
Auditing Best Practice

What Is the Range of the Internal Auditor’s Work?

by Andrew Cox

What Influences the Type of Work?

The range and type of the internal auditor’s work depend on a number of factors:

The mandate for internal audit contained in the internal audit charter: This is what the audit committee and the organization want internal audit to do. Although ideally this should include both assurance services and consulting services, it is true to say that some audit committees and management believe that internal audit should not stray from its roots of providing assurance, so in some organizations the internal audit charter has focused only on the provision of assurance services. This attitude peaked following the corporate collapses of the 1990s. However, more enlightened audit committees and management of today seek a more comprehensive internal auditing service for the organization. This has the potential to add a lot of value, rather than just reporting what is wrong in compliance and financial areas.

To whom the chief audit executive reports: The chief audit executive should report to the audit committee functionally and for operations, and to the chief executive officer for administration. Where a chief audit executive has other reporting arrangements—for example to a chief executive officer for operations and administration, or worse, to a chief financial officer—there is a risk that internal audit may lose a measure of its independence. This has the potential to impact negatively on the range and type of work to be performed by internal audit.

The capability and skills of the internal auditors: As the work of internal audit moves toward more difficult methods of operating, the complexity of internal audit work increases. This means that the capability and skills of the internal auditor need to be greater, and many internal auditors see this as a quantum leap so great that they prefer to remain comfortable where they are.

Any legislative or regulatory requirements of internal audit: Internal audit will nearly always have a role in providing assurance of legislative and regulatory compliance; this is an important role that should never be forgotten.

Case Study

Designing a Comprehensive Internal Audit Plan

A large public sector organization with a significant commitment to internal auditing provided sufficient funds to resource an internal audit function of 25,000 audit hours each year. The audit committee wanted an annual internal audit plan of work that provided assurance and examined how well the organization was operating, but which was also responsive to the changing needs and risks of the organization. The risk-based annual internal audit plan of work that the chief audit executive designed to achieve this is summarized in Table 4.

Table 4. The chief audit executive’s risk-based annual internal audit plan

Hours in the four schedule columns are shown as assurance / consulting.

| Audit type | Cyclical 12 months scheduled hours | Rolling 6 months scheduled hours | Rolling 3 months reserve hours | Rolling 3 months unassigned hours | Annual total hours |
| Compliance (assurance / consulting) | 6,000 / 0 | 0 / 0 | 0 / 0 | 0 / 0 | 6,000 |
| Financial (assurance / consulting) | 750 / 250 | 2,500 / 0 | 1,000 / 0 | 500 / 0 | 5,000 |
| IT (assurance / consulting) | 3,000 / 3,000 | 0 / 0 | 0 / 0 | 0 / 0 | 6,000 |
| Performance (assurance / consulting) | 0 / 500 | 0 / 2,500 | 0 / 1,000 | 0 / 1,000 | 5,000 |
| Internal audit planning | 500 | 0 | 0 | 0 | 500 |
| Audit monitor and follow-up | 500 | 0 | 0 | 0 | 500 |
| Audit committee | 500 | 0 | 0 | 0 | 500 |
| External audit coordination | 1,500 | 0 | 0 | 0 | 1,500 |
| Total | | | | | 25,000 |

Rather than have a static annual internal audit plan, the plan shown in the table was designed to cover an 18-month period with a refresher every six months so that workflows could be smoothed and work allocated to internal auditors continuously. The plan encompassed the following areas:

  • Cyclical 12 months scheduled: For high-risk areas worthy of annual internal audit attention.

  • Rolling 6 months scheduled: Higher-risk areas scheduled for periodic or one-off internal audits.

  • Rolling 3 months reserve: Areas held in reserve in case of postponement or cancellation of other internal audits.

  • Rolling 3 months unassigned: Reserved for on-demand internal audits initiated by management for emerging business issues and risks.

Conclusion

The range and type of the internal auditor’s work depend on a number of factors:

  • The mandate for internal audit contained in the internal audit charter.

  • What the audit committee wants internal audit to do, and how enlightened it is.

  • What management wants internal audit to do.

  • To whom the chief audit executive (head of internal audit) reports.

  • The capability and skills of the internal auditors.

  • Any legislative or regulatory requirements of internal audit.

Making It Happen

The chief audit executive should look to his or her audit committee and management for guidance on the range and type of work to be performed by the internal audit function. However, the chief audit executive, as an internal audit professional, should be using his or her knowledge and experience to identify and influence the formulation of a risk-based internal audit plan of work that best provides for the needs of the organization. This is likely to be a blended plan of internal audit work that encompasses both assurance services and consulting services:

Assurance Services

  • Part of the overall internal audit plan of work.

  • Annual or longer-term focus.

  • Risk-based.

  • May include cyclical internal audits of higher-risk areas.

  • Need to consider legislative and regulatory requirements.

  • Need to consider external audit to avoid duplication of audit effort.

  • Estimated hours for audit topics assessed from previous internal audits (structured gut feel).

  • Focus on compliance, financial issues and risks, financial controls, and IT reviews.

Consulting Services

  • Part of the overall internal audit plan of work.

  • Flexible, rolling focus—rather than fixed in time.

  • Risk-based and customer-focused.

  • If limited previous data are available, estimate hours needed for internal audit topics on the basis of the best available information and past experience (unstructured gut feel).

  • Focus on current and emerging business issues and risks, and system under development reviews.
