Framework

Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities.

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

Tel (03) Fax (03) ACIIA ADVOCACY PROJECT ASIAN STOCK EXCHANGE PERSPECTIVES ON INTERNAL AUDIT

CONSIDERATIONS WHEN SELECTING AN AUSTRALIAN FINANCIAL SERVICES (AFS) LICENSEE

Standards for the Professional Practice of Internal Auditing

MALAYSIAN CODE ON CORPORATE GOVERNANCE

2012 Audit Plan. Finance, Audit and Facilities Committee Board of Regents. November 2011 ATTACHMENT

Transcription:

Internal Audit: Why it s important This information sheet provides guidance to assist organisations to determine whether to have an internal audit function, and to ensure the quality of internal audit services. Internal Audit has become an important element in the assurance environment of many organisations and a valuable tool and contributor to managing risk more effectively. This applies to both the corporate sector and the public sector. The increased importance of Internal Audit has been reflected in the most recent revision of the ASX Corporate Governance Principles and Recommendations (3 rd edition, 2014) which has adopted the position that if listed organisations do not have an internal audit function, they need to explain the reason ( if not, why not ). Additionally, the Australia Prudential Regulation Authority (APRA) has a mandated requirement for internal audit for financial institutions. Many Governments also require Internal Audit functions to be established. This information sheet explains: 1. What is internal audit? 2. The assurance environment 3. Why is internal audit important? 4. What does internal audit do? 5. How can internal audit be independent? 6. What is the scope of internal audit work? 7. What guides internal audit work? 8. Is internal audit mandated? 9. What does contemporary internal audit look like? 10. How can internal audit services be delivered? 11. What do good practice internal audit services feature? 12. How is the quality of internal audit work assured? 13. Where can I get more information? This information sheet is relevant to: Boards of directors. Audit committee members. Heads of organisations. Corporate sector. Public sector. Page 1

1. What is internal audit? Internal audit is a key pillar of good governance. It provides the board of directors, the audit committee, the chief executive officer, senior executives and stakeholders with an independent view on whether the organisation has an appropriate risk and control environment, whilst also acting as a catalyst for a strong risk and compliance culture within an organisation. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Source: The International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors Internal audit work is risk based and encompasses both financial and non financial operations of the organisation. The head of internal audit is generally called the chief audit executive. 2. The assurance environment Organisations have a range of activities to provide assurance to the board of directors, the audit committee, the chief executive officer, and stakeholders that the organisation is effectively governed. Many organisations uses a Combined Assurance 3 Lines of Defence model to define their assurance environment: The 1 st line of defence originates or initiates risk, and is responsible for managing the risks and having in place mechanisms to demonstrate controls are working effectively. The 2 nd line of defence monitors, reviews and tests effectiveness of 1 st line control and management of risks. The 3 rd line of defence independently evaluates and gives an opinion on the adequacy and effectiveness of both 1 st line and 2 nd line risk management approaches. This approach demonstrates how assurance activities co ordinate to provide assurance to the board of directors, the audit committee, the chief executive officer, and stakeholders. Whilst it will be different for every organisation, the concept can generally be illustrated as shown in the following diagram. This shows where internal audit sits in the organisation assurance environment. Combined Assurance - 3 Lines of Defence 1 st Line of Defence 2 nd Line of Defence 3 rd Line of Defence Management Controls Management of Risk Independent Assurance The Institute of Internal Auditors Australia factsheet Page 2

Real Time Focus Real Time Focus + Review of 1 st Line Review of 1 st Line and 2 nd Line Management Controls Review governance and compliance Implement improvements Risk Management Technical Compliance Regulatory Compliance Work Health Safety Environment Confirm governance and compliance Recommend improvements Internal Audit External Audit Regulators Independently confirm governance and compliance Recommend improvements 3. Why is internal audit important? As shown in the 3 Lines of Defence diagram, internal audit is a key component in the assurance structure of an organisation. Whilst all assurance mechanisms are important, co ordination of the various assurance activities will provide a holistic assurance environment. Internal audit features prominently in that assurance environment. Internal Audit is a cornerstone of good corporate governance in organisations and can play an important role to improve management and accountability, both financial and non financial. Internal audit can be a pivotal activity to provide assurance to the board of directors, the audit committee, and the chief executive officer, and stakeholders that the organisation is governed effectively. 4. What does internal audit do? Organisations establish an independent internal audit function to provide continuous review of the effectiveness of risk management, control, and governance processes. Internal audit does this by: Providing independent, unbiased assessment of the operations of the organisation. Providing management with information on the effectiveness of risk management, control and governance processes. Acting as a catalyst for improvement in risk management, control and governance processes. Being an adviser that tells management what it needs to know, when it needs to know it. The purpose of internal audit is to support the board of directors, the audit committee and the chief executive officer by: The Institute of Internal Auditors Australia factsheet Page 3

Reviewing achievement of organisation objectives. Assessing if decisions are properly authorised. Assessing reliability and integrity of information. Reviewing assets are safeguarded. Assessing compliance with laws, regulations, policies and contracts. Assessing efficiency, effectiveness and economy of business activities. Reviewing opportunity for fraud and corruption. Following up previous audits to assess if remedial action has been effectively implemented. Looking for better ways of doing things. 5. How can internal audit be independent? Whilst internal audit is a part of the organisation, reporting structures are put in place to make it independent from the mainstream organisation. The internal audit function is established by authority of the board of directors (corporate sector) or the head of the organisation (public sector) and its responsibilities are defined in an internal audit charter which is approved by the audit committee. Internal audit is authorised: Full, free, and unrestricted access to all records, data, personnel, and assets at the time they are relevant for performance of its work. Free and unrestricted access to the chair of the audit committee. Good practice reporting arrangements for internal audit are: Functionally for operations to the audit committee through the chair. Administratively to the chief executive officer. Functional reporting generally involves the audit committee: Reviewing and approving the internal audit charter. Approving all decisions regarding performance evaluations, appointment, or removal of the chief audit executive. Reviewing and approving the strategic internal audit plan, often for a 3 year period. Reviewing and approving the annual internal audit plan. Approving any changes to the annual internal audit plan. Reviewing reports from internal audit on the results of internal audit engagements, audit related activities, and other important matters. Meeting privately with the chief audit executive at least once each year without the chief executive officer present. Making enquiries of the chief audit executive to determine whether there are scope or budget limitations that impede the execution of internal audit responsibilities. Administrative reporting to the chief executive officer generally includes: The Institute of Internal Auditors Australia factsheet Page 4

Internal audit resources and annual budget. Provision of corporate services to internal audit including office accommodation, computers and equipment. Human resource administration, including performance evaluations. These reporting arrangements are shown in the following diagram: Board of Directors Chief Executive Officer Internal Audit administrative reporting Audit Committee Functional reporting for Internal Audit operations Internal Audit (Chief Audit Executive) 6. What is the scope of internal audit work? The scope of internal audit work embraces the wider concept of corporate governance and risk, recognising that controls exist in organisations to manage risks and promote effective and efficient governance and performance. The types of internal audit work will generally encompass: Assurance services objective examination of evidence for the purpose of providing an independent assessment of risk management, control and governance processes. Consulting services advisory and related client activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve business operations. Value adding services focusing on efficiency and effectiveness to improve processes and the economical use of finances and resources. 7. What guides internal audit work? The internal audit charter approved by the audit committee will provide the in house guidance for internal audit work. For the conduct of its work, internal audit is required to conform to the following mandatory requirements contained in the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors (IIA): The Definition of Internal Auditing. The Code of Ethics. The Institute of Internal Auditors Australia factsheet Page 5

The International Standards for the Professional Practice of Internal Auditing. 8. Is internal audit mandated? The most recent revision of the ASX Corporate Governance Principles and Recommendations (3 rd edition, 2014) has adopted the position that if listed organisations do not have an internal audit function, they need to explain the reason ( if not, why not ). Under the Principles and Recommendations, if the board of a listed entity considers that a Council recommendation is not appropriate to its particular circumstances, it is entitled not to adopt it. If it does so, however, it must explain why it has not adopted the recommendation the if not, why not approach. Principle 7 states in part: Principle 7 Recognise and manage risk Recommendation 7.3 A listed entity should disclose: (a) if it has an internal audit function, how the function is structured and what role it performs; or (b) if it does not have an internal audit function, that fact and the processes it employs for evaluating and continually improving the effectiveness of its risk management and internal control processes. Commentary An internal audit function can assist a listed entity to accomplish its objectives by bringing a systematic, disciplined approach to evaluating and continually improving the effectiveness of its risk management and internal control processes. If a listed entity has an internal audit function, the head of that function ideally should have a direct reporting line to the board or to the board audit committee to bring the requisite degree of independence and objectivity to the role. The Australia Prudential Regulation Authority (APRA) has mandated a requirement for internal audit for financial institutions in prudential standard CPS 510 Governance: Internal audit 92. An APRA regulated institution must have an independent and adequately resourced internal audit function. If an institution does not believe it is necessary to have a dedicated internal audit function, it must apply to APRA to seek an exemption from this requirement, setting out reasons why it believes it should be exempt. APRA may approve alternative arrangements for an institution where APRA is satisfied that they will achieve the same objectives. In a public sector context, many Governments require Internal Audit functions to be established. 9. What does contemporary internal audit look like? Contemporary internal audit will generally have the following characteristics: Lives within the organisation it audits. The Institute of Internal Auditors Australia factsheet Page 6

Seeks to provide assurance to the audit committee and management on the effectiveness of risk management, control and governance processes. Seeks to add value and help improve the organisation. Is independent of the organisation functions it audits. Functionally reports to an audit committee for its operations. Reports to the chief executive officer for its administration. Is led by a chief audit executive. Performs its work in accordance with the internal audit standards. Provides assurance services, and may also provide consulting services. May perform various types of auditing compliance, financial, ICT, integrated audit, etc. May perform operational audits to review efficiency, effectiveness and economy of business activities. 10. How can internal audit services be delivered? There are a number of models that can be used to deliver internal audit services to an organisation: In house Internal audit services are provided exclusively or predominately by in house employees of the organisation. Internal audit is managed in house by an employee of the organisation. Co sourced Internal audit services are provided by a combination of in house employees and service providers. Internal audit is managed in house by an employee of the organisation. Outsourced with in house management Internal audit services are provided by service providers contracted to the organisation for this purpose. Internal audit is managed in house by an employee of the organisation. 100% Outsourced Internal audit services are provided by service providers contracted to the organisation for this purpose. The service provider also manages the internal audit function. Project management of the service provider contract is done in house by an employee of the organisation. It is a generally accepted principle that the external auditor should not also provide internal audit services to the same organisation. 11. What do good practice internal audit services feature? Good practice internal audit services will generally include: The Institute of Internal Auditors Australia factsheet Page 7

Risk based Internal audit work is risk based and client focused. Independence and positioning Internal audit is operationally independent from the activities it audits. Internal audit is appropriately positioned in the organisation governance framework to ensure its work complements the work of other internal and external assurance and review providers. Internal audit planning and work Internal audit has a well developed business strategy that clearly articulates its role and responsibilities. Internal Audit is business focused, with comprehensive and balanced audit plans linked to the organisation strategy and current and emerging risks. Internal audit undertakes its audits in accordance with the internal audit standards. There is active management of service providers contracted to provide internal audit services. Resourcing Internal audit has sufficient resources, with access to internal auditors with the necessary skills, experience and personal attributes to achieve what is expected of it. Technical and subject matter experts will be brought in for technical internal audit engagements. Communication and reporting Internal audit has the confidence of key stakeholders including the board of directors, the audit committee, the chief executive officer, and senior management. Internal audit provides reports and other services, based on efficient and effective work practices that are valued by stakeholders. Internal audit provides an annual report of its work, including an assessment of the effectiveness of the organisation control system. Internal audit advises the audit committee and management of patterns, trends and systemic issues identified from its work. Internal audit facilitates communication between external audit and management of the organisation. Internal audit regularly informs the audit committee of progress in the implementation of agreed internal audit and external audit recommendations. Review and improvement Internal audit disseminates lessons learned arising out of its work to relevant areas of the organisation. Internal audit is subject to periodic assessment and review as part of a continuous improvement process. The Institute of Internal Auditors Australia factsheet Page 8

12. How is the quality of internal audit work assured? Internal audit is required to maintain a quality assurance and improvement program that includes: Ongoing internal assessments, for example: Working paper reviews. Actual versus budgeted analysis for time spent on internal audit engagements. Audit customer feedback surveys from management after each internal audit engagement. Performance evaluations. Results of internal audit performance measures. Periodic internal assessments usually performed annually: Review of the internal audit charter for conformance with the internal audit standards. Self assessment of conformance with the internal audit standards External Assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. It is a requirement of the internal audit standards for the results of the quality assurance and improvement program to be reported to the audit committee and senior management. 13. Where can I get more information? Contact the Institute of Internal Auditors Australia at www.iia.org.au or 02 9267 9155 Contact the Institute of Internal Auditors Global at www.theiia.org For a copy of the internal audit standards, go to: https://na.theiia.org/standards-guidance/pages/standards-and-guidance- IPPF.aspx For a copy of Prudential Standard CPS 510 Governance issued by APRA, go to: http://www.apra.gov.au/crossindustry/documents/final-prudential-standard- CPS-510-Governance-(January-2014).pdf For a copy of the ASX Corporate Governance Principles and Recommendations (3 rd edition, 2014), go to: http://www.asx.com.au/documents/asx-compliance/cgc-principles-andrecommendations-3rd-edn.pdf The Institute of Internal Auditors Australia factsheet Page 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information