
Overseeing the internal audit
The audit committee guide series

Effective audit committees are critical to the quality of financial
reporting and the proper conduct of business. This guide is one of a series
that is meant to help audit committees meet their oversight and fiduciary
responsibilities.
Trent Gazzaway, National Managing Partner of Audit Services

Contents
Audit committee responsibility
Internal audit tests
Internal audit role for ERM
Audit committee responsibility for ERM
Oversight and reporting
Grant Thornton's internal audit services
Suggested reading
Offices of Grant Thornton LLP

The audit committee guide series has been adapted from The Audit Committee
Handbook, Fifth Edition, published by John Wiley & Sons and available for
purchase at www.GrantThornton.com/ACHandbook and through major
online booksellers and bookstores nationwide.

Although less clearly mandated than external audit supervision, the audit
committee does have responsibility for overseeing the planning, execution and
reporting process of the internal audit function.

Internal auditors work the middle ground between management, the audit
committee and the external auditor, maintaining objectivity in their review
of operations and of risk management, control, and governance processes.
According to the New York Stock Exchange's (NYSE) rules: Listed companies
must maintain an internal audit function to provide management and the audit
committee with ongoing assessments of the company's risk management processes
and system of internal control. A company may choose to outsource this function
to a third party service provider other than its independent auditor.1

How will financial reform impact your company?

The regulatory landscape is changing for companies and their audit committees. Go to
www.GrantThornton.com/FinancialReform to review Grant Thornton's outline of key financial
reform issues and actions you can take to guide your company through them: Financial reform:
What public companies and their audit committees need to know about the Dodd-Frank Act.
Visit our Audit Committee Resource Center at www.GrantThornton.com/AuditCommittees for relevant
and timely information that companies and their audit committees need to know.

1 See NYSE Rule 303A.07(d).


Audit committee responsibility

Internal audit typically reports to the audit committee, which is responsible
for overseeing the internal audit planning, execution and reporting process.
More specifically, the audit committee is responsible for:2
1. reviewing and approving the internal audit activity's charter;
2. ensuring communication and reporting lines between the head
   of internal auditing and the audit committee;
3. reviewing internal audit staffing and ensuring that the function
   has the necessary resources;
4. reviewing and assessing the annual internal audit plan;
5. overseeing the coordination of the internal auditor with the external auditor;
6. reviewing periodic reports on the results of the internal auditor's work;
7. reviewing management's responsiveness to internal audit's findings and
   recommendations; and
8. monitoring and assessing internal audit effectiveness.

The audit committee's responsibility extends to understanding internal audit
plans and tests, as well as broader risk evaluation initiatives of Enterprise Risk
Management.

2 See IIA, Audit Committee Briefing Internal Audit Standards: Why They Matter, 4. Available at
www.theiia.org/download.cfm?file=83632.


The Institute of Internal Auditors (IIA) defines internal audit as an
independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
governance processes.
Source: The IIA's International Professional Practices Framework (IPPF)


Internal audit tests

Internal audit plans typically cover financial reporting, operational efficiency and
compliance with laws, regulations and corporate policies. As business accelerates
and becomes more complex, internal auditors must be better able to identify and
address potential problems expeditiously. Regardless of the type of audit being
performed, good analytical tools, risk assessment methodologies, training and
planning are important to the internal audit function.

Financial reporting audits

Financial reporting audits test the efficacy of internal control over financial
reporting (ICFR). Internal auditors develop a testing plan in much the same
way external auditors do, by:3
• assessing and prioritizing risks to financial reporting objectives;
• understanding how the internal control systems address those risks,
  and identifying key controls;
• determining what information is necessary to conclude on the effectiveness
  of those controls; and
• designing and executing appropriate tests.

The audit committee (or management) may also request of internal auditors:
• interim financial audits, distributed internally, for improving the reliability
  of information used for decision making, and for identifying potentially
  material problems early;
• verification of digital tagging of financial statement items found in reports using
  Extensible Business Reporting Language (XBRL); and
• special assignments, such as improving internal control in a given area or
  implementing a fraud prevention program.
3 See COSO, Guidance on Monitoring Internal Control Systems (2009), par. 42-53.


Operational audits

Operational audits evaluate and improve the efficiency and effectiveness of certain
functions, and often result in recommendations to management for operational
improvements.

Internal auditors may be asked to evaluate the performance of individual
managers, and may also be tasked with developing process improvements or
implementing fraud prevention measures.

The planning process for operational audits is similar to that of financial audits,
and involves:
• assessing risks to operational objectives;
• understanding how the organization's controls manage or mitigate the risks; and
• assessing the effectiveness of those controls.

Compliance audits

Compliance audits validate adherence to internal managerial policies and regulatory
requirements. Periodic compliance audits help protect the organization from severe
consequences of intentional and unintentional violations of policy or law.

Compliance audit plans may be structured similarly to financial and operational
plans, but because compliance audits often involve legal matters, their scope and
the work conducted may be directed by legal counsel.


Internal audit role for ERM

The umbrella of Enterprise Risk Management (ERM) encompasses all of the
aforementioned internal audit types (reporting, operations and compliance)
plus strategic audits to align high-level goals with the organization's mission.
ERM helps management and the board to see the universe of risks that could affect
organizational objectives and to take a rational, measured response to each one.

The more complex an organization, the more complex the ERM plans will be for:
• assessing and prioritizing the risk to organizational objectives;
• determining how best to respond to risks given company objectives;
• determining that the response was effective; and
• designing and executing appropriate monitoring procedures.

ERM is the process of identifying and managing significant risks across the
organization that are likely to impact its success in achieving objectives.


Audit committee responsibility for ERM

Although the board delegates to management the responsibility for managing
and mitigating enterprise risks, oversight of that process may fall to the audit
committee. The NYSE has explicitly outlined audit committee responsibility
for ERM: The audit committee should discuss the company's major financial
risk exposures and the steps management has taken to monitor and control such
exposures. The audit committee is not required to be the sole body responsible
for risk assessment and management, but the committee must discuss guidelines
and policies to govern the process by which risk assessment and management is
undertaken.4

Audit committee members should have a working knowledge of ERM
that includes:5
• understanding the entity's risk philosophy and concurring with the
  entity's risk appetite;
• knowing the extent to which management has established effective
  enterprise risk management of the organization;
• reviewing the entity's portfolio of risk and considering it in light of
  the entity's risk appetite; and
• being apprised of the most significant risks and whether management
  is responding appropriately.

4 See NYSE Rule 303A.07(c)(iii)(D).
5 Effective Enterprise Risk Oversight: The Role of the Board of Directors. COSO, 2009. Available at
www.coso.org/documents/COSOBoardsERM4pager-FINALRELEASEVERSION82409.pdf.


Oversight and reporting

Although internal audit typically reports to the audit committee, or sometimes
to management, it is important for the audit committee to maintain open lines of
communication with both management and the board. Chief Audit Executives
(CAEs) usually meet with the audit committee or the board at least annually and in
private. By participating in these and other meetings relative to the board's financial
oversight responsibilities, CAEs stay apprised of strategic business and operational
developments, raise high-level risks early, and exchange information concerning
internal audit planning functions.6

With no legal requirements that specify a standard level of certification,
people calling themselves internal auditors can have a broad range of aptitude
and training. Thus, audit committee members may want to inquire about the
professional qualifications of internal audit personnel.

6 See IIA's Practice Advisory 1111-1, Board Interactions.


Grant Thornton's internal audit services

Companies today face the pressure of doing more with fewer resources. Every
business function, including internal audit, is expected to bring value to the
organization. Whether it's by reducing overall compliance costs or identifying
cost containment opportunities by process improvement initiatives, management
will look to internal audit to do their share. Grant Thornton understands these
demands. We can help you not only to create and implement internal controls that
safeguard your business assets, but also to increase the efficiency, effectiveness and
overall performance of the internal audit function.

Our internal audit professionals work with you to assess your corporate
level risk, identify the areas of greatest risk, and develop appropriate work plans
and audit programs to mitigate those risks. We help you assess your control
environment and establish your ongoing compliance plan, complementing your
existing independent audit relationships and enhancing the overall quality of your
corporate governance.

Grant Thornton's internal audit services include:
• Full outsourcing of internal audit
• Co-sourcing with the existing internal audit function
• Internal audit transformation
• Information technology auditing
• Process mapping and process reviews
• Internal controls documentation and testing
• Operational audits
• Quality assurance reviews


Contact a member of our Governance, Risk and Compliance Solution Group

Warren Stippich
National and Midwest Region Solution Leader
T 312.602.8499
E Warren.Stippich@gt.com

Edward Hill
Central Region Solution Leader
T 832.476.3710
E Edward.Hill@gt.com

Bailey Jordan
Southeast Region Solution Leader
T 336.271.3965
E Bailey.Jordan@gt.com

Bill Mellon
Northeast Region Solution Leader
T 215.376.6087
E Bill.Mellon@gt.com

Justin Hendrickson
West Region Solution Leader
T 206.398.2436
E Justin.Hendrickson@gt.com

Subscribe to Grant Thornton publications at www.GrantThornton.com/Subscribe
Receive relevant white papers and timely updates on industry issues and the regulatory environment.

CorporateGovernor white paper series
Ensure your public company is run well and in accordance with applicable laws and regulations. Explore
a range of topics from fraud prevention and detection to financial reporting control and SOX compliance:

Enterprise risk management: Creating value in a volatile economy
discusses why implementing an enterprise risk management (ERM) program
can benefit companies in a down economy and how ERM can help enhance
business strategy.

Hear that whistle blowing! Establishing an effective complaint-handling
process addresses an important mandate of the Sarbanes-Oxley Act: the
requirement that audit committees establish procedures for receiving,
documenting and handling complaints related to accounting and auditing matters.

Fraud in the economic recovery
As companies pick up the pieces following a bruising bout of the economic
blues, they need to be on the lookout for fraud. From heightened fraud risk to
due diligence strategies for companies purchasing distressed assets, this
CorporateGovernor white paper provides a sound overview of fraud prevention
in today's economic environment.

Timely updates
Tailored to management, boards and audit committees of mid-cap public companies, these updates
help you stay abreast of issues that affect the marketplace and your business.
Boardroom awareness: Service organization reports in transition
to new U.S. and international standards
In this issue of CorporateGovernor newsletter, Grant Thornton advisory
professionals discuss the new service organization reporting standards that are
set to replace Statement on Auditing Standards No. 70 (SAS 70) by mid-2011.

Information overload: How to make data analytics work for the internal
audit function
Learn how your internal audit department can effectively use data analytics to
add value to your organization.


Suggested reading

The Audit Committee Handbook, Fifth Edition (Wiley, 2010,
ISBN: 978-0-470-56048-8, U.S. $95.00).

The Audit Committee Handbook is co-authored by Grant Thornton LLP
audit committee experts R. Trent Gazzaway, national managing partner of Audit
Services, and Robert H. Colson, partner in Public Policy and External Affairs,
along with Louis Braiotta Jr., professor of accounting at SUNY Binghamton's
School of Management, and Sridhar Ramamoorti, principal at Infogix Advisory
Services. The Audit Committee Handbook provides practical, in-depth guidance
on all audit committee functions, duties and responsibilities. This latest edition
features regulatory updates, new chapters on audit planning and oversight,
heightened focus on fraud risk, and broad international coverage. The Audit
Committee Handbook is available at www.GrantThornton.com/ACHandbook
and through major online booksellers and bookstores nationwide.

The Anti-Corruption Handbook: How to Protect Your Business in the Global
Marketplace (Wiley, 2010, ISBN: 978-0-470-61309-2, U.S. $75.00)

Today's demanding marketplace expects CFOs, auditors, compliance officers
and forensic accountants to take responsibility for fraud detection. These
expectations are buoyed by such legislation as the Foreign Corrupt Practices
Act, which makes it a crime for any U.S. entity or individual to obtain or retain
business by paying bribes to foreign government officials. Written by William
P. Olsen, the national practice leader of Forensics, Litigation and Investigation
Services at Grant Thornton LLP, The Anti-Corruption Handbook provides
guidelines addressing the challenges of maintaining business integrity in the
global marketplace.


Grant Thornton LLP offices

National Office
175 West Jackson Boulevard
Chicago, IL 60604
312.856.0200

National Tax Office
1900 M Street, NW, Suite 300
Washington, DC 20036
202.296.7800

Arizona
Phoenix 602.474.3400

California
Irvine 949.553.1600
Los Angeles 213.627.1717
Sacramento 916.449.3991
San Diego 858.704.8000
San Francisco 415.986.3900
San Jose 408.275.9000
Woodland Hills 818.936.5100

Colorado
Denver 303.813.4000

Florida
Fort Lauderdale 954.768.9900
Miami 305.341.8040
Orlando 407.481.5100
Tampa 813.229.7201

Georgia
Atlanta 404.330.2000

Illinois
Chicago 312.856.0200
Oakbrook Terrace 630.873.2500

Kansas
Wichita 316.265.3231

Maryland
Baltimore 410.685.4000

Massachusetts
Boston 617.723.7900

Michigan
Detroit 248.262.1950

Minnesota
Minneapolis 612.332.0001

Missouri
Kansas City 816.412.2400
St. Louis 314.735.2200

Nevada
Reno 775.786.1520

New Jersey
Edison 732.516.5500

New York
Long Island 631.249.6001
Downtown 212.422.1000
Midtown 212.599.0100

North Carolina
Charlotte 704.632.3500
Greensboro 336.271.3900
Raleigh 919.881.2700

Ohio
Cincinnati 513.762.5000
Cleveland 216.771.1400

Oklahoma
Oklahoma City 405.218.2800
Tulsa 918.877.0800

Oregon
Portland 503.222.3562

Pennsylvania
Philadelphia 215.561.4200

South Carolina
Columbia 803.231.3100

Texas
Austin 512.391.6821
Dallas 214.561.2300
Houston 832.476.3600
San Antonio 210.881.1800

Utah
Salt Lake City 801.415.1000

Virginia
Alexandria 703.837.4400
McLean 703.847.7500

Washington
Seattle 206.623.1121

Washington, D.C.
Washington, D.C. 202.296.7800

Wisconsin
Appleton 920.968.6700
Milwaukee 414.289.8200

Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton International Ltd
The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest
quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of
Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd
and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.
In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.
