External auditors may choose to rely on the work performed by the client's internal auditors

Institute of Internal Auditors

William G. Bishop III, CIA
President
Tel: +1 407 937 1200

January 13, 2003

Jonathan G. Katz, Secretary
U.S. Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549-0609
VIA E-Mail:

RE: File No. S7-49-02
Proposed Rule: Strengthening the Commission's Requirements Regarding Auditor Independence

Dear Mr. Katz:

The Institute of Internal Auditors (IIA) is very interested in and supportive of the Securities and Exchange Commission's (SEC) efforts to improve corporate governance by enhancing the independence of external auditors. The IIA and our 82,000 members believe that good governance and accurate financial reporting emanate from the coordinated interaction of the board/audit committee, management, internal auditors, and external auditors. We believe we are uniquely qualified to offer comments about the impact of certain provisions of the proposed rule regarding the independence of the external auditor, particularly in those areas where there is an internal auditing relationship. Accordingly, in offering our comments on the rules proposed to implement Section 208(a) of the Sarbanes-Oxley Act of 2002, we have focused the majority of our response in areas that are dependent upon understanding the definition of internal auditing and scope of activities performed by internal auditors.

Summary of IIA Positions on Auditor Independence

The IIA believes that preserving the independence of the external auditor is critical to restoring investor confidence and that actions being promulgated by this rule need to provide clear and unambiguous guidance. From the vantage point of The IIA, the most essential outcome of this rule should be a clear definition of internal auditing and its role in the comprehensive system of checks and balances that are essential for an effective governance process. The questions about the extent to which external auditors can perform internal (operational) audits and other non-audit services must be clarified and can best be addressed through rules that clearly define the distinct roles for directors, executive management, public accountants, and internal auditors. We believe that the following are among the critical considerations that need to be addressed:

  1. Internal auditing is a profession separate and apart from the profession of public accounting. Internal auditing standards and ethical codes as well as certification requirements differ from those of the independent public accountant. Internal auditing addresses all aspects of the company that safeguard assets and promote the achievement of objectives as compared with the emphasis on accounting controls and public reporting which are the primary domain of external auditors.

  2. The objectives of a system of internal control address the reliability of financial information, the efficiency and effectiveness of operations, and compliance with laws, regulations, and policies. One of the primary responsibilities of an internal auditor is to provide to directors and executives an assessment of the adequacy of internal controls. Understanding this role of internal auditors is key to assessing the degree of service that can be provided by the external auditor in a non-audit engagement.

  3. Internal audit services cannot be provided by the same accounting firm that audits the organization's financial statements, as it would impair the independence of the external auditor. A "zero tolerance" approach for non-audit services should be adopted, as independence is impaired, regardless of the size of the organization, if the same firm audits the financial statements and performs internal audit services. [Question 4 in Section II, Subsection B.5]. An exemption from this approach for small public entities should not be allowed. [Question 2 in Section II, Subsection B.5].

In response to the issues and questions posed in Section II, Subsection B.5, The IIA recommends that the SEC:

  • Adopt The IIA's definition of internal auditing,

  • Endorse The IIA's Standards for the Professional Practice of Internal Auditing (Standards) for those providing internal auditing services, and

  • Require use of a principles-based approach to gauge any non-audit services that may be provided by external auditors.

We further recommend that this rulemaking should recognize the Committee of Sponsoring Organizations of the Treadway Commission (COSO) definition of Internal Control to foster understanding of the differences between internal auditing and internal control. [Question 5 of Section II, Subsection B.5]. Finally, we agree with the principles in the paragraph in Section II, Subsection B.5 that external auditors should not audit their own work, perform management functions, or act as an advocate for their clients.

* * *

The following parts of this letter present The IIA's views and recommendations about questions and issues discussed in the SEC release. We have arranged our comments in the order that the issues and questions are presented in the proposal.

Conflicts of Interest Resulting from Employment Relationships [Section II, Subsection A]

The Sarbanes-Oxley Act restricts external auditors from assuming certain employment positions within client organizations. We believe that the SEC rules should be amended to include the position of chief internal audit executive among the list of positions specifically proscribed for a one-year period preceding the date of the initiation of an audit. Presumably the chief internal auditor would fall in the category of "person serving in an equivalent position," but given the significance of the chief audit executive within an organization, relationship with the audit committee, and extent of coordination with the external auditor, we believe this position should be added to and explicitly mentioned in the SEC rules.

The SEC exposure draft questions if a one-year cooling off period is sufficient before audit engagement team members assume certain employment positions, as defined by the SEC, with client organizations. However, one year may not be sufficient in some circumstances. The relationship between auditor and client may be affected by the tenure of the engagement team members with the external audit firm, length of service to the audit client, the significance of the position in the firm (i.e. partner) or the potential compensation package offered by the client organization. Therefore, we recommend that, in addition to a one-year cooling off period, the audit committee be charged with reviewing the potential employment of someone from the accounting firm to determine if any of the above factors might suggest that a longer period is necessary to assure a cooling of the former relationship. To emphasize the point, we note that the New York Stock Exchange has proposed a five-year cooling off period for independent directors if they are former company employees or employees of the company's independent auditors.

Perhaps of equal significance to considerations about client employment of external auditors is the number of external auditors hired from the same firm. An organization that hires several external auditors from the same public accounting firm, especially from the client engagement team and same local office, into key management positions may need to be more concerned about possible independence considerations. Another factor to consider is the time period during which the hiring is conducted. Hiring a large number of external auditors from the same local office over a relatively short time span could increase the risk of impairments to independence.

Services Outside the Scope of the Practice of Auditors - Internal Audit Outsourcing [Section II, Subsection B.5]

Question 1. Inserting Definition of Internal Auditing

The exposure draft poses the question "Is the definition of the 'internal audit function' sufficiently clear?" However, nowhere is "internal audit function" actually defined. We believe that the rule should include a clear definition of internal auditing. The IIA has promulgated the most authoritative and widely recognized definition of internal auditing and supports it through a comprehensive framework of standards (Standards for the Professional Practice of Internal Auditing) and guidance (Practice Advisories). The IIA's Professional Practices Framework, which includes the Standards for the Professional Practice of Internal Auditing and the Practice Advisories, can be found on The IIA web site at www.theiia.org.

The IIA defines internal auditing as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

This definition covers a broad scope of practice, and must be so to reflect the diverse practice of internal auditing in many organizations and on a worldwide basis. However, linking the definition with the Standards provides a sound basis upon which to understand the nature and activities of internal auditing. While The IIA's definition of internal auditing is acknowledged as authoritative and widely accepted around the world, its breadth is indicative of the fact that there is some work performed by the internal auditor and the external auditor that may be similar in nature, employ the same techniques and require audit of some of the same controls, processes or information. The differences between internal and external auditing are also to be found in the relationship with the organization and in the breadth of services. While both internal and external auditors employ similar systematic and disciplined examination processes, there are distinguishing characteristics.

The external auditor or public accountant should always be external to the organization and independent of its management. The external auditor owes primary allegiance to public investors and owners. The primary skill or expertise held by the public accountant is the knowledge of prescribed accounting principles that permit financial statements to be relied on by investors and other stakeholders.

Internal auditors monitor and evaluate the entire system of internal control for the company while maintaining independence from responsibility for management direction and control. However, a professional internal auditing function should be expected to be fully conversant with the goals, policies, and processes of the company including its culture. The primary skill of the internal auditor is the knowledge of the business and broad systems of internal control.

The individual missions of the internal and external auditors converge at the audit committee of the board of directors and bring unique and necessary information to these directors. Both will bring information about the state of internal controls, and the work of each should be carefully coordinated to preclude overlap and omission. The American Institute of Certified Public Accountants and The IIA support the need for this collaborative effort.

Our recommendation is that the SEC should adopt The IIA's definition of internal auditing, endorse The IIA's Standards for the Professional Practice of Internal Auditing (Standards) for those providing internal auditing services, and adopt the safest course of action which is for the SEC to draw a "bright line" requirement that prohibits the firm that performs the financial statement audit from conducting any internal audit services. No exceptions, no loopholes, no ambiguous terms, and no materiality considerations for "discrete" items. (See subsequent commentary regarding operational audits, audits of small businesses and individual projects).

Question 2. Deleting Exceptions for Small Businesses

The external auditor's independence is impaired if he or she conducts both the financial statement audit and internal auditing services, regardless of the size of the organization. Public companies have an obligation to investors and stakeholders to ensure that financial results are fairly reported and audited by an "independent" public accountant. This obligation holds true for both large and small businesses. If an organization is listed on a public exchange and accepts investors' money, then all listed companies should be required to conform to the same independence standards.

Both small and large businesses should implement a proper system of checks and balances to ensure investors and other stakeholders that operations are conducted according to established policies and procedures. Every organization, regardless of size, should have some type of internal control system or process, and, as pointed out in COSO's Internal Control - Integrated Framework, a key component of control is monitoring. Monitoring in a small privately held company can be as basic as the owner reviewing activity in the checkbook. In a larger public company it can be as extensive as an independent, objective assurance and consulting activity, professionally staffed that evaluates risk management, control, and governance processes. A formal internal audit function tends to develop over time and grow with the organization. The structure of the internal auditing function may run from assigning someone part-time responsibilities for internal auditing, to reliance on procedures performed periodically by third party providers, to establishing a professionally staffed, in-house internal auditing group.  

Factors to be considered in determining the need for an internal audit function include stakeholders' expectations, risk tolerance levels, public or legal requirements, and the size and complexity of the organization and its operations. Size factors considered might include assets, revenue, expenses, liquidity and location of assets, number and locations of operating facilities, number of employees, and volume of activity. Governing bodies may simply need to ask themselves whether they have reliable assurance that financial and other information is correctly reported, whether controls and procedures are functioning as planned, and whether programs are meeting expectations.  

Audit committees in new industries or in industries undergoing change need to be especially alert to the need to establish and monitor control over risks. Some would say that internal auditing should be established at the time that an organization goes public. Certainly, any organization that takes shareholder money should have a governance structure comprising strong, independent audit committees supported by professional internal auditors engaged in the assessment of risks and controls.  

Question 3. Avoiding the Distinction that Performing Individual Audit Projects is Okay, But Not Outsourcing Services

We do not see any difference in "outsourcing" or "individual audit projects." If the external auditor conducts the financial statement audit and performs internal auditing services, under either term, the effect is still the same - the external auditor is placed in the position of auditing his or her own work and/or performing management functions, and independence is impaired. You can create a different label for the service, but the substance is still the same.

Another way of asking this question would be to say "can the external auditor outsource a 'portion' of the internal audit function without impairing independence?" The answer is still the same - independence is impaired regardless of how much of the internal audit activity is performed by the external auditor.

Since potential problems can surface in any area of an organization and can be found during any type of audit - financial, operational, compliance - situations that challenge independence can arise under any scenario. Major problems and potential conflicts of interest can arise in large and small businesses, financial and operational audits, all throughout an organization or in the smallest, most discrete segment of a business. For these reasons, independence safeguards should apply to all businesses, large and small alike, to every type of audit, and from total outsourcing of the entire internal audit function to performance of the smallest internal audit project.

Question 4. Advising Against Any Safeguards That Would Protect Independence in Outsourcing Situations

We are not aware of any safeguards that could be established by the auditor that would prevent independence from being impaired without creating a conflict of interest for the auditor. The auditor being responsible for establishing safeguards to ensure his or her own independence places the auditor in a potential position of having to "blow the whistle" on themselves. This has already proven not to be the best scenario.

We believe that the same firm that provides the financial statement audit should be prohibited from providing any internal auditing services and that the SEC should not attempt to develop rules that would permit such services.

Questions 5 and 6. Deleting Exceptions for Operational Internal Audits

The exposure draft indicates that the independence rule "...does not include operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements." While the term "operational internal audits" is used quite frequently, there is no common definition of what this means. Also, it is wrong to assume that operational internal audits are unrelated to internal accounting controls, financial systems, or financial statements. It is difficult to envision any "operational internal audits" that are actually unrelated to the internal accounting controls, financial systems, or financial statements. All activities in every organization ultimately have an impact on the financial statements, are measured by the financial system in terms of revenue and expenses, and are affected by internal accounting controls - budgets, expense reports, journal entries for transactions, authorization and approval of activities. The trend toward integrated operational and financial systems blurs the differentiation made here.

Rather than provide an exception for "...operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements", which would seem impossible to define, we suggest deleting reference to this point. Additionally, it may prove extremely difficult to define and subsequently enforce rules that would allow "nonrecurring evaluations of discrete items or programs that are not in substance the outsourcing of the internal audit function." What is "discrete" is left open to interpretation and will certainly vary by organization. Similarly, what is "nonrecurring" is too broad to deal with effectively without specifying a time frame. Should it be "nonrecurring" over one year, two years, or three years? If the internal audit function, or rather the services to be provided, are judged against established principles, and internal audit activities are not specifically defined, it will not be possible to determine what is "...not in substance the outsourcing of the internal audit function."

During the conduct of an audit determined to be an "operational internal audit unrelated to the internal controls, financial systems, or financial statements," what happens if the auditors uncover a weakness or problem that actually affects the internal controls, financial systems, or financial statements? If they report this finding in the operational audit report, does this make the audit an "internal audit that is related to internal controls, financial systems, or financial statements," and therefore a prohibited practice? If the auditors remain silent on the finding, then they have violated internal auditing standards, performed a disservice to the client, failed to meet expectations of stakeholders, and maybe even engaged in or become an accomplice to an illegal activity. If the audit findings do not reveal problems - either control weaknesses or financial problems - but recommend improvements in operating procedures or other efficiency measures, such action can still translate into an effect on the financial systems or financial statements, or maybe even on internal controls. In order to avoid dilemmas that are almost certain to occur, the rules should not provide exceptions for an activity that cannot be defined and that generates results that ultimately translate into an effect on the financial statements.

COSO stressed the importance of a concept of internal controls broader than internal accounting controls. Modern internal control models such as the COSO model view financial and operational controls as a part of the same system of controls. Operational auditing is the comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.

Internal Control - Integrated Framework states:

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.

  • Reliability of financial reporting.

  • Compliance with applicable laws and regulations.

The COSO definition of internal control clarifies that operational issues are included within the scope of internal controls. The IIA believes that the SEC's question "Would it impair the auditor's independence if the auditor performs only operational audits unrelated to internal controls, financial systems, or financial statements?" is inconsistent with the COSO definition of internal control. We believe that operational auditing should be subject to evaluation for independence conflicts using the same criteria employed to evaluate all other internal auditing services.

The safest course of action is for the SEC to draw a "bright line" requirement that prohibits the firm that performs the financial statement audit from conducting any internal audit services. No exceptions, no loopholes, no ambiguous terms, and no materiality considerations for "discrete" items.

Audit Committee Administration of the Engagement [Section II, Subsection D]

Question 2. Allowing Audit Committee Policy for Approval of Non-audit Services

The SEC exposure draft questions if it is appropriate for audit committees to establish specific policies for approval of non-audit services as opposed to detailed reviews, presentations, discussions, and votes in advance of each contracted service. The IIA believes that audit committees should be allowed to adopt operating policies that establish appropriate guidelines for contracting non-audit services. Requiring audit committee votes and approvals for each service or transaction is not reasonable or practical and would place the audit committee in a role similar to operating management. Audit committees should be able to adopt a policy to govern this activity and simply review overall compliance with the policy. To facilitate review of policy compliance a schedule of all services contracted should be reviewed at each audit committee meeting.

Question 5. Requiring Communications with Internal and External Auditors

The SEC exposure draft questions what policies and procedures should be established to facilitate communications between audit committee members and auditors, and for evaluating the independence of external auditors. A properly developed audit committee charter should establish appropriate requirements to facilitate communications and evaluations of auditor independence.

In summary, the audit committee charter should contain the following:

  • Key components such as the purpose, authority, and responsibilities of the audit committee.

  • Identification of the operating guidelines of the committee relative to committee composition, meeting frequency and overall guidelines.

  • Relationship with internal and external auditors and management.

  • Requirements for approval of both audit and non-audit services, including the overall internal audit plan.

To enhance independence, particularly for internal auditors, The Institute recommends that the following provisions be included in the audit committee charter:

  • The audit committee should ensure that the internal audit function is structured in a manner that achieves organizational independence and permits full and unrestricted access to top management, the audit committee, and the board.       

  • The audit committee should review the internal audit function's charter and ensure unrestricted access by internal auditors to records, personnel, and physical properties relevant to the performance of engagements.       

  • The audit committee should review and approve the annual internal auditing budget and assess the appropriateness of the resources allocated to internal auditing.       

  • Decisions regarding hiring or termination of the Chief Audit Executive (CAE) should require endorsement by the chairman of the audit committee.       

  • The chairman of the audit committee should also be appropriately involved in performance evaluation and compensation decisions related to the CAE.       

  • The audit committee should regularly provide the CAE and the external auditor with the opportunity to confer privately with the committee, without the presence of management.

    The IIA has developed considerable guidance to facilitate interaction between audit committees, internal and external auditors. The following, which can be found on The IIA's web site, is a partial listing of some of this guidance:

    • Practice Advisory 2060-2: Relationship with the Audit Committee (See Attachment 1)

    • Practice Advisory 2120.A1-1: Assessing and Reporting on Control Processes

    • Practice Advisory 2050-2: Acquisition of External Audit Services

    • Practice Advisory 1210.A1-1: Obtaining Services to Support or Complement the Internal Audit Activity.

    • Practice Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines

    • Audit Committee Effectiveness - What Works Best, 2nd Edition

    • Corporate Governance and the Board - What Works Best

    • Independence and Objectivity: A Framework for Internal Auditors

    * * *

    Concluding Remarks

    The IIA supports the efforts of the SEC to improve corporate governance. Restoration of confidence must be founded on accepted principles of corporate governance that define the roles of directors, executives, internal auditors, and public accountants. The independence of the public accountant, as addressed in this proposed rule, is critical to making the overall process effective.

    In conclusion, The IIA's recommendations to the SEC are summarized as follows:

      1) In cases where audit clients are contemplating employment of members of the independent auditor's engagement team, we believe that the SEC rules should be amended to include the position of chief internal audit executive among the list of positions specifically proscribed for a one-year period preceding the date of the initiation of an audit.

      2) In addition to a one-year cooling off period, the audit committee should be charged with reviewing the potential employment of someone from the accounting firm to determine if any relevant factors might suggest that a longer period is necessary to assure a cooling of the former relationship.

      3) We believe that the rule should include a clear definition of internal auditing. The IIA has promulgated the most authoritative and widely recognized definition of internal auditing and supports it through a comprehensive framework of standards (Standards for the Professional Practice of Internal Auditing) and guidance (Practice Advisories). Our recommendation is that the SEC should adopt The IIA's definition of internal auditing and endorse The IIA's Standards for the Professional Practice of Internal Auditing for those providing internal auditing services.

      4) In reference to considerations by the SEC to adopt exceptions for limited internal audit services that could be performed by the firm that audits an organization's financial statements, the safest course of action is for the SEC to draw a "bright line" requirement that prohibits the conduct of any internal audit services. No exceptions, no loopholes, no ambiguous terms, and no materiality considerations for "discrete" items.

      5) The external auditor's independence is impaired if he or she conducts both the financial statement audit and internal auditing services, regardless of the size of the organization. If an organization is listed on a public exchange and accepts investors' money, then all listed companies should be required to conform to the same independence standards and there should be no exceptions for "small businesses."

      6) Since potential problems can surface in any area of an organization and can be found during any type of audit - financial, operational, compliance - situations that challenge independence can arise under any scenario. Major problems and potential conflicts of interest can arise in large and small businesses, financial and operational audits, all throughout an organization or in the smallest, most discrete segment of a business. For these reasons, independence safeguards should apply to all businesses, large and small alike, to every type of audit, and from total outsourcing of the entire internal audit function to performance of the smallest internal audit project.

      7) Rather than provide an exception for "...operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements", which would seem impossible to define, we suggest deleting reference to this point.

      8) The IIA believes that audit committees should be allowed to adopt operating policies that establish appropriate guidelines for contracting non-audit services. Requiring audit committee votes and approvals for each service or transaction is not reasonable or practical and would place the audit committee in a role similar to operating management. Audit committees should be able to adopt a policy to govern this activity and simply review overall compliance with the policy.

      9) Guidelines to facilitate communications and evaluations of auditor independence should be included in a properly developed audit committee charter.

    The IIA stands ready to participate with the SEC in the establishment of rules to implement the provisions of the Sarbanes-Oxley Act.

    Sincerely,

    William G. Bishop III, CIA

    Attachment 1

    Practice Advisory 2060-2: Relationship with the Audit Committee

    Interpretation of Standard 2060 from the Standards for the Professional Practice of Internal Auditing 

    Related Standard: 2060 - Independence and Objectivity

    The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management. 

    Nature of this Practice Advisory

    Internal auditors should consider the following suggestions regarding the relationship between the internal audit activity and the audit committee of the governing body. This guidance is not intended to represent all necessary considerations, but merely summarizes key information concerning appropriate relationships between audit committees and internal auditing.  Compliance with Practice Advisories is optional.

    1.       The term "audit committee," as used in this document, refers to the governance body that is charged with oversight of the organization's audit and control functions. Although these fiduciary duties are often delegated to an audit committee of the board of directors, the information in this Practice Advisory is also intended to apply to other oversight groups with equivalent authority and responsibility, such as trustees, legislative bodies, owners of an owner-managed entity, internal control committees, or full boards of directors.

    2.       The Institute of Internal Auditors recognizes that audit committees and internal auditors have interlocking goals. A strong working relationship with the audit committee is essential for each to fulfill its responsibilities to senior management, board of directors, shareholders, and other outside parties. This Practice Advisory summarizes The Institute's views concerning the aspects and attributes of an appropriate relationship between an audit committee and the internal audit function. The Institute acknowledges that audit committee responsibilities encompass activities that are beyond the scope of this advisory, and in no way intends it to be a comprehensive description of audit committee responsibilities.

    3.       There are three areas of activities that are key to an effective relationship between the audit committee and the internal audit function, chiefly through the Chief Audit Executive (CAE):

      • Assisting the audit committee to ensure that its charter, activities, and processes are appropriate to fulfill its responsibilities.

      • Ensuring that the charter, role, and activities of internal audit are clearly understood and responsive to the needs of the audit committee and the board.

      • Maintaining open and effective communications with the audit committee and the chairperson.

    Audit Committee Responsibilities

    1.       The CAE should assist the committee in ensuring that the charter, role and activities of the committee are appropriate for it to achieve its responsibilities. The CAE can play an important role by assisting the committee to periodically review its activities and suggesting enhancements. In this way, the CAE serves as a valued advisor to the committee on audit committee and regulatory practices. Examples of activities that the CAE can undertake are:

      • Review the charter for the audit committee at least annually and advise the committee whether the charter addresses all responsibilities directed to the committee in any terms of reference or mandates from the board of directors.

      • Review or maintain a planning agenda for the audit committee's meeting that details all required activities to ascertain whether they are completed and that assists the committee in reporting to the board annually that it has completed all assigned duties.

      • Draft the audit committee's meeting agenda for the chairman's review and facilitate the distribution of the material to the audit committee members and write up the minutes of the audit committee meetings.

      • Encourage the audit committee to conduct periodic reviews of its activities and practices compared with current best practices to ensure that its activities are consistent with leading practices.

      • Meet periodically with the chairperson to discuss whether the materials and information being furnished to the committee are meeting their needs.

      • Inquire from the audit committee if any educational or informational sessions or presentations would be helpful, such as training new committee members on risk and controls.

      • Inquire from the committee whether the frequency and time allotted to the committee are sufficient.

    Internal Audit Activity's Role

    1.     The CAE's relationship to the audit committee should revolve around a core role of the CAE ensuring that the audit committee understands, supports, and receives all assistance needed from the internal audit function. The IIA supports the concept that sound governance is dependent on the synergy generated among the four principal components of effective corporate governance systems: boards of directors, management, internal auditors, and external auditors. In that structure, internal auditors and audit committees are mutually supportive. Consideration of the work of internal auditors is essential for the audit committee to gain a complete understanding of an organization's operations. A primary component of the CAE's role with the committee is to ensure this objective is accomplished and the committee views the CAE as their trusted advisor. The chief audit executive can perform a number of activities to accomplish this role: 

      • Request that the committee review and approve the internal audit charter on an annual basis. (A model internal audit department charter is available on The Institute's Web site)

      • Review with the audit committee the functional and administrative reporting lines of internal audit to ensure that the organizational structure in place allows adequate independence for internal auditors. (Practice Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines)

      • Incorporate in the charter for the audit committee the review of hiring decisions, including appointment, compensation, evaluation, retention, and dismissal of the CAE. 

      • Incorporate in the charter for the audit committee to review and approve proposals to outsource any internal audit activities.

      • Assist the audit committee in evaluating the adequacy of the personnel and budget, and the scope and results of the internal audit activities, to ensure that there are no budgetary or scope limitations that impede the ability of the internal audit function to execute its responsibilities.

      • Provide information on the coordination with and oversight of other control and monitoring functions (e.g. risk management, compliance, security, business continuity, legal, ethics, environmental, external audit).

      • Report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution.

      • Provide information on the status and results of the annual audit plan and the sufficiency of department resources to senior management and the audit committee.

      • Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval as well as periodic updates.         

      • Report on the implementation of the annual audit plan, as approved, including as appropriate any special tasks or projects requested by management and the audit committee.        

      • Incorporate into the internal audit charter the responsibility for the internal audit department to report to the audit committee on a timely basis any suspected fraud involving management or employees who are significantly involved in the internal controls of the company. Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the audit committee of the results. 

      • Audit committees should be made aware that quality assessment reviews of the internal audit activity be done every five years in order for the audit activity to declare that it meets The IIA's Standards for the Professional Practice of Internal Auditing (Standards).  Regular quality assessment reviews will provide assurance to the audit committee and to management that internal auditing activities conform to Standards.

    Communications with the Audit Committee

    1.     While not to diminish any of the activities noted above, in a large part the overall effectiveness of the CAE and audit committee relationship will revolve around the communications between the parties. Today's audit committees expect a high level of open and candid communications. If the CAE is to be viewed as a trusted advisor by the committee, communications is the key element. Internal auditing, by definition, can help the audit committee accomplish its objectives by bringing a systematic, disciplined approach to its activities, but unless there is appropriate communications, it is not possible for the committee to determine this. The chief audit executive should consider providing communications to the audit committee in the following areas.

      • Audit committees should meet privately with the CAE on a regular basis to discuss sensitive issues.

      • Provide an annual summary report or assessment on the results of the audit activities relating to the defined mission and scope of audit work.

      • Issue periodic reports to the audit committee and management summarizing results of audit activities.         

      • Keep the audit committee informed of emerging trends and successful practices in internal auditing.         

      • Together with external auditors, discuss fulfillment of committee information needs.

      • Review information submitted to the audit committee for completeness and accuracy.

      • Confirm there is effective and efficient work coordination of activities between internal and external auditors. Determine if there is any duplication between the work of the internal and external auditors and give the reasons for such duplication.

    Copyright © 2002 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Under copyright laws and agreements, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means - electronic, mechanical, photocopying, recording, or otherwise - without prior written permission of the publisher.

    December 3, 2002

  • Can an external auditor rely on an internal auditor's work?

    The external auditor can use internal auditors who may have relevant expertise in particular areas, and the external audit team can focus on the more significant audit issues.

    In which of the following areas can external auditors rely on internal auditors' work in auditing internal controls?

    Testing of low-risk internal control activities.

    Is it wise for external auditors to use the work of others (internal auditors and experts) for audit purposes?

    Internal auditors are employees of the business. If external auditors rely on the work of internal auditors, there is a potential that it could result in a threat to the independence of the external auditors which is an ethical issue.

    Can a statutory auditor rely on an internal auditor?

    The statutory auditor, who is external to the company, used to rely on the assertions of the internal auditor.