Professional Documents
Culture Documents
SUPPLEMENT ONE
2 Main considerations
The Audit Charter
This sets out the role and objectives of internal audit and is at the core of the delivery of audit services.
This is the starting place for a new audit function. Apart from basic material included in this
supplement there are also other issues with a fundamental effect on the direction of the new audit
service as to whether:
1. Internal audit reports to the organisation (the audit committee), or management (say the Chief
Executive).
2. Internal audit reports on the organisation (i.e. issues a formal annual audit report), or reports the
results of individual audits.
3. Internal audit will act as a consultancy based service directed by managers who finance the
function and request specific reviews.
4. There are any restrictions on audit access.
5. Audit powers are permanent and provided through the highest decision-making forum in the
organisation.
The charter represents the hopes and aspirations of the internal audit function and it is important that
it is designed to support the delivery of professional audit services. If there are problems at this stage,
it is unlikely that a successful audit function will develop in the future.
Audit standards
Training
A training budget is essential for the newly formed internal audit unit. This covers the types of
training that will be undertaken by both senior and junior staff. We must not make the mistake of
assuming that experience can simply be bought in. These people may not be available and it is at
times better to employ people who are not yet set in the way they perform audit work. A good mix of
experienced and less experienced auditors will provide the best cost/service profile that a competitive
audit service must strive to achieve. As a final point, bearing in mind that training is dealt with
elsewhere in the handbook, do not resource training as a one-off effort. It must consist of an ongoing
programme that evolves as the needs of the audit function change over time.
Computer audit
One matter that should be high on the agenda for the CIA when designing the new internal audit
service relates to computer audit. There are several approaches:
1. Create a specialist unit of say two (or three) computer auditors.
2. Employ computer auditors and locate them throughout internal audit.
3. Employ an IT “Guru” who is available to help and assist audit staff.
4. Assimilate computer audit expertise throughout the internal audit unit by ensuring that all auditors
have a good appreciation of IT and related skills and techniques.
5. Rely on the organisation’s computing department to provide backup and support.
Computer audit expertise may be acquired at recruitment stage (at premium rates), seconded in or
developed on an incremental basis by training and development. There are pros and cons for each
2
SUPPLEMENT ONE ESTABLISHING A NEW AUDIT FUNCTION
approach. Computer audit is about performing audits of IT systems while also providing an input into
internal audit’s own IT strategy. Extensive reliance on the organisation’s IT department promotes
good working relationships but at the same time impairs our ability to audit this department. It means
that information may not be secured independently by internal audit, but obtained third-hand by IT or
operational staff. Many of these arguments apply equally to the provision of a contract audit service.
The CIA must be wary of creating an elite section within internal audit that are paid more for IT skills
which may become potentially uncontrollable. One useful technique that can be used where auditors
do not possess the required IT skills is to second a member of the computing department into internal
audit to provide backup and support. If this secondment works out, we would seek to develop basic
auditing skills and make the secondment permanent. The CIA must publish and implement an IT
strategy that covers the information needs of internal audit over the next few years.
Fraud work
There is a need to define a clear policy on the detection and investigation of fraud and irregularities.
The CIA would have to draft a policy document that deals with a number of related issues:
• Management’s responsibilities to investigate frauds and ensure that they are fully resolved.
• The internal audit role in supporting management.
• Management’s responsibilities to establish suitable controls that guard against fraud and
irregularity. There is a distinct need for controls that isolate instances where frauds occurred.
• The internal audit role in supporting management.
• Management’s responsibilities to take positive action where it has reason to believe that a fraud
has occurred.
• The internal audit role in supporting management.
• Key contacts in the organisation who deal with police and high-level reports on material fraud.
The CIA should take the initiative in helping to set standards. Clarifying who does what forces the
organisation to address responsibilities and procedures.
Business planning
The new CIA should devise and publish a business plan that covers the internal audit unit. This will
direct the internal audit function over the next few years and show how resources will be applied to:
• Defined organisational control issues.
• Outline allocation of audit resources.
• Human resource development plan.
• Information systems strategy.
• A marketing strategy.
This activity is a key role undertaken by the CIA, and should consume much of his/her working hours.
Structuring has been dealt with elsewhere.
Audit services
One question to be tackled early on in the life of the newly formed unit is related to the type of
services that will be provided by internal audit. We turn to the list of options:
• Systems based audits of financial areas.
• Systems based audit of all services.
• Probity audits derived from a programme of testing routines throughout the organisation. These
may or may not have a financial bias.
• Special investigations commissioned by senior management.
• Fraud investigations.
• Value-for-money studies that seek to identify areas for savings/less waste.
• Consultancy projects that support important organisational developments such as a new computer
system or major restructuring exercise.
• External audit type roles where specific financial accounts are certified.
It is incumbent upon the CIA to decide the best way to discharge the audit role and which services will
be provided and to which degree. It is possible to break down the audit role into two:
1. Systems based audit of all services: financial, operational, strategic and automated systems.
2. Consultancy projects requested by management into regularity, compliance, VFM, management
development and others.
Budgets
Whilst the CIA must seek to negotiate an adequate budget, there is little scope to secure extensive
funding at the outset. As the internal audit service is developed and grows, we would expect the
budget to receive greater support from the organisation and so promote a clear growth. This is not to
say that we would wish to secure as much funding as possible, since the more expensive the unit, the
greater the re-charge and cost to clients. Going back to an earlier point where internal audit was
broken down into audit services and consultancy services, we can protect the budget for audit services
by making the audit committee the client. Consultancy services may be directly re-charged (on a
project basis) to management. It goes without saying that the CIA should exercise good budgetary
control in spending decisions and keeping a balanced account.