SUPPLEMENT ONE ESTABLISHING A NEW AUDIT FUNCTION

THE INTERNAL AUDITING HANDBOOK

SUPPLEMENT ONE

ESTABLISHING A NEW AUDIT FUNCTION

1 Introduction
Legislation and/or internal pressures can lead to a demand for internal audit where this has not
existed before. Calls for enhanced corporate governance can make secure systems of control an
organisational issue to be addressed through establishing an audit committee. Research has shown
that the audit committee, even where primarily concerned with external audit, will mature and
concentrate more on internal audit. The situation where a newly formed internal audit function has to
be developed is not unusual and we cover this. Issues include:
• The audit charter.
• Audit standards.
• The code of conduct.
• Recruitment and selection.
• Training.
• The general survey.
• Computer audit.
• Fraud work.
• The use of systems based audits.
• Business planning.
• Probity work.
• The IT strategy.
• The audit manual.
• Audit services.
• Service level agreements.
• Budgets.
• Structures.

2 Main considerations
The Audit Charter
This sets out the role and objectives of internal audit and is at the core of the delivery of audit services.
This is the starting place for a new audit function. Apart from basic material included in this
supplement there are also other issues with a fundamental effect on the direction of the new audit
service as to whether:
1. Internal audit reports to the organisation (the audit committee), or management (say the Chief
Executive).
2. Internal audit reports on the organisation (i.e. issues a formal annual audit report), or reports the
results of individual audits.
3. Internal audit will act as a consultancy based service directed by managers who finance the
function and request specific reviews.
4. There are any restrictions on audit access.
5. Audit powers are permanent and provided through the highest decision-making forum in the
organisation.

The charter represents the hopes and aspirations of the internal audit function and it is important that
it is designed to support the delivery of professional audit services. If there are problems at this stage,
it is unlikely that a successful audit function will develop in the future.

Audit standards

© Spencer Pickett 1997 1

The CIA has to decide on two types of standards before the new audit function can be developed -
professional and operational standards. The former may be based on those provided by a professional
auditing body. It is inappropriate to adopt professional standards if staff are unable to pass the
qualifying examinations and become members of this professional body. By definition one could not
guarantee that these standards could be achieved (when using unqualified auditors). Operational
standards are more readily achievable since they represent a local interpretation of the professional
base. These will have to be agreed by the CIA as they will set the tone for audit work. This impacts on
recruitment as high standards mean that experienced and capable staff will have to be appointed if
they are to comply with, and build on, these standards.

The code of conduct

Another consideration when setting up a new audit service is whether to set standards of conduct
before recruiting staff. This is an ideal opportunity where people join only if they feel they can meet
the high standards. Once in post it is difficult to impose new requirements. We would look for all the
attributes of honesty, integrity, commitment, loyalty, and confidentiality. This enables us to test these
factors (wherever possible) when recruiting staff. We could check for criminal records and make
detailed enquiries when seeking personal references. We may build in a dress code and special rules
on behaviour (say smoking or alcohol consumption).

Recruitment and selection

It is essential that the “rounded person” is acquired with a whole package of attributes. Training can
only go so far, and we are not talking only about formal qualifications and experience. People who can
team build, who communicate well and have a sincere belief in their work are real assets. Those who
can develop junior staff and get on well with their colleagues make the role of the CIA more bearable.
Reliable individuals who do not gossip or try to “beat the system” should be sought. Suitable
recruitment policies and procedures are essential although where there is scope to head-hunt, this may
be considered. Personal recommendations are another way of getting the right staff, although we must
at all times fall in line with organisational policies. We must make sure that we can get rid of staff
who are unable to pass their auditing examinations.

Training
A training budget is essential for the newly formed internal audit unit. This covers the types of
training that will be undertaken by both senior and junior staff. We must not make the mistake of
assuming that experience can simply be bought in. These people may not be available and it is at
times better to employ people who are not yet set in the way they perform audit work. A good mix of
experienced and less experienced auditors will provide the best cost/service profile that a competitive
audit service must strive to achieve. As a final point, bearing in mind that training is dealt with
elsewhere in the handbook, do not resource training as a one-off effort. It must consist of an ongoing
programme that evolves as the needs of the audit function change over time.

The general survey

This is an important part of the development of a new audit function. The general survey represents
the justification for the new service in that it defines those areas that should be subject to audit
coverage. It consists of the ongoing analysis of control needs of the organisation with a view to
assigning audit resources. The survey directs resources in the right way and should be carried out
early on in the process of establishing internal audit. It may not be possible to perform a feasibility
study on the need for introducing internal audit without first carrying out this exercise. So long as it is
done before significant resources have been acquired, then this will probably be acceptable. This is
why it is good practice to recruit a good CIA in advance of resourcing the new unit, so that this
background work may be completed before we commit any resources.

Computer audit
One matter that should be high on the agenda for the CIA when designing the new internal audit
service relates to computer audit. There are several approaches:
1. Create a specialist unit of say two (or three) computer auditors.
2. Employ computer auditors and locate them throughout internal audit.
3. Employ an IT “Guru” who is available to help and assist audit staff.
4. Assimilate computer audit expertise throughout the internal audit unit by ensuring that all auditors
have a good appreciation of IT and related skills and techniques.
5. Rely on the organisation’s computing department to provide backup and support.

Computer audit expertise may be acquired at recruitment stage (at premium rates), seconded in or
developed on an incremental basis by training and development. There are pros and cons for each

2
SUPPLEMENT ONE ESTABLISHING A NEW AUDIT FUNCTION

approach. Computer audit is about performing audits of IT systems while also providing an input into
internal audit’s own IT strategy. Extensive reliance on the organisation’s IT department promotes
good working relationships but at the same time impairs our ability to audit this department. It means
that information may not be secured independently by internal audit, but obtained third-hand by IT or
operational staff. Many of these arguments apply equally to the provision of a contract audit service.
The CIA must be wary of creating an elite section within internal audit that are paid more for IT skills
which may become potentially uncontrollable. One useful technique that can be used where auditors
do not possess the required IT skills is to second a member of the computing department into internal
audit to provide backup and support. If this secondment works out, we would seek to develop basic
auditing skills and make the secondment permanent. The CIA must publish and implement an IT
strategy that covers the information needs of internal audit over the next few years.

Fraud work
There is a need to define a clear policy on the detection and investigation of fraud and irregularities.
The CIA would have to draft a policy document that deals with a number of related issues:
• Management’s responsibilities to investigate frauds and ensure that they are fully resolved.
• The internal audit role in supporting management.
• Management’s responsibilities to establish suitable controls that guard against fraud and
irregularity. There is a distinct need for controls that isolate instances where frauds occurred.
• The internal audit role in supporting management.
• Management’s responsibilities to take positive action where it has reason to believe that a fraud
has occurred.
• The internal audit role in supporting management.
• Key contacts in the organisation who deal with police and high-level reports on material fraud.

The CIA should take the initiative in helping to set standards. Clarifying who does what forces the
organisation to address responsibilities and procedures.

Business planning
The new CIA should devise and publish a business plan that covers the internal audit unit. This will
direct the internal audit function over the next few years and show how resources will be applied to:
• Defined organisational control issues.
• Outline allocation of audit resources.
• Human resource development plan.
• Information systems strategy.
• A marketing strategy.

This activity is a key role undertaken by the CIA, and should consume much of his/her working hours.
Structuring has been dealt with elsewhere.

Audit services
One question to be tackled early on in the life of the newly formed unit is related to the type of
services that will be provided by internal audit. We turn to the list of options:
• Systems based audits of financial areas.
• Systems based audit of all services.
• Probity audits derived from a programme of testing routines throughout the organisation. These
may or may not have a financial bias.
• Special investigations commissioned by senior management.
• Fraud investigations.
• Value-for-money studies that seek to identify areas for savings/less waste.
• Consultancy projects that support important organisational developments such as a new computer
system or major restructuring exercise.
• External audit type roles where specific financial accounts are certified.

It is incumbent upon the CIA to decide the best way to discharge the audit role and which services will
be provided and to which degree. It is possible to break down the audit role into two:
1. Systems based audit of all services: financial, operational, strategic and automated systems.
2. Consultancy projects requested by management into regularity, compliance, VFM, management
development and others.

© Spencer Pickett 1997 3

There is a knock-on effect on the adopted strategy, structure and approach to audit work.

Budgets
Whilst the CIA must seek to negotiate an adequate budget, there is little scope to secure extensive
funding at the outset. As the internal audit service is developed and grows, we would expect the
budget to receive greater support from the organisation and so promote a clear growth. This is not to
say that we would wish to secure as much funding as possible, since the more expensive the unit, the
greater the re-charge and cost to clients. Going back to an earlier point where internal audit was
broken down into audit services and consultancy services, we can protect the budget for audit services
by making the audit committee the client. Consultancy services may be directly re-charged (on a
project basis) to management. It goes without saying that the CIA should exercise good budgetary
control in spending decisions and keeping a balanced account.

The launch of the new service

The new service must be introduced to the organisation. The best way to view this is in terms of
launching the service, using all the well known devices that this entails, without going to the extreme.
A good way to do this is to undertake presentations to senior management and the audit committee as
well as preparing the all-important audit brochure for wide distribution.

The audit manual

We have kept the audit manual as the last topic to be dealt with when setting up a new internal audit
department. The extreme view of the audit manual is that of a process that forces audit management
to document its objectives, policies, and procedures in a formal and publicised fashion. Most of the
matters mentioned above will be documented in a section of the audit manual and there is nothing
wrong with allowing this document to grow as the audit unit develops. There are parts of the manual
that may be written before the service is established. The CIA may have several months to define what
is expected from internal audit and how the services should be delivered before staff are brought in.
The manual will change and adapt as the new audit function materialises.