The Internal Audit Handbook - The Business Approach to Driving Audit Value
By Hans Beumer
About this ebook
The Internal Audit Handbook combines the Volumes I, II and III of Driving Audit Value in a comprehensive internal audit handbook. This Driving Audit Value Bundle integrates the best practice strategies of the internal audit function, internal audit engagement and the internal audit risk management into one definitive, practical and extensive reference manual of 740 pages.
This handbook is a must-have for all internal audit professionals who want to elevate their performance far above the expectations of their board and management. Follow the business approach to internal auditing for maximising the internal audit added value and minimising the internal audit risks, based on proven strategy models.
Hans Beumer was CAE for 16 years, has a Master's degree in Business Economics, and was educated and trained as Dutch CPA, CIA, CISA, CRMA and CFE. He published 4 books and 8 articles on the topic of best practice internal audit.
Book preview
The Internal Audit Handbook
THE BUSINESS APPROACH
TO DRIVING AUDIT VALUE
HANS BEUMER
ALSO AVAILABLE FROM HANS BEUMER
Driving Audit Value (Vol. III): Audit Engagement Strategy
Driving Audit Value (Vol. II): Audit Risk Management
Driving Audit Value (Vol. I): Audit Function Strategy
Success for Everyone
Happiness for Everyone
Kumano Kodo
Thailand
20’000 km by Train
Visit www.hansbeumer.com
COPYRIGHT
HB Publications
Zug, Switzerland
www.hansbeumer.com
Text Copyright © Hans Beumer 2017
Figures and Tables Copyright © Hans Beumer 2017
- Parts I, II and III have been published as a separate book in January 2017 with the title Audit Function Strategy (Driving Audit Value, Vol. I), ISBN 978-3-906861-13-5 and ISBN 978-3-906861-14-2, Copyright © Hans Beumer 2017.
- Parts IV, V and VI have been published as a separate book in July 2017 with the title Audit Engagement Strategy (Driving Audit Value, Vol. III), ISBN 978-3-906861-18-0 and ISBN 978-3-906861-19-7, Copyright © Hans Beumer 2017.
- Parts VII, VIII, IX and X have been published as a separate book in March 2017 with the title Audit Risk Management (Driving Audit Value, Vol. II), ISBN 978-3-906861-15-9 and ISBN 978-3-906861-17-3, Copyright © Hans Beumer 2017.
Cover Stock Media Copyright © Shutterstock 2017
International Professional Practices Framework and International Standards for the Professional Practice of Internal Auditing, available at: https://global.theiia.org/standards-guidance. Lake Mary, FL: Copyright © 2017 by The Institute of Internal Auditors, Inc. All rights reserved.
All rights reserved. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise be copied for public or private use without the express written permission of the publisher, except for the use of brief quotations in a book review.
First edition published in July 2017
This book is available as:
- Hardcover: ISBN 978-3-906861-20-3
- EBook: ISBN 978-3-906861-21-0
Printed and distributed by Lulu Press, Inc.
This book is not intended to provide personalised business advice. It offers the viewpoints and extensive experience of the Author, but the views expressed should not be taken as instructions or commands. The reader is responsible for his or her decisions and actions for the business of internal audit and related topics. The Author and Publisher expressly disclaim any liability, loss, damage, or risk, business, personal or otherwise, that is incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this book.
CONTENTS
FOREWORD
BOOK STRUCTURE
PART I - AUDIT FUNCTION STRATEGIC MODEL
Where were the Auditors?
Where were the internal auditors?
Risks, mitigations, monitoring
No risk, no reward
Focus, focus, focus
Audit Added Value
Audit Function Strategic Models
Audit Added Value Tree©
Increasing Audit Value Tree©
Decreasing Audit Cost Tree©
Annual Audit Planning Model©
PART II - AUDIT FUNCTION VALUE DRIVERS
Audit Function Value Driver 1: Audit Value
IPPF’s audit value requirements
Understanding customer expectations
Measuring actual audit value
Customer value proposition
Managing customer expectations
Customer expectations as value driver
Audit Function Value Driver 2: Audit Cost
IPPF’s audit cost requirements
Cost efficiency: reducing the cost of the internal audit function
Planning efficiency: reducing the cost per audit person-day
Audit efficiency: reducing the cost per audit engagement
Right-sizing the internal audit function
Audit cost as value driver
PART III - AUDIT FUNCTION VALUE ENABLERS
Audit Function Value Enabler 1: Internal Audit Charter
IPPF’s requirements for the internal audit charter
Organisation
Authority
Independence
Objectivity
Responsibility
Compliance
CAE roles beyond the boundaries of the internal audit charter
Internal audit charter as value enabler
Audit Function Value Enabler 2: Understanding the Business and Company
IPPF’s requirements for understanding the business and company
Industry
Business model
Business process maturity
Product life cycle
Regulatory environment
Financial statements
Goals, strategies and objectives
Structure and organisation
Business operations
Management tools, technologies and reporting systems
History of significant issues
Management style, turnover, incentive schemes, pressure, culture and ethics
Understanding the business and company as value enabler
Audit Function Value Enabler 3: Annual Audit Plan
IPPF’s annual audit planning requirements
Time coverage
COSO-ERM framework
Coordination
Audit resources
Understanding the business and company
Business objectives
Audit universe
Risk assessments
Progress reporting and follow-up audit work
Putting the plan together
Plan review and approval
Why it matters to perform strategy-related audit work
Annual audit plan as value enabler
Audit Function Value Enabler 4: Coordination
IPPF’s coordination requirements
Audit committee/board
Management
Audit team
External audit
Risk Management
Other corporate functions
Audit assurance strategy of the audit committee
Coordination as value enabler
Audit Function Value Enabler 5: Reporting
IPPF’s reporting requirements
Generic value enablers
Audit committee reporting
Annual audit plan report
Audit engagement report
Knowledge sharing report
Performance reporting
Progress reporting
Annual report of the internal audit function
Reporting as value enabler
Audit Function Value Enabler 6: Performance Management
IPPF’s performance management requirements
Performance management cycle
Performance targets
People
Price
Product
Process
Audit function balanced scorecard
Performance management as value enabler
PART IV - AUDIT ENGAGEMENT STRATEGIC MODEL
Soll and Ist
Process and Project
Audit Engagement Strategic Models
Beumer Audit Engagement Strategic Model©
Audit Engagement Value Drivers Model©
Audit Engagement Value Enablers Model©
PART V - AUDIT ENGAGEMENT VALUE DRIVERS
Audit Engagement Value Driver 1: Identifying Significant Risks
IPPF’s requirements for identifying significant risks
Standardisation
Process for identifying significant risks
Step 1: What are the key enablers for identifying significant risks?
Step 2: What is significant?
Step 3: Is it a process or substance issue?
Step 4: How to scope for identifying significant risks?
Step 5: How to develop the work programme for identifying significant risks?
Step 6: How to report the identified significant risks?
Identifying significant risks as value driver
Audit Engagement Value Driver 2: Agreeing on Risk Mitigations
IPPF’s requirements for agreeing on risk mitigations
Standardisation
Process for agreeing on risk mitigations
Step 1: What are the key enablers for agreeing on the risk mitigations?
Step 2: What are the appropriate risk mitigation measures?
Step 3: To what level must the risks be reduced?
Step 4: Who should be responsible for the risk mitigations?
Step 5: How to determine the appropriate due dates of the risk mitigations?
Step 6: How to resolve disagreements?
Agreeing on risk mitigations as value driver
Audit Engagement Value Driver 3: Monitoring Progress of Agreed Risk Mitigations
IPPF’s requirements for monitoring progress of agreed risk mitigations
Standardisation
Process for monitoring progress of agreed risk mitigations
Step 1: What are the key enablers for monitoring progress?
Step 2: What assurance needs to be provided?
Step 3: What is the appropriate type of progress monitoring?
Step 4: How to do the progress monitoring?
Step 5: How to handle cancelled, delayed, changed or incomplete mitigations?
Step 6: How to report the results of progress monitoring?
Monitoring progress of agreed risk mitigations as value driver
PART VI - AUDIT ENGAGEMENT VALUE ENABLERS
Audit Engagement Value Enabler 1: Resource Planning
IPPF’s requirements for resource allocation
Standardisation
Process for engagement resource planning
Step 1: What is the management activity to be audited?
Step 2: What type of audit work must be performed?
Step 3: What are the available audit resources?
Step 4: How to handle resource shortfalls?
Step 5: What are the audit resources at the time of the audit engagement?
Step 6: How to do the annual time-scheduling of the engagements?
Step 7: How to do the time-scheduling within the engagements?
Example
Resource planning as value enabler
Audit Engagement Value Enabler 2: Engagement Planning
IPPF’s requirements for engagement planning
Standardisation
Process for engagement planning coordination and logistics
Step 1: What needs to be coordinated with management?
Step 2: What needs to be organised logistically?
Example
Engagement planning coordination and logistics as value enabler
Audit Engagement Value Enabler 3: Audit Objective
IPPF’s requirements for engagement objective
Standardisation
Process for determining audit objective
Step 1: Why to audit?
Step 2: What is the required level of assurance?
Step 3: What is the subject matter of assurance?
Step 4: What are the objectives of assurance?
Example
Engagement objective as value enabler
Audit Engagement Value Enabler 4: Understanding the Subject Matter
IPPF’s requirements for understanding the subject matter
Standardisation
Process for understanding the subject matter
Step 1: What are the process characteristics?
Step 2: What are the sources of information?
Step 3: Why understand two levels?
Example
Understanding the subject matter as value enabler
Audit Engagement Value Enabler 5: Subject Matter Risk Assessment
IPPF’s requirements for risk assessment
Standardisation
Process for subject matter risk assessment
Step 1: What are the subject matter’s inherent risks?
Step 2: What are the subject matter’s control risks?
Subject Matter Risk Indicators Model
Step 3: What are the risks in the 2nd lines of defence relating to the subject matter?
Step 4: How to use the results from the risk assessment?
Example
Risk assessment as value enabler
Audit Engagement Value Enabler 6: Audit Scoping
IPPF’s requirements for engagement scoping
Standardisation
Process for engagement scoping
Step 1: What to audit?
Step 2: Where to audit?
Step 3: Who to audit?
Step 4: What period to audit?
Example
Engagement scoping as value enabler
Audit Engagement Value Enabler 7: Work Programme
IPPF’s requirements for engagement work programme
Standardisation
Process for developing work programme
Step 1: What are the objectives that need to be tested?
Step 2: What types of audit tests are available?
Step 3: What audit tests are allocated to the objectives?
Step 4: What items from the population need to be tested?
Step 5: What time is allocated to each audit test?
Example
Engagement work programme as value enabler
Audit Engagement Value Enabler 8: Audit Execution
IPPF’s requirements for engagement execution
Standardisation
Process for engagement execution
Step 1: What are the execution objectives?
Step 2: How to achieve the execution objectives?
Step 3: What audit evidence is needed?
Step 4: What are the working paper requirements?
Engagement execution as value enabler
Audit Engagement Value Enabler 9: Audit Report
IPPF’s requirements for engagement reporting
Standardisation
Process for the final audit engagement reporting
Step 1: What is the structure of the report body?
Step 2: What audit results are included in the report body?
Step 3: What is the structure of the executive summary?
Step 4: What audit results are included in the executive summary?
Step 5: How to word the audit opinion?
Step 6: How to resolve disagreements?
Step 7: Who needs to receive the report?
Example
Audit report as value enabler
Audit Engagement Value Enabler 10: Performance Management
IPPF’s requirements for performance management
Standardisation
Process for performance management
Step 1: What are the engagement performance targets?
Step 2: How to achieve the performance targets?
Step 3: What are the engagement detection risks?
Audit Engagement Detection Risk Indicators Model
Step 4: How to mitigate the engagement detection risks?
Audit Engagement Detection Risk Mitigations Model
Example
Performance management as value enabler
PART VII - AUDIT RISK MANAGEMENT STRATEGIC MODEL
Audit Risk Management Strategic Models
Beumer Audit Risk Management Model©
Audit Assurance Risk Management Model©
Audit Process Risk Management Model©
Risk Appetite
CAE’s risk appetite
Board’s risk appetite
3rd Line of Defence
Audit function inherent risk
Audit function control risk
Audit Function Risk Indicators Model
Audit risk mitigation
PART VIII - AUDIT OBJECTIVES
Audit Function Objectives
Audit Objectives Catalogue©
Audit Objectives Tree©
PART IX - AUDIT RISKS
Audit Risks
IPPF’s audit risk definitions
Audit added value risk definition
Audit risk categories
Audit Risks Catalogue©
Audit Risks Portfolio©
Audit Assurance Risks
Audit Assurance Risk Tree©
Audit Process Risks
Audit Process Risk Tree©
Audit Risk 1: Value Risks
Risk of low support
Risk of low approved resources
Risk of low use of the audit products
Audit Risk 2: Focus Risks
Audit Risk 3: Execution Risks
Risk of poor execution
Risk of overlooking significant issues
Risk of agreeing no or wrong audit issue risk mitigation measures
Risk of wrong audit engagement conclusions
Risk of over-valuing small issues
Risk of overlooking scope limitations
Audit Risk 4: Performance Risks
Risk of high audit costs
Risk of low effectiveness
Risk of low efficiency
Audit Risk 5: Reporting Risks
Risk of low reporting quality
Risk of insufficient reporting tailoring
Risk of insufficient reporting
Audit Risk 6: Compliance Risks
Risk of non-compliance with audit charter and policies
Risk of non-compliance with IIA requirements
Risk of non-compliance with company policies
PART X - AUDIT RISK MITIGATIONS
Audit Risk Mitigations
Audit risk mitigation categories
Audit Risk Mitigation Catalogue©
Audit Assurance Risk Mitigations
Audit Assurance Risk Mitigations Tree©
Audit Process Risk Mitigations
Audit Process Risk Mitigations Tree©
Audit Risk Mitigation 1: Value Risk Mitigations
Risk mitigation of low support
Risk mitigation of low approved resources
Risk mitigation of low use of the audit products
Audit Risk Mitigation 2: Focus Risk Mitigations
Risk mitigation of focus of annual audit plan
Risk mitigation of focus of audit engagements
Audit Risk Mitigation 3: Execution Risk Mitigations
Risk mitigation of poor execution
Risk mitigation of overlooking significant issues
Risk mitigation of agreeing no or wrong audit issue risk mitigation measures
Risk mitigation of wrong audit engagement conclusions
Risk mitigation of over-valuing small issues
Risk mitigation of overlooking scope limitations
Audit Risk Mitigation 4: Performance Risk Mitigations
Risk mitigation of high audit costs
Risk mitigation of low effectiveness
Risk mitigation of low efficiency
Audit Risk Mitigation 5: Reporting Risk Mitigations
Risk mitigation of low reporting quality
Risk mitigation of insufficient reporting tailoring
Risk mitigation of insufficient reporting
Audit Risk Mitigation 6: Compliance Risk Mitigations
Risk mitigation of non-compliance with audit charter and policies
Risk mitigation of non-compliance with IIA requirements
Risk mitigation of non-compliance with company policies
VOL. I OF DRIVING AUDIT VALUE: AUDIT FUNCTION STRATEGY
VOL. II OF DRIVING AUDIT VALUE: AUDIT RISK MANAGEMENT
VOL. III OF DRIVING AUDIT VALUE: AUDIT ENGAGEMENT STRATEGY
ABOUT THE AUTHOR
FOREWORD
The Internal Audit Handbook differs from all the other books about internal audit, in the way it combines the theoretical knowledge with the practical experiences of a seasoned CAE:
This is the first and only handbook that develops a focused strategy for achieving the highest level of audit added value of the internal audit function. The handbook reflects on the internal audit activities from an entirely new perspective by defining the added value and how this added value can be attained through value drivers and value enablers.
The internal audit strategic models provide transparency for the main success principles for the key internal audit activities, presenting a unique new frame of reference for understanding, deploying and realising the internal audit strategies.
No other professional internal audit literature covers the topic of internal audit risk management as this handbook does. Just like your company’s management needs to manage their risks, the internal audit function needs to manage its risks in achieving the internal audit strategies and objectives. The Beumer Audit Risk Management Model© provides a ground-breaking new approach to understand, identify, measure and mitigate the internal audit risks at both the audit function level and the audit engagement level.
On 740 pages, this handbook follows the business approach to internal auditing based on the practical experiences, examples, tips and foremost solutions, from an experienced CAE. The content of this book draws upon 28 years of business experience, of which 16 years as leader of internal audit functions of globally operating corporations.
The Internal Audit Handbook is the best practice guide for implementing a value-added internal audit strategy. Follow the strategic principles and become successful in achieving the highest objectives of the internal audit department. Apply the fundamental success principles described in this handbook and your audit function will generate the desired added value.
Figure 1 – Beumer Internal Audit Strategy Model©
This is the fourth book of the series on internal audit best practices called Driving Audit Value. The first three books in the series are:
1. Audit Function Strategy: Driving Audit Value Volume I. Volume I was published in January 2017. See the book preview and the global endorsements on pages 731 to 734.
2. Audit Risk Management: Driving Audit Value Volume II. Volume II was published in March 2017. See the book preview on pages 735 and 736.
3. Audit Engagement Strategy: Driving Audit Value Volume III. Volume III was published in July 2017. See the book preview on pages 737 and 738.
The Internal Audit Handbook combines the Volumes I, II and III of Driving Audit Value in a comprehensive internal audit handbook. This Driving Audit Value Bundle integrates the best practice strategies of the internal audit function, internal audit engagement and the internal audit risk management into one definitive and extensive reference manual.
Read to advance your life,
drs. Hans Beumer
July 2017
BOOK STRUCTURE
There is a certain way to organise, plan, direct and execute the internal audit activities that lets the audit function achieve its added value. The best practice methodologies and strategies for attaining the highest level of added value are presented in three distinct sections:
Internal Audit Function Strategy
Internal Audit Engagement Strategy
Internal Audit Risk Management
Managing internal audit function strategy
Figure 2 - Book structure of PART I, II, III
PART I: Audit Function Strategic Model
Part I determines the reasons for needing an internal audit function strategy and shows how the chapters and elements of the audit value drivers and the audit value enablers fit together. These are summarised in the Audit Added Value Tree©, Increasing Audit Value Tree©, Decreasing Audit Cost Tree© and Annual Audit Planning Model©. These models connect all 48 individual elements of the value enablers and the two value drivers, and show the relationships between the individual building blocks in the audit function strategy models.
PART II: Audit Function Value Drivers
Part II proves that Audit Value and Audit Cost are the primary audit added value drivers of the audit function. In two chapters, efficient, effective and practical guidance is provided to maximise the added value of each subject.
PART III: Audit Function Value Enablers
Part III presents the six most significant value enablers for the audit function: Audit Charter, Understanding the Business and Company, the annual audit plan, coordination, reporting, and performance management. In six chapters, practical guidance is provided to maximise the value of each subject.
Managing internal audit engagement strategy
Figure 3 - Book structure of PART IV, V, VI
PART IV: Audit Engagement Strategic Model
Part IV presents the Beumer Audit Engagement Strategic Model©. This model shows the comprehensive audit engagement framework for maximising the added value of the audit engagements. The model connects 3 value drivers to 10 value enablers. The Audit Engagement Value Drivers Model© shows how the 3 key value drivers can be achieved in 18 defined and focused steps. The Audit Engagement Value Enablers Model© shows how the 10 key value enablers can be achieved in 39 steps.
PART V: Audit Engagement Value Drivers
Part V shows why identifying the significant risks, agreeing on the risk mitigation, and monitoring the progress of this risk mitigation, are the three primary value drivers of the audit function. Everything the audit function does must ultimately result in providing assurance that management knows the significant risks to their business, and is appropriately reducing the impact of these risks to a level that is within the risk appetite of the board. The chapter Identifying Significant Risks explains how this can be achieved in 6 defined steps. A further 6 clear steps result in Agreeing on Risk Mitigations, and Monitoring Progress of Agreed Risk Mitigations is achieved in 6 steps.
PART VI: Audit Engagement Value Enablers
Part VI presents the 10 most significant value enablers for the internal audit engagements: resource planning (2 steps); engagement planning (2 steps); engagement objectives (4 steps); understanding the subject matter (3 steps); risk assessment of the subject matter (4 steps); engagement scoping (4 steps); engagement work programme (5 steps); engagement execution (fieldwork) (4 steps); engagement report (7 steps); engagement performance management (4 steps). In 10 chapters, these topics are analysed and efficient, effective and practical guidance is provided to maximise the value enabling capacity of each subject, by following the defined steps.
Managing internal audit risks
Figure 4 - Book structure of PART VII, VIII, IX, X
PART VII: Audit Risk Management
Part VII presents the Beumer Audit Risk Management Model©. This model provides the comprehensive audit risk management framework for driving the audit risk identification, measurement and mitigation. The model connects 60 audit risks, in 6 audit risk categories, to 30 audit objectives. Depending on the risk appetite and the audit risk prevention, the CAE can choose from 66 audit risk mitigation measures for reducing the audit risks to an acceptable level. The Audit Assurance Risk Management Model© and the Audit Process Risk Management Model© show the relationships between the objectives, the risks and the risk mitigation, as the individual building blocks of the strategy model. The Audit Function Risk Indicators Model© enables the CAE to quickly grasp the risk profile of the audit function.
PART VIII: Audit Objectives
Part VIII describes the 6 main audit objective categories for value, focus, execution, performance, reporting, and compliance. The Audit Objectives Catalogue© captures the 30 audit objectives in the structure of the 6 audit objective categories, split into the audit assurance objectives and the audit process objectives.
PART IX: Audit Risks
Part IX defines the audit risk and explains the nature and details of the 60 individual audit risks, captured in the 6 main audit risk categories: value risk, focus risk, execution risk, performance risk, reporting risk, and compliance risk. The Audit Assurance Risk Tree© shows the 33 audit assurance related risks, whereas the Audit Process Risk Tree© presents the 27 audit process related risks. For each of the 6 audit risk categories, a risk matrix matches the audit risks from the Audit Risks Catalogue© to the audit objectives from the Audit Objectives Catalogue©. Additionally, a risk map matches the audit risks from the Audit Risks Catalogue© to the audit function’s customer value proposition.
PART X: Audit Risk Mitigation
Part X presents the Audit Risk Mitigation Catalogue©, listing the 66 risk mitigation measures, divided into the Audit Assurance Risk Mitigation Tree© (36 measures), and the Audit Process Risk Mitigation Tree© (30 measures). Part X elaborately describes the 66 individual risk mitigation measures and matches the risk mitigations to the risk categories in a risk mitigation matrix.
PART I - AUDIT FUNCTION STRATEGIC MODEL
Figure 5 – PART I: Audit function strategic model
Where were the Auditors?
Major corporate scandals 2010-2016
VOLKSWAGEN EMISSIONS SCANDAL
September 2015 – The US Environmental Protection Agency caught VW cheating on diesel emissions tests to falsely pass the maximum allowed levels. Diesel models had software installed to fraudulently show that the cars were more environmentally friendly than they actually were. More than 11 million cars had to be refitted, regulatory fines amounted to more than $15 billion, civil and criminal suits cost further billions. High profile managers and the CEO were dismissed.
FIFA CORRUPTION SCANDAL
May 2015 – The FBI indicted the FIFA organisation and officials with racketeering, fraud, corruption, and with paying millions of dollars in bribes to influence FIFA elections, locations for hosting the World Cup, sponsorship contracts, broadcasting rights, and more.
BP OIL SPILL SCANDAL
April 2010 – The Deepwater Horizon rig explosion caused the largest environmental disaster of the 21st Century. Oil and gas producer BP had the worst health, safety and environment practices, which caused damages and costs far exceeding $25 billion, and destroyed more than $100 billion in shareholder value.
YAHOO HACKING SCANDAL OF 1 BILLION USER ACCOUNTS
December 2016 – Yahoo disclosed that a data breach exposed the private information of more than 1 billion user accounts. It related to a theft of names, email addresses, telephone numbers, birthdates, and unrecognisable passwords, as well as encrypted and non-encrypted security questions and answers.
WELLS FARGO SCANDAL OF FAKE ACCOUNTS
September 2016 – Over the period 2011-2016, Retail Banking employees created 1.5 million phoney deposit accounts and issued 0.5 million fake credit cards, without the knowledge or permission of the related customers. Employees resorted to fraud in order to meet challenging growth quotas. The bank paid $185 million in fines and fired 5’300 employees.
OLYMPUS ACCOUNTING AND BRIBERY SCANDAL
October 2011 – Olympus hid $1.7 billion in losses over a period of 13 years and admitted to paying kickbacks and foreign bribery. The company paid more than $0.5 billion to settle criminal and civil investigations.
PETROBRAS CORRUPTION SCANDAL
March 2014 – Executives and key management of Brazil’s state-owned Oil & Gas Company were accused of bribery of officials as well as siphoning off money for their own use. In criminal investigations, more than 80 managers and politicians were charged with money laundering and bribery of more than $8 billion.
LIBOR RIGGING SCANDAL
June 2012 – Criminal investigations into the manipulation of interest rates spread to 10 countries and involved more than 20 major banks. Total fines reached more than $10 billion.
Where were the internal auditors?
These eight examples represent some of the major scandals, bribery, corruption, fraud, and non-compliance cases in the period 2010-2016. In each of these cases, you can rightfully ask: where were the internal auditors?
The answers to this question can be manifold:
During the planning of the audit engagement, the auditors insufficiently coordinated with the board and executive management about their business, risk and control concerns: BP, Petrobras, Yahoo.
The audit function did not have the topics in their audit universe, as other assurance providers covered these topics:
External Audit: Olympus
Compliance and EHS departments: BP, VW
IT security: Yahoo
The audit function did have the topics in their audit universe, but:
did not assess the risks correctly: VW, BP, Petrobras, Wells Fargo, Yahoo
did not have an appropriate focus: Petrobras, FIFA, BP, Yahoo
did not have the right auditor skills: could be all of them
had scope limitations or insufficient support: FIFA, Petrobras
The audit function did audit the related topics, but:
the work programme was not focusing on the right key controls or risks: Libor, Olympus, Wells Fargo, Yahoo
insufficiently skilled auditors were allocated to the audit: Libor, Wells Fargo, Yahoo
the auditors did not have access to the staff, systems or information they needed to achieve the audit objective: FIFA, Petrobras, Olympus
the auditors did not understand the transactions: Libor, Wells Fargo
the auditors relied too much on single audit tests, such as interviews and other tests with very weak evidence: Libor, Wells Fargo, BP, FIFA
did not identify the issues: Libor, Wells Fargo, Yahoo
did not have management agree on effective risk mitigation: BP, Yahoo
did not follow-up to ascertain that their recommended risk mitigation actions were indeed implemented by management: Yahoo, BP, Libor
management hid the problems: Olympus, Petrobras
The audit function did raise the relevant issues, but:
management did not support the audit function: FIFA
management did not implement risk mitigation: BP, Yahoo
We will never know the real reasons for these companies’ audit functions’ inability to successfully identify these issues and have management mitigate those risks. For the internal audit functions of these companies, it is already too late. Their effectiveness will probably have been seriously questioned, and this might have resulted in the dismissal of the CAE, downsizing or upsizing of the audit function, combined with a refocus of the audit function’s and audit engagement’s strategies and objectives. However, for your company’s audit function a similar scandal can be avoided by applying the key success principles contained in this Internal Audit Handbook.
Risks, mitigations, monitoring
When you analyse the issues of these eight cases, a clear trend can be identified. In all these scandals three engagement related topics stand out:
1. The audit engagements did not have the appropriate focus and as a result were not able to identify the significant risks.
2. If the audit engagements did identify the significant risks, they were ineffective in agreeing with management on the appropriate risk mitigating measures and their urgency of implementation.
3. An ineffective monitoring of the progress of the risk mitigations resulted in the materialisation of the risks before they could have been prevented or reduced.
The boards of these organisations must have expected their internal audit functions to do their jobs: identify the significant risks, agree with management on the appropriate risk mitigations, and monitor management’s implementation of the risk reductions.
These three expectations are the key value drivers for any audit engagement and represent the core of the audit strategic models.
No risk, no reward
The primary objective of the audit function must be to add value. This means that the CAE must be value driven, as she aims to mitigate the business risks that may keep the company from reaching its objectives. Some CAEs’ first objective, however, is to limit the risks of the audit function. They are driven by their personal risk-aversion, by creating a comfort zone, and by not doing anything that may antagonise management or put them in the spotlight (low risk-appetite). However, the CAE needs to be willing to take some risks to achieve bigger audit results. Had the internal audit functions in the above examples taken some bigger risks in addressing the scandalous topics, perhaps they could have prevented these from occurring, or these could have been mitigated in time, before being exposed. The CAE needs to understand her audit risks and manage them, to achieve big audit results.
The CAE can provide significant added value to the company, while at the same time reducing her audit risks. She can create a win-win (for the company and herself), but she needs to follow the guidance in this handbook to realise this. Her appetite for the added value of the internal audit function must lead the way, as the audit risks are a result of the selection of the audit engagements that add to that value. It should not be done the other way around, by letting her appetite for the audit risks determine which added value audits are going to be undertaken. The CAE must find the appropriate trade-off between the level of the audit risk and the potential for generating audit value.
Focus, focus, focus
To be able to add value to the organisation, the CAE must ensure that she does not have:
a lack of support from the process owners, local management, executive management and the board, as a result of which the board limits the approved resources and the audit products are not utilised.
a mismatch between the risk profile and the main business strategies and objectives of the company or subject matter, and the focus of the annual audit plan or the audit engagement.
a negative input – output ratio, if the costs of the audit function and the audit engagements are considered to be too high compared to the value generated.
To be able to add value to the organisation, the CAE must ensure that she does not issue:
an unqualified, satisfactory, audit opinion/report, without reporting any significant issues, whereas significant issues do exist in the audited subject matter.
a qualified, unsatisfactory, audit opinion/report, pointing out significant issues, whereas the issues are either not significant, or do not exist in the audited subject matter.
a full scope audit opinion/report on the audited subject matter, whereas she should not issue such an opinion/report based on significant limitations in the audit scope or the audit execution.
Understanding, identifying, measuring, and proactively managing the audit strategy, objectives and risks are necessary for ensuring the audit function’s and the CAE’s success in the company. The Internal Audit Handbook creates an innovative framework for managing the internal audit function and preventing your company’s name from being included in the listing of “where were the auditors?”.
Audit Added Value
The internal audit function should be run as a business. In a simplified formula, business value creation has two components: the input it needs to create value, and the output generated by the input, being the value:
Figure 6 – Business value creation
Value Destruction = Input > Output
Value Creation = Output > Input
When substituting input with cost, and output with value, and where the difference between the two is the reduced or added value, then the simple formula looks as follows:
Figure 7 - Audit value creation
Audit Value Destruction = Audit Cost > Audit Value
Audit Value Creation = Audit Value > Audit Cost
This formula shows that the added value component has two levers: audit cost and audit value. Decreasing the audit cost will lead to a larger added value, just as increasing the audit value will.
Figure 8 - Audit Added Value Drivers
The added value of the internal audit function can be maximised by minimising the cost of audit (as input factor), while at the same time maximising the quality and quantity of the value (as output factor).
Audit Function Strategic Models
Audit Added Value Tree©
The Audit Added Value Tree© shows the link between the 2 audit value drivers described in PART II and the 6 audit value enablers analysed in PART III.
Figure 9 – Audit Added Value Tree©
Increasing Audit Value Tree©
The Increasing Audit Value Tree© shows that the 47 individual elements of the 6 value enablers drive the increase of the audit value. Five of these elements relating to the customer value proposition are explored in PART II; the other 42 elements are described and analysed in the six chapters of Part III.
Figure 10 – Increasing Audit Value Tree©
Decreasing Audit Cost Tree©
The Decreasing Audit Cost Tree© shows how the 17 individual elements of the value enablers drive the reduction of the audit cost. These are described in PART II.
Figure 11 – Decreasing Audit Cost Tree©
Annual Audit Planning Model©
The complete Annual Audit Planning Model© shows how the 48 individual elements of the 6 value enablers contribute to the value-added focus at the internal audit function level. Each of these elements is elaborately analysed and discussed in the six chapters of Part III in this book.
Figure 12 – Annual Audit Planning Model©
PART II - AUDIT FUNCTION VALUE DRIVERS
Figure 13 – PART II: Audit function value drivers
Audit Function Value Driver 1: Audit Value
Figure 14 - Six elements of audit function value driver 1: audit value
This chapter shows that audit value is the most important added value driver of the internal audit function.
The audit function does not perform its duties for itself, but for its customers. Therefore, only the customers of the internal audit function can define the value of the internal audit activities. This means that the target audit value is based on their expectations, and the actual, realised, audit value is the extent to which those targets (expectations) have been met.
The chapter starts with analysing the IPPF’s (International Standards for the Professional Practice of Internal Auditing) requirements for adding value. This is followed by an elaborate analysis of the customers’ expectations, ways to measure the audit value, the formulation of a customer value proposition, the topic of managing the target audit value, and a summary of audit value being a direct value driver.
IPPF’s audit value requirements
The IPPF makes strong statements about the added value of the internal audit function. Performance standard 2000 – Managing the Internal Audit Activity clearly states that the CAE must make sure that the audit function adds value to the company. Adding value can be achieved by:
taking into account the company’s strategies, objectives, and risks. According to the standard 2010 – Planning, this can be accomplished by developing risk-based annual audit plans (but also risk-based engagement plans) for which the CAE needs to obtain an understanding of the company’s strategies, key business objectives, associated risks, and risk management processes. The Implementation Guides and Supplemental Guidance relating to the standards 2100 – Nature of Work, 2110 – Governance, 2120 – Risk Management and 2130 – Control frequently refer to these topics.
enabling the improvement of the efficiency and effectiveness of governance, risk management, and control processes. Performance standard 2100 – Nature of Work continues to describe that this must be based on a systematic, disciplined, and risk-based approach and that the internal audit function must be proactive and the results of their work should offer management and the board new insights and consider future impact. Standard 2110 – Governance, 2120 – Risk Management and 2130 – Control further detail each of the three topics.
providing assurance for the relevant topics, with objectivity. The standards also allow the internal audit function to add value through consulting engagements. The Implementation Guides and Supplemental Guidance elaborate on independent, objective and relevant assurance. The IPPF defines the assurance services as an internal auditor’s objective assessment of evidence to provide opinions or conclusions.
The above points are reflected in the definition of internal auditing as promulgated by The IIA (Institute of Internal Auditors), and reflect their description of the value proposition of the internal audit function:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Understanding customer expectations
Customers’ expectations need to be derived from understanding who the customers are and then obtaining information from these customers about their expectations of the internal audit function. Internal audit’s customers are usually:
the board of directors, its audit committee,
corporate executive management,
divisional/business unit management,
local management and process owners,
other corporate functions,
outside customers.
The primary expectations of each of these key customer groups are described in the following sections.
Expectations of the audit committee/board
Expectations of the audit committees and boards may vary from company to company. Some will have high expectations of the internal audit function, while others will have more modest expectations. A complete set of high expectations can be as follows:
The internal audit function must have all the required competencies (quality) and resources (quantity) for fulfilling its strategy and role.
The internal audit function must be efficient and effective in executing its audit work.
The internal audit function must apply best practice processes and procedures and have the professional attitude of objectivity, independence and respect when conducting the audit work. The internal audit function must be innovative and continuously improve its services, products and processes.
All plans and work results must be coordinated and agreed with management before they are brought to the attention of the board.
The internal audit function should provide risk-based assurance that the company has efficient and effective processes and procedures in place for: achieving its objectives; identifying and managing its risks; controlling its operations; governing compliance with the internal policies and directives, and external laws and regulations. The board expects the internal audit function to identify and cover the emerging risks and appropriately handle the changing business risks and priorities.
The board expects the internal audit function to closely coordinate and cooperate with the other assurance providers, such as external audit, but also with the legal, compliance and risk management functions.
The internal audit function should support the board by monitoring that management is timely and completely implementing the strategic initiatives.
The internal audit function should ensure that all identified issues are supported by timely, adequate and effective risk mitigation. They expect the internal audit function to follow-up and provide assurance that the risks have indeed been mitigated as expected.
The board expects the CAE to have a good understanding of the business and operations, to be communicative, to be critical and analytical in his thinking, and have good relationships with management. The CAE must be a leader and speak the language of the board, management and business.
The internal audit function is their ear on the ground. Because the board is not involved in the affairs of the daily operations in headquarters and the businesses, the CAE is expected to be a good information source during the formal and informal communications.
In summary, the internal audit function can add value to the board by:
ensuring competent resources at a sufficient level;
having efficient and effective internal audit function processes;
maintaining a best practice internal audit function, compliant with the IPPF of The IIA, and ensuring a high acceptance and good reputation with executive management and the businesses;
coordinating all the plans and work results with management before bringing them to the attention of the board;
providing assurance on the effectiveness and efficiency of the businesses’ risk management, internal controls, governance and compliance to achieve the business objectives;
closely coordinating the audit work with the other assurance providers;
supporting the board in their supervision over the implementation of the strategic initiatives;
ensuring that all the audit issues are supported by risk mitigation, and providing assurance that these risks have indeed been mitigated as expected;
speaking the language of management and the board;
being a source of information for the board in better understanding the company’s management, culture, atmosphere, challenges, operations and businesses.
Expectations of executive management
The expectations of corporate executive management (such as the CEO and CFO) will also vary from company to company. They will have two main expectations of the internal audit function: no surprises, and audit assurance over risk management and internal control processes, to help them achieve the company’s objectives (whether at low-level or high-level). A complete set of high expectations can be as follows:
Executive management does not like surprises. This implies that whenever the internal audit function raises significant audit issues in their draft reports (which are likely going to attract the attention of the board), they will want to be informed before the audit report is formally issued. This enables them to: assess whether the auditor’s opinions and ratings indeed reflect the proper perspective (on impact and significance of the issues); hold lower management to account; and prepare for questioning by the board.
They also expect that the internal audit function has its focus on those topics which provide them with the biggest levers to make improvements to the control systems and the businesses. This means that the annual audit plan should focus on those topics where executive management has the biggest worries. Risks that matter, together with emerging risks, must be in focus.
The internal audit function must provide assurance that the businesses have efficient and effective processes and procedures in place for achieving its objectives, identifying and managing its risks, controlling its operations, and governing compliance with the internal policies and directives, and external laws and regulations.
All identified issues should be supported by timely, adequate and effective risk mitigation. They expect the internal audit function not only to identify the topics for improvement but also to ensure that responsible management has agreed to the necessary risk mitigation measures. Executive management expects the internal audit function to follow-up and provide assurance that the risks have indeed been mitigated as expected.
They expect the internal audit function to stay within their financial and FTE budget and comply with all the corporate policies, procedures and practices (e.g., for travel and hiring of staff).
They expect the internal audit function to be efficient and effective and make use of technology to increase the cost-efficiency and audit effectiveness.
Executive management may also expect the internal audit function to be a talent pool and training ground for the future managers and executives. They may expect a two-year rotational cycle for business managers to gain experience through best practice auditing, or the internal audit function could offer management-trainees a 6-month programme. This could work both ways: the auditors rotating into the business and the business managers switching into the internal audit function.
In summary, the internal audit function can add value to executive management by:
coordinating the audit focus to match their priorities;
providing assurance on the effectiveness and efficiency of the businesses’ risk management, internal controls, governance and compliance, to help them achieve their business objectives;
ensuring that all the audit issues are supported by risk mitigation, and providing assurance that these risks have indeed been mitigated as expected;
having efficient and effective internal audit function processes;
timely discussing the significant audit issues before formally releasing the audit reports to the board;
staying within the budget and complying with all relevant corporate policies;
providing training in project management, analytical thinking, report writing, and other experiences for the high potentials.
Expectations of divisional/business unit management
Divisional/business unit management also have expectations:
They want the internal audit function to have a focus on the key entities in their division/business unit, to make suggestions to improve the controls over and in their businesses and to ensure that the identified weaknesses have effective actions for improvement.
They want to be able to influence where and when the auditors are going, already during the annual audit planning phase. Usually, the business units cannot see how much audit time is spent in their unit compared to the other business units. It is difficult for them to assess whether the audit efforts are fairly spread over the divisions of the company. However, the CAE can see this, and he will need to measure, monitor, and manage this. He needs to make sure that the audit efforts are allocated commensurate with the risk profile and size of the units.
Business unit management expects that the audit results are discussed with them before they are passed on to executive management and the board. They want to make sure that they understand the reasoning of the internal audit function when it comes to the solutions and conclusions. They will ensure that the solutions and conclusions are consistent with the business unit perspectives on the subject matters. Furthermore, business unit management will usually quickly consider whether a problem in one entity may also exist in their other entities.
In summary, the internal audit function can add value to divisional/business unit management by:
coordinating the audit focus and timing for all the entities within the business unit, and ensuring that the audit efforts are commensurate with the risk profile and size of entities;
providing assurance on the effectiveness and efficiency of their risk management and internal controls, to help them achieve their business objectives;
coordinating the audit conclusions and risk mitigating actions before passing the draft reports to higher management levels.
Expectations of local management and process owner
Local management and the process owner expect the internal audit function to make recommendations to improve their internal control systems and their risk management processes.
Generally speaking, local management wants to receive a positive audit rating and often they will do everything to avoid a negative audit report. This means that they may become tough negotiators on the wording of the conclusions and the audit rating. Sometimes they will discuss at length to prevent a negative message. This means that politics quite often plays an important role. The internal audit function must find an appropriate way to handle this, without reducing its objectivity and independence.
Local management expects that internal audit points out the weaknesses in the processes, while they also expect to be able to avoid a negatively worded audit report. They expect that the internal audit function not only identifies the weaknesses but also offers practical, cost-efficient and concrete solutions for remediating the weaknesses.
Further, they expect to be treated fairly and with respect. This means that, during the regular audit engagements, the representatives of the internal audit function cannot act as police officers, walking around the local office with a facial expression of disapproval. The auditors cannot project the image of a know-it-all. They might know certain internal control, governance and risk management technical aspects better than the local employees, but they should not believe (or create the perception) that they know the business better than them.
Local management expects to be able to review and comment on the draft audit report before it is sent to the higher echelons in the organisation.
Local management will want the audit efforts to be reasonable with respect to the process, unit or department that is audited. For example, doing a financial audit at the time of a month-end closing is usually not appreciated. Allocating three audit resources to review a department consisting of four people is not appreciated either. Their expectation is being able to continue to perform their operational duties while the audit work is ongoing. Significant hindrance of their operational work during busy times can have a severe negative impact on the reputation of the internal audit function and is value-destroying.
In summary, the internal audit function can add value to local management and the process owner by:
finding an appropriate balance between the audit efforts and the capacities and availability of local staff and management;
providing assurance on the effectiveness and efficiency of their risk management and internal controls, to help them achieve their local business objectives;
reporting the facts and keeping opinions to a minimum in the audit reports;
agreeing on the audit reports and risk mitigating actions before passing the draft reports to higher management levels.
Expectations of other corporate functions
There are also other assurance providers, inside the organisation, that have expectations. You can think of the company’s compliance function, the forensic investigations team (in the case that they are not part of the internal audit function’s responsibility), the tax compliance, the EHS and the trade control function.
There may be more internal corporate customers such as Risk Management, Group Accounting and Reporting, Treasury, Legal, IT department, Project Management Office, and Controlling. All these functions may have certain expectations of the internal audit function as well. The list may seem endless, but it is crucial for the CAE to enter into a dialogue with all these functions about the interfaces of internal audit with their teams.
The internal audit function can add value to the other corporate functions by:
reviewing compliance (within local businesses and operations) with the corporate governance policies and directives issued by each of these functions;
providing assurance on the roll-out of specific projects, or the effectiveness and efficiency of their internal controls and processes;
supporting the functions with the development of governance policies and procedures, as well as the design of control systems.
Expectations of outside customers
Other assurance providers, outside the company, will also have expectations, for example, the external auditor. Additionally, the stakeholders such as the shareholders, the legislators, the regulators and the public interest groups could also have specific expectations.
For example, the internal audit function can add value to the external auditor by:
discussing the scoping and coverage with the external auditor to avoid duplications or gaps in the audit assurance;
reviewing the financial statements, and the internal control systems over the financial reporting, for those entities that are outside the coverage of the external auditor.
The regulators may have particular expectations of and influence on the scope of work and the responsibilities of the internal audit function, as well. This happens foremost in the financial services or banking industry.
Measuring actual audit value
Theoretical
Objectively quantifying the target or actual audit value is difficult. Hitherto, no efficient and objective models or methodologies have been developed for this purpose. For the support of cost reallocation (transfer-pricing) models, some companies calculate the benefits based on the value of the risk mitigation. However, how does one assess the value of an assurance outcome when the audit work identified no significant issues? It becomes very judgemental to measure this value and use it as an objective performance indicator. I am intentionally refraining from developing, designing and presenting such a quantitative model in this book. Such a model would be extremely theoretical and would probably find very few followers in the real business world. Academically it might be interesting, but without a practical application it is useless. The content of this book provides best practice and practical guidance for driving the audit value. A purely theoretical calculation model has no place here.
Practical
Many tools are available for measuring the target and actual audit value:
satisfaction and quality surveys
the annual audit plan
management or board requests
implementation of the risk mitigating measures
the contribution to the business
realisation of the personal bonus objectives of the CAE
the balanced scorecard
These tools can be explained as follows:
Satisfaction and quality surveys to the audit committee/board, executive management and other management levels, including the process owner. These surveys can be used to reveal the actual performance against their expectations. They can be based on a scoring system (e.g., from 1 to 10, or from poor to excellent), which can be used to calculate a percentage of achievement, the quantified measurement of fulfilling the target audit value. The surveys can be designed in such a way that they address the key expectations of each level.
When the annual audit plan is developed in a best practice way, it may serve as a target for the audit value. Developing the plan through coordination would enable the internal audit function to reach the board’s and management’s expectation of having the right focus towards the strategies and business objectives. Timely and completely implementing the plan would enable meeting the expectations of having the right focus. Measurement of the plan focus could be done through the surveys, whereas measurement of the plan execution can be done by calculating the percentage of implementation.
Receiving regular management or board requests, for the audit of business topics with an emerging or immediate importance, can also be a good measure that they value the internal audit function. Receiving too many requests, however, is a sign that the annual audit plan is developed through insufficient coordination with the board and management (and is a sign of weakness).
The timely and complete implementation of the risk mitigating measures, resulting from the audit engagements, can be measured through the follow-up and progress reporting. Such reporting can analyse the nature and number of the risk mitigation and business improvements realised through management’s implementation of the audit recommendations. It is easy to calculate the statistics for implementation rates for each entity, business unit, and department. A high implementation rate would indicate a high achievement of the target audit value.
Giving an overview of the contribution to the business, for example in the annual report of the internal audit function. In such an overview the risk profile coverage, the audit universe coverage, and the primary control and business issues identified through the audit work can be presented. This can clearly show the nature and importance of the audit findings over the year, showing that the internal audit function effectively addressed the significant business risks.
The level of realisation of the personal bonus objectives of the CAE is also a good indicator of how well he (and the internal audit function) achieved the target audit value set for him.
The performance metrics of the balanced scorecard provide useful measurements of the actual achievement versus the target value, for example for the efficiency and effectiveness of the internal audit function’s processes.
Customer value proposition
The overall objective of the internal audit function must be to maximise the impact of the audit work. One way of maximising the impact is to provide assurance to the board and executive management that the major risks of the company are effectively and efficiently managed and mitigated. If the audit work concludes that (some of) the major risks are not being managed well enough, the audit process must ensure that management implements the concrete, practical and focused actions sufficient to mitigate these risks. The internal audit function’s review of management’s activities to reach their objectives has two essential aspects:
Review of management’s plans and actions necessary to achieve the objectives (are the plans/actions sufficient?).
Review of management’s handling of any possible deviations, risks and opportunities, which may prevent or bolster the achievement of the objectives (are the corrective actions sufficient?).
Therefore, the focus in the audit lies on reviewing management’s continuing actions for the goal achievement, as well as on their handling of corrective measures to counter any risks. Opportunities may cause management to overshoot their objective; therefore, these are less often a subject of review. The internal audit function often only concentrates on the downside risks, not on the upside potentials.
It can be said that the primary role of the internal audit function is to protect the shareholder value, through assurance activities on the risk control structure of the business organisation. One could further elaborate that the internal audit function’s efforts are targeted to:
Provide independent business risk assessments and solutions;
Support the achievement of business objectives by providing (reasonable) assurance that business risks are controlled in a cost-beneficial manner;
Act as a change agent for optimising the efficiency and effectiveness of business processes, internal control systems, risk management, governance and compliance processes;
Educate the organisation on the development and use of cost-efficient risk management and the promotion of best practices for controlling the business;
Create an environment to promote the professional auditors’ development and a talent pool for supporting the development of the high potentials.
The following tables provide summaries of the target audit value and their appropriate measurement systems, for each of the six major customer groups:
Table 1 – Expectations of the six major customer groups: target audit value and measure of achievement