
STUDY UNIT THREE

INTERNAL AUDIT ROLES I


3.1 Nature of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
3.2 Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.3 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
This study unit is the first of two that address the nature of work of internal auditors. Their work is
defined in the pronouncements of The IIA. They elaborate on the description of the services performed
by the internal audit activity provided in the Definition of Internal Auditing. The definition stresses the
improvement of governance, risk management, and control processes. However, internal auditors'
work regarding control is such a vital part of their responsibilities that it is treated separately in Study
Units 5 and 6.
Core Concepts
• The IAA's work focuses on the governance, risk management, and control processes of the
organization.
• Governance is the structure implemented by the board to inform, direct, manage, and monitor the
activities of the organization toward the achievement of its objectives.
• The IAA assesses and makes appropriate recommendations for improving governance.
• The CAE establishes and maintains a system to monitor the disposition of results communicated to
management.
• Compliance is conformity and adherence to policies, plans, procedures, laws, regulations,
contracts, or other requirements.
3.1 NATURE OF WORK
This subunit is brief but important. It includes one General Performance Standard. Standard 2100
reflects the scope of work described in the definition of internal auditing. The outline provides broad
guidance regarding the management process and its relationship to internal auditing.
2100 Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.
1. Internal audit work encompasses a systematic, disciplined approach to evaluating and
improving the effectiveness of governance, risk management, and control processes.
Internal auditors provide reasonable assurance that these processes are functioning as
intended and will enable the organization's objectives and goals to be met.
a. They also provide recommendations for improving the organization's operations, in
terms of both efficient and effective performance. Senior management and the board
also might provide general direction as to the scope of work and the activities to be
audited.
1
Copyright 2009 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
Adequacy of Processes
2. This is present if management has planned and organized (designed) them to provide
reasonable assurance that the organization's risks have been managed effectively and that
its objectives and goals will be achieved efficiently and economically (Glossary).
a. Efficient performance accomplishes objectives and goals in an accurate, timely, and
economical fashion.
b. Economical performance accomplishes objectives and goals with minimal use of
resources (cost) proportional to the risk exposure.
c. Reasonable assurance is provided if the most cost-effective measures are taken in
the design and implementation stages to reduce risks and restrict expected
deviations to a tolerable level.
d. Thus, the organizing (design) process begins with the establishment of objectives
and goals. This is followed by interrelating concepts, activities, and people to operate
together to achieve the established objectives and goals.
Effectiveness of Processes
3. This is present if management directs them to provide reasonable assurance that the
organization's objectives and goals will be achieved.
a. In addition to accomplishing the objectives and planned activities, management
directs by authorizing activities and transactions, monitoring resulting performance,
and verifying that the organization's processes are operating as designed.
Objectives of Management
4. Management is responsible for the sustainability of the whole organization and
accountability for its actions and performance to the stakeholders. The primary objectives
of the overall management process are to achieve
a. Relevant and reliable financial and operating information.
b. Effective and efficient use of resources.
c. Safeguarding of assets.
d. Compliance with laws, regulations, ethical and business norms, and contracts.
e. Identification of risks and use of effective strategies to control them.
f. Established objectives and goals.
5. Management plans, organizes, and directs performance to provide reasonable assurance
that objectives and goals will be achieved. Management periodically reviews its objectives
and goals and modifies its processes to accommodate changes in internal and external
conditions.
a. Management also establishes and maintains an organizational culture, including an
ethical climate that fosters control.
Control
6. Control is any action taken by management, the board, and others to manage risk and
increase the likelihood that established objectives and goals will be achieved. Controls
may be preventive (to deter undesirable events from occurring), detective (to detect and
correct undesirable events which have occurred), or directive (to cause or encourage a
desirable event to occur).
Auditor Roles
7. Internal auditors evaluate the whole management process of planning, organizing, and
directing to determine whether reasonable assurance exists that objectives and goals will
be achieved.
a. Internal auditors need to be alert to actual or potential changes in internal or external
conditions that affect the ability to provide assurance from a forward-looking
perspective. In those cases, internal auditors need to address the risk that
performance may deteriorate.
8. Internal audit evaluations, in the aggregate, provide information to appraise the overall
management process. All business systems, processes, operations, functions, and
activities within the organization are subject to the internal auditors' evaluations. Internal
auditing provides reasonable assurance that management's
a. Risk management activities are effective.
b. Internal control is effective and efficient.
c. Governance process is effective by establishing and preserving values, setting goals,
monitoring activities and performance, and defining the measures of accountability.
3.2 GOVERNANCE
Governance is the combination of processes and structures implemented by the board to inform,
direct, manage, and monitor the activities of the organization toward the achievement of its objectives
(Glossary). It is a fundamental element of the Definition of Internal Auditing. This subject is covered in
two General Performance Standards, one Specific Performance Standard, two Assurance
Implementation Standards, two Consulting Implementation Standards, and two Practice Advisories.
2110 Governance
The internal audit activity must assess and make appropriate recommendations for improving
the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization;
and
• Coordinating the activities of and communicating information among the board, external
and internal auditors, and management.
1. Governance encompasses all organizational activities. Thus, its processes provide overall
direction for risk management activities. Internal control activities are in turn a key
element of risk management. They implement the organization's risk management
strategies.
a. Governance also may be viewed as having two major components: strategic direction
and oversight.
Strategic Direction
2. This involves determining (a) the business model, (b) overall objectives, (c) the approach to
risk taking (including the risk appetite), and (d) the limits of organizational conduct.
Oversight
3. This is the governance component with which internal auditing is most concerned. It is also
the component to which risk management and control activities are most likely to be
applied. The elements of oversight are the following:
a. The board has responsibilities to stakeholders.
b. Senior management and risk owners have roles that are performed through risk
management activities.
c. Assurance activities are performed internally and externally.
Board
4. The board is the source of overall direction to, and the authority of, management. It also
has the ultimate responsibility for oversight.
a. Another responsibility is to identify stakeholders, whether directly involved with the
business (employees, customers, and suppliers), indirectly involved (investors), or
having influence over the business (regulators and competitors).
1) The board must determine the expectations of stakeholders and the outcomes
that are unacceptable. Outcomes may be (a) financial (e.g., EPS or tax
exposures), (b) compliance-based (e.g., breaches of the code of conduct or
involvement in lawsuits), (c) operational (e.g., efficient use or protection of
assets), or (d) strategic (e.g., brand strength or customer satisfaction).
Management
5. Management performs day-to-day governance functions. Senior management carries out
board directives (within specified tolerance levels for unacceptable outcomes) so as to
achieve organizational objectives.
a. Senior management must understand (1) the board's expectations, (2) the authority
delegated, (3) tolerance for unacceptable outcomes, and (4) reporting requirements.
b. Thus, senior management determines where specific risks are to be managed, who
will be risk owners (managers responsible for specific day-to-day risks), and how
specific risks will be managed.
c. A risk committee may be created to (1) identify key risks, (2) connect them to risk
management processes, and (3) delegate them to risk owners. This committee also
considers whether tolerance levels delegated to risk owners align with the
organization's risk appetite.
d. Senior management establishes reporting requirements for risk owners related to
their risk management activities.
e. Governance expectations, including tolerance levels, must be periodically
reevaluated. The result may be changes in risk management activities.
RMA
6. Risk owners (a) evaluate the adequacy of the design of risk management activities
(RMA) and the organization's ability to carry them out as designed; (b) determine whether
RMA are operating as designed; (c) establish monitoring activities; and (d) ensure that
information to be reported to senior management and the board is accurate, timely, and
available.
Assurance
7. Assurance activities are most often performed by the internal audit activity. External
assurance may be provided by external auditors, consultants, or industry groups.
Principles
8. The following are 18 governance principles stated in a publication by The IIA:
a. A properly organized and functioning board with the correct number of members; an
appropriate committee structure; established meeting protocols; independent
judgment; and periodically reaffirmed membership.
b. Board members having appropriate qualifications and experience, with a clear
understanding of their role in governance, a sound knowledge of operations, and an
independent and objective mindset.
c. A board with sufficient authority, funding, and resources to conduct independent
inquiries.
d. An understanding by executive management and the board of the operating structure,
including structures that impede transparency.
e. An organizational strategy against which the success of the organization and the
contributions of individuals are measured.
f. An organizational structure that supports accomplishing strategic objectives.
g. A governing policy for the operation of key activities.
h. Clear, enforced lines of responsibility and accountability.
i. Effective interaction among the board, management, external and internal auditors,
and any other assurance providers.
j. Appropriate oversight by management, including establishment and maintenance of
strong controls.
k. Compensation policies and practices, especially for senior management, that are
consistent with the organization's ethical values, objectives, strategy, and control
environment and that encourage appropriate behavior.
l. Communication and reinforcement throughout the organization of an ethical culture,
organizational values, and appropriate tone at the top, including an environment that
allows employee feedback without fear of retaliation and monitors and investigates
potential conflicts of interest.
m. Effective use of internal auditors, ensuring their independence, the adequacy of their
resources and scope of activities, and the effectiveness of operations.
n. Clear definition and implementation of risk management policies, processes, and
accountabilities.
o. Effective use of external auditors, ensuring their independence and the adequacy of
their resources and scope of activities.
p. Transparent disclosure of key information to stakeholders.
q. Disclosure of governance processes, comparing them with recognized national codes
or best practices.
r. Oversight of related party transactions and conflicts of interest.
2110.A1 The internal audit activity must evaluate the design, implementation, and
effectiveness of the organization's ethics-related objectives, programs, and activities.
Forms, Etc.
9. An organization may use various legal forms, structures, strategies, and procedures to
ensure that it
a. Complies with society's legal and regulatory rules.
b. Satisfies the generally accepted business norms, ethical principles, and social
expectations of society.
c. Provides overall benefit to society and enhances the interests of the specific
stakeholders in both the long- and short-term.
d. Reports fully and truthfully to its stakeholders, including the public, to ensure
accountability for its decisions, actions, and performances.
Process
10. The way in which an organization meets its responsibilities is commonly referred to as its
governance process. The board and senior management are accountable for the
effectiveness of the governance process.
Practices
11. Governance practices reflect the organization's unique, dynamic culture and largely
depend on it for effectiveness. The culture (a) sets values, objectives, and strategies;
(b) defines roles and behaviors; (c) measures performance; and (d) specifies
accountability.
a. Thus, the culture determines the degree of sensitivity to social responsibility.
12. Because of the complexity and dispersion of decision-making in most organizations, each
individual should be encouraged to be an ethics advocate, whether officially or informally.
a. Codes of conduct and vision statements may be issued to state (1) the
organization's values and goals, (2) the behavior expected, and (3) the strategies for
maintaining a culture consistent with legal, ethical, and societal responsibilities.
b. Some organizations have designated a chief ethics officer.
13. Internal auditors may have an active role in support of the organization's ethical culture.
Roles may include chief ethics officer, member of an ethics council, or assessor of the
ethical climate.
a. In some circumstances, the role of chief ethics officer may conflict with the
independence attribute of the internal audit activity.
b. The role of, and advice given by, the IAA will depend on the maturity of the
governance system. In a less mature system, the IAA emphasizes compliance with
policies, procedures, laws, etc. It also will address the basic risks to the
organization. In a more mature governance system, the IAA's emphasis is on
optimizing structure and practices.
Ethical Culture
14. The internal audit activity may periodically assess the ethical climate of the organization
and the effectiveness of its processes in achieving legal and ethical compliance. Internal
auditors may therefore evaluate the effectiveness of the following elements of an ethical
culture:
a. A formal Code of Conduct and related statements and policies (including procedures
covering fraud and corruption).
b. Frequent demonstrations of ethical attitudes and behavior by influential leaders.
c. Explicit strategies to support the ethical culture.
d. Confidential reporting of alleged misconduct.
e. Regular declarations by employees, suppliers, and customers about the
requirements of ethical behavior.
f. Clear delegation of responsibilities for providing counsel, investigation, and
reporting.
g. Easy access to learning opportunities.
h. Personnel practices that encourage contributions by employees.
i. Regular surveys of employees, suppliers, and customers to determine the state of
the ethical climate.
j. Regular reviews of the processes that undermine the ethical culture.
k. Regular reference and background checks.
2110.A2 The internal audit activity must assess whether the information technology
governance of the organization sustains and supports the organization's strategies and
objectives.
2110.C1 Consulting engagement objectives must be consistent with the overall values and
goals of the organization.
2500 Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of
results communicated to management.
Practice Advisory 2500-1: Monitoring Progress
1. To effectively monitor the disposition of results, the chief audit executive (CAE)
establishes procedures to include:
• The time frame within which management's response to the engagement
observations and recommendations is required.
• Evaluation of management's response.
• Verification of the response (if appropriate).
• Performance of a follow-up engagement (if appropriate).
• A communications process that escalates unsatisfactory responses/actions,
including the assumption of risk, to the appropriate levels of senior management
or the board.
2. If certain reported observations and recommendations are significant enough to require
immediate action by management or the board, the internal audit activity monitors
actions taken until the observation is corrected or the recommendation is
implemented.
3. The internal audit activity may effectively monitor progress by:
• Addressing engagement observations and recommendations to appropriate
levels of management responsible for taking action.
• Receiving and evaluating management responses, including the proposed
action plan, to engagement observations and recommendations during the
engagement or within a reasonable time after the engagement results are
communicated. Responses are more useful if they include sufficient information
for the CAE to evaluate the adequacy and timeliness of proposed actions.
• Receiving periodic updates from management to evaluate the status of its efforts
to correct observations or implement recommendations.
• Receiving and evaluating information from other organizational units assigned
responsibility for follow-up or corrective actions.
• Reporting to senior management or the board on the status of responses to
engagement observations and recommendations.
PA Summary
• The CAE establishes procedures to monitor the disposition of reported results. They
include (1) a time frame for management's response, (2) an evaluation and
verification of the response (if appropriate), (3) a follow-up (if appropriate), and (4) a
communications process for sending unsatisfactory responses to senior
management or the board.
• Observations and recommendations needing immediate action are monitored until
corrected or implemented.
• Observations and recommendations are addressed to managers responsible for
taking action.
• Management responses are received and evaluated during the engagement or within a
reasonable time afterward. Responses need to be sufficient for the CAE to evaluate
the adequacy and timeliness of proposed action.
• Management gives periodic updates.
• Information is received and evaluated from other units involved in follow-up or
correction.
• The status of responses is reported to senior management or the board.
2500.A1 The chief audit executive must establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.
Practice Advisory 2500.A1-1: Follow-Up Process
1. Internal auditors determine whether management has taken action or implemented
the recommendation. The internal auditor determines whether (a) the desired results
were achieved or (b) senior management or the board has assumed the risk of not
taking action or implementing the recommendation.
2. Follow-up is a process by which internal auditors evaluate the adequacy, effectiveness,
and timeliness of actions taken by management on reported observations and
recommendations, including those made by external auditors and others. This
process also includes determining whether senior management or the board has
assumed the risk of not taking corrective action on reported observations.
3. The internal audit activity's charter should define the responsibility for follow-up. The
chief audit executive (CAE) determines the nature, timing, and extent of follow-up.
The CAE considers the following factors:
• Significance of the reported observation or recommendation.
• Degree of effort and cost needed to correct the reported condition.
• Effect of the failure of corrective action.
• Complexity of the corrective action.
• Time period involved.
4. The CAE is responsible for scheduling follow-up activities as part of developing
engagement work schedules. Scheduling of follow-up is based on the risk and
exposure involved, as well as the degree of difficulty and the significance of timing in
implementing corrective action.
5. The CAE may judge that management's oral or written response indicates that action
taken is sufficient when weighed against the relative importance of the observation or
recommendation. In such a case, internal auditors may follow up as part of the next
engagement.
6. Internal auditors ascertain whether actions taken on observations and
recommendations remedy the underlying conditions. Follow-up activities should be
appropriately documented.
PA Summary
• Auditors follow up by determining whether (1) management has taken action or
implemented the recommendation and achieved the desired results, or (2) senior
management or the board has assumed the risk of not doing either.
• Follow-up addresses the adequacy, effectiveness, and timeliness of actions on
reported observations and recommendations, including those by other auditors.
• The IAA's charter defines responsibility for follow-up. The CAE determines its
nature, timing, and extent after considering (1) the significance of what is reported,
(2) the effort and cost of correction, (3) the effect of failure of correction, (4) the
complexity of correction, and (5) the time involved.
• If action already taken suffices, follow-up may be part of the next engagement.
• Auditors verify that actions remedy underlying conditions.
• The CAE includes follow-up as part of the work schedule. Scheduling depends on the
risk involved and the difficulty and timing of corrective action.
2500.C1 The internal audit activity must monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.
2600 Resolution of Senior Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of
residual risk that may be unacceptable to the organization, the chief audit executive must
discuss the matter with senior management. If the decision regarding residual risk is not
resolved, the chief audit executive must report the matter to the board for resolution.
Follow-Up
1. The internal auditor should
a. Receive all replies by the engagement client to the engagement communications.
b. Evaluate the adequacy of those replies.
c. Be convinced that the action taken will cure the defects.
2. The internal auditor is in the best position to carry out this responsibility. (S)he is
a. Better acquainted with the facts than senior management or other control centers in
the organization.
b. More objective than the operating manager who must take the corrective action.
3. The responsibility for determining whether corrective action is adequate should be coupled
with the authority to evaluate the adequacy of replies to engagement communications.
The internal auditor should
a. Report to management when corrective actions are not timely or effective.
b. Submit periodic reports to management on open engagement observations and
recommendations.
4. The adequacy of a response depends on the circumstances in each case. In general, a
satisfactory response
a. Addresses itself to the complete problem, not just to specific items included in the
internal auditor's sample.
b. Shows that action also has been taken to prevent a recurrence of the deficient
condition.
5. In evaluating the reply, the internal auditor should be satisfied that the action promised is
actually taken. The auditor should
a. Obtain copies of revised procedures issued to correct conditions.
b. Make any field tests needed to provide assurance that the condition has been
corrected.
6. A formal system should be designed to keep engagements open until adequate corrective
action is assured. For example,
a. Provisions should be made for formal opening and closing of engagements.
b. The internal auditors should issue a formal statement of closure, supported by
copies of replies to engagement communications and explanations of the action
taken to ensure the adequacy and effectiveness of corrective measures.
1) Closure reports are directed to the chief audit executive.
c. Engagements should not be removed from the IAA's open engagements listing until
all required corrective actions have been taken and evaluated.
3.3 COMPLIANCE
1. Internal auditors assess compliance in specific areas as part of their role in organizational
governance. They also conduct follow-up and report on management's response to
regulatory body reviews. Given the scope of governmental regulation, these duties of
internal auditors have great importance. Compliance is defined in the Glossary and
covered in two Assurance Implementation Standards.
Caution: Internal auditors are encouraged to consult legal counsel in all matters
involving legal issues. Requirements may vary significantly in different jurisdictions.
2. The Glossary provides the following definition of compliance:
Adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
2120.A1 The internal audit activity must evaluate risk exposures relating to the
organization's governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to the risks within the organization's governance, operations, and
information systems regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.
Programs
3. Compliance programs assist organizations in preventing inadvertent employee violations,
detecting illegal activities, and discouraging intentional employee violations. They also can
help (a) prove insurance claims, (b) determine director and officer liability, (c) create or
enhance corporate identity, and (d) decide the appropriateness of punitive damages.
a. Internal auditors need to evaluate an organization's regulatory compliance
programs.
b. The CAE should meet with regulators to provide relevant information or receive advice
on necessary compliance.
Standards
4. The organization should establish compliance standards and procedures to be followed
by its employees and other agents who are reasonably capable of reducing the prospect of
criminal conduct. They should include the following:
a. The entity should have a clearly written, straightforward, and fair business code of
conduct that provides guidance to employees on relevant issues and is user-
friendly.
b. An organizational chart should identify personnel responsible for compliance
programs.
c. Financial incentives should not reward misconduct.
d. International organizations should have a compliance program on a global basis that
reflects local conditions and laws.
Responsibility
5. Specific high-level personnel who are properly empowered and supplied with necessary
resources should have overall responsibility for the compliance program.
a. Senior management also should be involved.
b. High-level personnel have substantial control of the entity or a substantial role in
making policy.
c. Compliance personnel should have adequate access to senior management, and the
chief compliance officer should report directly to the CEO.
Applicant Screening
6. Due care should be used not to delegate authority to those with a tendency to illegality.
a. Applications should inquire about criminal convictions or discipline by licensing
boards.
b. All applicants should be screened in a lawful manner that does not infringe upon
privacy rights. The purpose is to detect evidence of past wrongdoing, especially
that within the organization's industry.
Communication
7. Standards and procedures, including readily available ethics-related documents, should
be communicated effectively, preferably in an interactive format and on multiple
occasions.
a. Training programs and publications are typical methods. The best training allows
employees to practice new techniques and use new information.
b. Compliance information should be conveyed through a variety of available media.
Moreover, the program should be presented to different sets of employees, targeting
the information to the areas important to each functional group and its job
requirements. For example, environmental compliance information should be
directed to those departments, such as manufacturing or real property management,
that have an increased likelihood of violating or detecting violations of such laws and
regulations.
c. New employees should receive basic compliance training as part of their orientation,
and agents of the entity should be given a presentation specifically for them.
1) Agents should understand the entity's core values and that their actions will be
monitored.
d. Organizations also should require employees to certify periodically that they have
read, understood, and complied with the code of conduct. This information should be
relayed annually to senior management and the board.
Monitoring and Reporting
8. Monitoring and auditing systems for detecting illegal or unethical behavior and employee
hotline reporting systems should be used. The best prevention is to coordinate multiple
monitoring and auditing systems as opposed to relying on one system or on an
independently functioning system(s).
a. For example, the internal audit plan should be given appropriate resources and apply
to all of the entity's businesses. Also, it should include a review of the compliance
program.
1) The review considers (a) effectiveness of written materials, (b) employee receipt
of communications, (c) handling of violations, (d) fairness of discipline,
(e) observance of any protections afforded to informants, and (f) fulfillment of
compliance unit responsibilities.
b. Attorney-client and attorney work-product privileges protect certain information
disclosed to (or produced by) an attorney from being used by an adverse party in a
legal proceeding. An attorney monitoring the hotline is best able to protect the
privileges. However, employees may have little confidence in such hotlines or in
write-in reports or an off-site ombudsperson. But they may have confidence in
hotlines answered by an in-house representative and backed by a
nonretaliation policy. Though steps should be taken to protect anonymity, a hotline
cannot ensure it.
c. An on-site ombudsperson is more effective if (s)he (1) reports directly to the chief
compliance officer or the board, (2) can keep the names of informants secret,
(3) provides guidance to informants, and (4) undertakes follow-up to ensure that
retaliation has not occurred.
d. An ethics questionnaire should be sent to each employee asking whether the
employee is aware of kickbacks, bribes, or other wrongdoing.
e. Compliance standards should be consistently enforced by adequate, fair, case-
specific discipline.
1) Punishment should be appropriate to the offense, such as a warning, loss of
pay, suspension, transfer, or termination.
2) The program should provide for the discipline of managers and other
responsible persons who knew or should have known of misconduct and did
not report it. Failure to do so indicates a lack of due diligence. As a result, a
court may rule that (a) the program is not effective, and (b) the organization is
therefore legally liable for giving authority to persons with a tendency to commit
crimes.
f. Termination or other discipline of employees may be limited by (1) whistleblower
laws; (2) exceptions to the employee-at-will doctrine; (3) employee or union contracts;
and (4) employer responsibilities with regard to discrimination, wrongful discharge,
and employer good faith doctrines.
g. Employee discipline should be thoroughly documented so that the entity will be able
to prove that it made its best effort to collect information and took appropriate action.
h. After detection, the response should be appropriate and designed to prevent other
similar offenses.
1) In some circumstances, an appropriate response could require self-reporting
the violation to the government, cooperation with investigations, and the
acceptance of responsibility.
a) But an effective compliance program and appropriate responses could
result in more lenient punishment.
i. Failure to detect or prevent a serious violation could indicate that the compliance
program needs to be restructured. One change that may be required could be the
replacement or transfer of compliance personnel.
3.4 SUMMARY
1. The internal audit activity evaluates and contributes to the improvement of risk management,
control, and governance processes using a systematic and disciplined approach.
2. The IAA evaluates the adequacy and effectiveness of governance, risk management, and
control processes. These processes should provide reasonable assurance that objectives
will be met.
3. Management is responsible for the sustainability of the organization and is accountable to
stakeholders. Thus, it plans, organizes, and directs and establishes an organizational
culture.
4. Because the IAA evaluates the whole management process, its work extends to all systems,
processes, operations, functions, and activities.
5. The internal audit activity must assess and make appropriate recommendations for
improving the governance process in its accomplishment of the following objectives:
a. Promoting appropriate ethics and values within the organization.
b. Ensuring effective organizational performance management and accountability.
c. Communicating risk and control information to appropriate areas of the organization.
d. Coordinating the activities of and communicating information among the board,
external and internal auditors, and management.
6. The chief audit executive must establish and maintain a system to monitor the disposition of
results communicated to management. Thus, the chief audit executive must establish a
follow-up process to monitor and ensure that management actions have been effectively
implemented or that senior management has accepted the risk of not taking action.
7. Internal auditors assess compliance in specific areas as part of their role in organizational
governance. They also conduct follow-up and report on management's response to
regulatory body reviews.