Chapter

3
MANAGING THE INTERNAL
AUDITING ACTIVITY
CASAŃA, GAGTO, MANZANO
WHO MANAGES IAA?

Chief Audit Executive

(CAE)
WHO MANAGES IAA? CONT.

• Internal Auditing Charter

• Definition of Internal Auditing

• Code of Ethics

• Standards(IIA)
DIVERSITY OF IAA MANAGEMENT

• With or Without CAE

• Size of an entity
• Small
• Large
WHEN IS IAA EFFECTIVELY MANAGED?

WHEN…

• …the purpose and responsibility included in the

internal audit charter are achieved.

• …IAA conforms with the Definition of Internal

Auditing and the Standard.

• …the individuals who are part of the IAA

demonstrate conformance with Code of Ethics and
Standards.
HOW TO EFFECTIVELY MANAGE IIA?

It is the CAE’s job.

• Possess a comprehensive knowledge and

understanding about his role laid down under the
Revised Corporate Code of Good Governance, the
internal audit charter, the IIA’s Professional Practices
Framework, and the Code of Ethics for Inter
Auditors.
RESPONSIBILITIES OF THE CAE

• PLANNING
• COMMUNICATION AND APPROVAL
• RESOURCE MANAGEMENT
• POLICIES AND PROCEDURES
• COORDINATION
• REPORTING TO THE BOARD AND SENIOR
MANAGEMENT
PLANNING

Planning for the internal audit activity should be

consistent with its charter and with the goals of the
organization.

The CAE should develop risk-based plans to

determine the priorities of the internal audit activity.
PLANNING CONT.

Planning Process

• Goals—accomplishable, measurable

• Engagement work schedules—what, when,

where, how activity is performed
• Staffing plans and financial budgets

• Activity reports
COMMUNICATION AND APPROVAL

Annual submission of the CAE of the summary of the

internal auditing activity’s work schedule, staffing
plans, and financial budgets to senior management
for approval and to the board of directors for
information.
RESOURCE MANAGEMENT

It is the management of human resources of the

internal auditing activity,
• Financial budgeting
• Staffing plans

Skills required of internal auditors

• Knowledge, skills, and other competencies
needed to perform their individual responsibilities
(IIA Standards 1210)
RESOURCE MANAGEMENT CONT.

Competency Framework of Internal Auditing(CFIA)

- it delineates the “attributes of a competent

auditing function, in the light of global ‘best practice
and capabilities required of key role-takers in a
competent internal auditing function.”
POLICIES AND PROCEDURES

These are to guide the internal auditing activity.

COORDINATION

Practice Advisory 2050

The CAE should share information and

coordinate activities with other internal and external
providers for relevant assurance and consulting
services to ensure proper coverage and minimize
duplication of efforts.
COORDINATION

Practice Advisory 2050

The CAE should share information and

coordinate activities with other internal and external
providers for relevant assurance and consulting
services to ensure proper coverage and minimize
duplication of efforts.

CAE should make regular evaluations of coordination

between internal and external auditors.
OUTSOURCING THE INTERNAL AUDIT ACTIVITY
OR USE OF EXTERNAL SERVICE PROVIDERS

Internal audit activity may use external services

providers or internal resources that are qualified in
disciplines.
OUTSOURCING THE INTERNAL AUDIT ACTIVITY
OR USE OF EXTERNAL SERVICE PROVIDERS CONT.

External Service Provider is a person or firm

independent of the organization, who has special
knowledge, skill, and experience in a particular
discipline. It may be used by internal audit activity,
among other things.
• Achievement of the objectives in management work
schedule
• Audit activities
• Valuation of assets
• Determination of quantities or physical condition of
certain assets
• Measuring the work completed and to be
completed on contract in progress
OUTSOURCING THE INTERNAL AUDIT ACTIVITY
OR USE OF EXTERNAL SERVICE PROVIDERS CONT.

• Fraud and security investigations

• Determination of amounts by using specialized
methods
• Interpretation of legal, technical and regulatory
requirements
• Evaluation of internal audit’s quality assurance and
improvement program in conformance with the
standards.
• Mergers and acquisitions
• Consulting on risk management and other matters
OUTSOURCING THE INTERNAL AUDIT ACTIVITY
OR USE OF EXTERNAL SERVICE PROVIDERS CONT.

Competency, Independence, and Objectivity of an

external service provider
• CAE needs to consider the competence,
independence, and objectivity of the external service
provider as it relates to the particular assignment to be
performed.
• CAE determines that it possesses the necessary
knowledge, skills, and other competencies to perform
the engagement:
• Professional Certification, license or other recognition
• Membership of the external service provider in an
appropriate professional organization
• The reputation of the external service provider
• The experience in the type of work being considered.
OUTSOURCING THE INTERNAL AUDIT ACTIVITY
OR USE OF EXTERNAL SERVICE PROVIDERS CONT.

• Extent of education and training received

• The knowledge and experience in the industry in
which the organization operates
• CAE assesses the independence and objectivity by
considering:
• The financial interest it may have in the organization
• The personal or professional affiliation it may have
to the board, senior management, or others within
the organization.
• The extent of ongoing services
• Compensation or other incentives
OUTSOURCING THE INTERNAL AUDIT ACTIVITY
OR USE OF EXTERNAL SERVICE PROVIDERS CONT.

Scope of the external service provider’s work

To ascertain that the scope of work is adequate

for the purposes of the internal audit activity, the CAE
obtains sufficient information regarding the external
service provider’s work.
QUALITY ASSURANCE AND IMPROVEMENT
PROGRAM (QAIP)

It is designed to enable an evaluation of the internal

audit activity’s conformance with the Definition of
Internal Auditing and the Standards and an
evaluation of whether internal auditors apply the
code of ethics.

It provides reasonable assurance that internal

auditing work is performed in accordance with its
charter.
QUALITY ASSURANCE AND IMPROVEMENT
PROGRAM (QAIP) CONT.

Requirements of the QAIP

Internal assessments
1. Ongoing monitoring of the performance of the
internal audit activity
2. Periodic reviewed performed through self-
assessment or by other persons within the
organization with sufficient knowledge of internal
auditing practices
QUALITY ASSURANCE AND IMPROVEMENT
PROGRAM (QAIP) CONT.

External assessments
It must be conducted at least once every five
years by a qualified, independent reviewer or review
team from outside organization.
CAE must discuss with the board:

•The need for more frequent external assessments

•The qualifications and independence of external
reviewer or review team, including any potential
conflict of interest.
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD

• The Chief Audit Executive (CAE) must report

periodically to Senior Management and the Board on
the internal audit activities, purpose, authority,
responsibility, and performance relative to its plan.

• The report must also include significant risk

exposures and control issues including fraud risks,
governance issues and other matters needed or
requested by senior management and the board.
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD CONT.

WHAT ARE SIGNIFICANT RISKS EXPOSURES AND

CONTROL ISSUES?

• conditions that according to the CAE’s

judgment could adversely affect the organization
and its ability to achieve its objectives.
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD CONT.

The CAE’s reporting and communication to senior

management and the board must include the
following:
• The audit charter
• Independence of internal audit activity
• The audit plan and the progress against the
plan
• Results of audit activities
• Conformance with the Code of Ethics and
Standards, and any significant conformance
issues.
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD CONT.

THE INTERNAL AUDIT CHARTER

Purpose, Authority and Responsibility
The purpose, authority and responsibility of the
internal audit activity must be formally defined in an
internal audit charter, consistent with the Definition of
Internal Auditing, Code of Ethics and the Standards.
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD CONT.

The Internal Audit Charter should define the following:

• The scope of services and work to be

performed
• The objectives of internal audit activity
• Authority to access records personnel and
physical properties in the organization
• The accountability of internal audit activity, and
• The responsibility of internal audit activity.
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD CONT.

THE INTERNAL AUDIT COMMITTEE (IAC)

Audit Committee is the governance body that is charged
with oversight of the organizations audit and control
functions.

FUNCTIONS OF AUDIT COMMITTEE

1. Assist the Board in the performance of its oversight
responsibility
2. Provides oversight over Management’s activities
3. Perform oversight functions over the corporations
internal and external auditors
4. Review the annual internal audit plan
REPORTING TO SENIOR MANAGEMENT AND
THE BOARD CONT.

5. Discuss with the external auditor the nature,

scope, and expenses of the audit
6. Organize an internal audit department , and
consider the appointment of an independent internal
auditor and the terms and conditions of its
engagement and removal
7. Monitor and evaluate the adequacy and
effectiveness of the corporation’s internal control
system
8. Review the reports submitted by the internal
and external auditors