1Understandinginternal audit2345678910 11 12 13 14 15 16 17 18 19 20Audit committees have an essential role to playin ensuring the integrity and transparency ofcorporate reporting.ContactsThe PwC Audit Committee Guide is designedto help members of the audit committee workthrough their maze of responsibilities in apractical manner.82

12345678910 11 12 13 14 15 16 17 18 19 20Understanding internal auditAudit committees have an essential role to play in ensuring the integrityand transparency of corporate reporting.The PwC Audit Committee Guide is designed to help members of theaudit committee work through their maze of responsibilities in apractical manner.The guide consists of: Introduction Setting up the audit committee Financial reporting: Reviewingfinancial information Risk management & internal control Working with the external auditorFinancial reportingRisk management &internal controlExternal audit Understanding of key risk areas Effectiveness of controls Fraud riskAudit committees:Areas of focusAppointment and remunerationScope of workIndependence requirementsSignificant audit findings/recommendationsReviewing the performance of external auditorsInternal audit Charter, authority and resourcesScope of workInternal audit effectivenessResponses to internal auditrecommendations Understanding internal audit Maintaining & measuringeffectiveness Communicating & reporting Ethical, regulatory &compliance mattersContacts Appropriateness of accounting policies Disclosure requirements Fairness and balance of MD&A/operating review GAAP conversion Compliance frameworks The audit committee’s role in‘fit and proper’ requirements forfinancial services entities Materiality in auditsMaintaining& measuringeffectiveness Training needs Maintaining financial literacy Annual performance evaluationof audit committeeUnderstanding internal auditCommunicating &reportingRegulatory, compliance& ethical matters Relations with management Updates and recommendationsto the fullboard Reports to the board andshareholders Effectiveness of system forensuring compliance with lawsand regulations Code of conduct/ethics WhistleblowingWe hope you will find this guide ofvalue to your important role. If youwould like to provide any feedback,or if you need more information,call your usual PwC contact.83

12345678910 11 12 13 14 15 16 17 18 19 20Understanding internal auditA strong, positive relationship with internal audit can give auditcommittee members an insight into control elements relevant totheir work.ContactsCompanies and boards are responsible for the risks a business faces andthe controls it has adopted to mitigate those risks. An internal audit functionis intended to provide assurance to the board and management aboutthe way the company is managing risks and controls as they relate to theorganisation’s business objectives.The Institute of Internal Auditors – Australia (IIA) defines internal auditingas “an independent, objective assurance and consulting activity designedto add value and improve an organisation’s operations. It helps anorganisation accomplish its objectives by bringing a systematic, disciplinedapproach to evaluate and improve the effectiveness of risk management,control, and governance processes.”Understanding internal audit84

12345678910 11 12 13 14 15 16 17 18 19 201. Internal audit and the audit committeeThe internal audit function can be an important source of information and advicefor the audit committee. It is therefore imperative that there be a strong relationshipbetween them.ContactsMany audit committees report they find value in ensuring there is an open lineof communication between the committee and the internal audit function. Somecompanies require the head of internal audit to report directly to the audit committee,rather than to management. Others keep the management line of reporting, butrequire the head of internal audit to meet with the audit committee (or chairman)regularly, including, at times, without management present.The audit committee chairman and the head of internal audit should have regularcontact outside audit committee meetings. This ensures that the head of internalaudit can talk directly to a non-executive about operational or management issuesthat may arise. The audit committee should also encourage a positive relationshipbetween internal audit and the external auditor, to ensure a productive workingrelationship between them.If a company does not have an internal audit function, it is a responsibility of the auditcommittee to consider, in conjunction with the board or senior management, whethersuch a function would benefit the company.Understanding internal audit85

12345678910 11 12 13 14 15 16 17 18 19 202. Charter and authorityAn audit committee is only as good as its members. As existingindependent non-executive directors, all audit committee members willhave, or be able to attain, the qualities and skills required to add valueto the role. These include the qualities set out under Qualifications laterin this section.To be effective, an internal audit department must have the support of management and the board.This means not only that management and the board must provide the right resources, time andauthority, but also that internal audit must have a comprehensive mandate in the form of a charter.The charter and authority, in turn, can provide the audit committee with a clear understanding ofinternal audit activities, functions and organisational structure.The role of internal audit will depend on the individual company’s requirements. The auditcommittee needs to consider whether the charter sets out the internal audit responsibilities clearlyand whether these meet the company’s needs. When evaluating the charter, the audit committeeshould consider the following:ContactsAn internal audit charter sets out the roles, responsibilities, authority and reporting requirementsof the internal audit function. The charter will vary from company to company. An example of aninternal audit charter is provided in Appendix A to this section. Does the charter clearly articulate the scope of work internal audit will perform and as agreedby the audit committee? Does internal audit have appropriate authority to undertake its responsibilities? Does the charter outline the reporting lines of the internal audit department? If so, are thesesufficient to meet the needs of audit committee members? Does the charter require the head of internal audit to meet regularly with the audit committeewithout management present, or does it provide direct access to the audit committee chairman? What relationship will internal audit have with other assurance providers? When was the charter last reviewed and updated? Has it kept pace with the company’s activitiesand changes to the compliance/regulatory environment? Does the charter outline the standards under which internal audit will operate? For example,the IIA Standards for the Professional Practice of Internal Auditing (IIA Professional Standards).Understanding internal audit86

12345678910 11 12 13 14 15 16 17 18 19 203. ResourcingThe audit committee can play an important role in focusing attention onthe adequacy of the internal audit department’s resources.SkillsAlso important are the personal qualities of the internal audit staff and how theyinteract with the company.ContactsThe audit committee should consider the internal audit department’s size and skillset in the context of the business environment in which the company operates. Forexample, important attributes could include computer and systems experience,treasury experience and foreign language skills.The need for good relationships between the internal auditor and the managementand staff of the company has to be balanced with the need to remain impartial andmaintain a professional scepticism in the internal auditor’s role as business partner.The audit committee will require the internal audit function to ‘call it as they see it’,and to make the committee aware of key control breakdowns and actions to correctthem. As this may involve explicit or implicit criticism of management, internal auditstaff will need the right mix of technical and ‘soft skills’ training to enhance theireffectiveness.Following the advent of Sarbanes-Oxley in the USA19 and other corporategovernance requirements, there is a high demand for people who are skilledin assessing risks and controls, and this may place pressure on the ability oforganisations to hire suitable internal audit staff who have these skill sets.19. Public Company Accounting Reform and Investor Protection Act 2002.Understanding internal audit87

12345678910 11 12 13 14 15 16 17 18 19 203. ResourcingHead of internal auditAssessing the resourcing of internal auditThese constraints and pressures place additional emphasis on the quality of the headof internal audit. This person will need to be a strong individual, able to balancedemands and challenges and to manage staff effectively. Given this profile, the auditcommittee should take responsibility for reviewing or approving the appointment,replacement or dismissal of the head of internal audit.Typical questions to ask concerning resourcing include those set out below.OutsourcingDue to the complexities of running an internal audit function, some companieschoose to outsource the activity. Outsourcing the internal audit function is a popularoption because it: provides a solution to the difficulties faced by companies of all sizes in retainingspecialist auditors provides a window to better practice methods that smaller departmentscannot access can increase internal audit’s independence from operational management.External expertsWhere necessary, the internal audit function will need to employ other skills;for example occupational health and safety and IT expertise. In these instancesthe internal audit department might engage experts, either from within or outsidethe organisation. Where external experts are required regularly, large internal auditdepartments are increasingly choosing to develop strategic alliances with externalproviders. These alliances give the department access to experts who understandtheir industry and organisation, as well as access to best practice internal auditknowledge and specialist skills from one provider.Who to askResponse to look forDo you have sufficientresources to completethe internal audit plan?Head of internal auditYes. If the answer isno, determine whatplans are in place toachieve and maintainappropriate resourcing.What is the mix ofresources in internalaudit? (ie in-house vsexternal staff/experts)Head of internal auditAppropriate mix todeliver best result. Themix of resources is clearlylinked to the charter andresponsibilities and hasbeen properly costed.What training programdoes the internal auditdepartment have?Head of internal auditNecessary training tomaintain qualificationsand ‘soft skills’ andto keep up to date onemerging trends.Is there a successionplan for the head ofinternal audit?Head of internal audit,CEO and CFOYes – and there is anappropriate program inplace to prepare potentialfuture leaders.How many vacanciesexist? (Also consider howlong any vacancies haveremained unfilled.)Contacts provides access to a wider range of skills than small, traditional departments cansupportKey questionsIf this is considered a suitable approach, the internal audit function will need to havethe authority to implement it. Usually the audit committee will approve – or, at aminimum, review – such alliances.Understanding internal audit88

12345678910 11 12 13 14 15 16 17 18 19 204. Internal audit’s scope of workThe scope of work of an internal audit department varies significantlydepending on its mandate, the industry within which it operates, theskills of the staff and the existence of other assurance providers inthe organisation.The scope of work of an internal audit department varies significantly depending on its mandate,the industry within which it operates, the skills of the staff and the existence of other assuranceproviders in the organisation. The scope of work may include: financial controls assurance monitoring of risk management implementation IT controls assuranceContacts operational auditing (eg reviews of areas other than finance such as logistics orproduction planning) project management assurance special investigative and ad hoc reviews (eg investigations of suspected fraud).Assessing internal audit’s scope of workThere are some general factors that are relevant to the work of an internal audit function. These canbe used as pointers when assessing the scope of work.1. Balanced relationship with managementInternal auditors should not allow management to inappropriately influence the scope of reviewsand internal audit findings, and should challenge management ‘bullies’. Ensuring that the scopeof the audit is clearly defined and properly communicated to all concerned is a major step towardstransparent outcomes.Understanding internal audit89

12345678910 11 12 13 14 15 16 17 18 19 204. Internal audit’s scope of work2. End-to-end auditsEnd-to-end auditing may be needed where a process crosses over business units,thereby splitting management responsibilities. Walk-throughs and flowcharts areimportant techniques for examining the entire process chain and ensuring thatimportant controls do not ‘fall between the cracks’. When performing end-to-endaudits, the scope should include the facility for these techniques, as well as checksof both manual and automated controls.3. Devil in the detail4. Areas selected for attentionInternal auditors should not ignore remote or niche parts of the business becauseof their relative size. Areas where performance appears too good to be true oris outside expectations should be a particular focus of tests. An adequate riskassessment process should be undertaken to ensure that the internal audit planis properly focused on the key risks affecting the organisation.5. Fraud prevention and incident management strategiesAuditing fraud risks requires specialist skills and a tailored approach. Typical toolsthat should be used by internal auditors include data mining and analysis tools, andspecially built computer-assisted audit tools (CAATs). These tools aid the accurateanalysis and detection of unusual activity. Such tools can also create efficiencies asthey can interrogate large amounts of data faster than manual testing methods.Fraud and related incidents occur in most organisations and internal audit shouldbe involved in managing such incidents. Internal audit should consider whetherspecialists are required to conduct or assist in the investigation. Such specialistassistance can include interviewers, forensic data specialists, lawyers andother experts.Understanding internal auditKey questionsWho to askResponse to look forWhat percentage of theaudit plan is dedicatedto financial assurancereviews, operationalreviews etc?Head ofinternal auditAn adequate explanationconcerning the key focus areasfor internal audit, including acomparison to previous yearsand consideration of niche orhigh-performing areas.Head of internalaudit, CEOand CFOA clear explanation of the riskassessment process used to developthe plan, as well as evidence ofadequate, but not domineering,involvement of management.Head of internalaudit, CEOand CFOA clear explanation that the risksidentified in implementing therisk management framework– including direct links to theorganisation’s key risks andrisk management policy – havebeen incorporated into theplanning process.How does this compare toprevious years?How did you developthe plan and prioritisethe audits?What involvement didmanagement have?How have you integratedthe organisation’s riskmanagement frameworkand key risks into theinternal audit plan?ContactsWith new regulations such as Sarbanes-Oxley in force, there is little room forbudget- driven shortcuts. Businesses should be prepared for internal auditors totest internal controls in detail. Appropriate documentation and sampling standardsshould be consistently employed throughout the internal audit department.Organisations should also have an incident management plan detailing the actionsthat need to be taken should a fraud incident occur. This plan should cover detailssuch as legal and HR consultation, the engagement of specialists, communicationprotocols and reporting processes. When overseeing the scope of work of internalaudit, the audit committee will need to bear these matters in mind. Typical questionsthat will help assess these matters include those set out in the following table.90

12345678910 11 12 13 14 15 16 17 18 19 204. Internal audit’s scope of workKey questionsWho to askResponse to look forWhich risks identifiedas part of implementingthe risk managementframework arenot addressed byinternal audit?Head of internalaudit, CEOIdentification of those risks notaddressed by any assurancegroup, and the reasons why not.What are the topfive reviews of yourassessment process thatdid not make it into thisyear’s plan?Head ofinternal auditA discussion of those reviews that‘just’ missed out on this year’splan. There may be justificationfor conducting these reviews andre-prioritising.Have you been involvedin any ad hoc or specialinvestigative reviewssince we last met?Head ofinternal auditA discussion about the reasonsfor, who requested, and the impacton the internal audit plan of, anyad hoc assignments. The processfor approving these assignmentsshould be discussed. Generally theaudit committee should be at leastaware of these in advance.Head ofinternal auditEvidence that there is a system foridentifying frauds (see the Ethical,regulatory & compliance matterssection), that internal audit activitywas within a reasonable time ofthe fraud being reported, and thatall reports were fully investigated,regardless of size.Are they addressedby other assuranceproviders? If not,why not?Were any fraudsidentified during theperiod under review?If so, was the internalaudit function promptlyadvised and involved inany investigation?Understanding internal auditContactsIf so, what impact willthis have on the internalaudit plan?91

12345678910 11 12 13 14 15 16 17 18 19 205. Responses to internal audit recommendationsMany audit committees follow up on how theinternal audit function’s recommendationshave been dealt with by management. Thisprovides them with an insight into the role andeffectiveness of the internal audit function andalso some understanding of management’sattitude to internal audit.Following are some sample questions to ask the internal audit head regardingpreviously reported internal audit findings.Response to look forIn the reports you are presentingat this audit committee meeting,has management agreed to allfindings reported?Yes. If the answer is no, appropriatereasons are required.Are management’s proposedYes. Timeframes to action findings shouldresolution dates appropriate tobe commensurate with the risk/exposureaddress the risks in a timely manner? of the finding.How long has it taken foryou to finalise each of thereports presented?An explanation for any undue delays.The time it takes to finalise a report isoften a sign of pushback frommanagement.In your professional opinion, areYes. If the answer is no, the findings inmanagement’s reasons for notquestion should be discussed and a revisedactioning findings by their resolution deadline for action/follow-up appropriate?What process do you undertake toconfirm that agreed actions havebeen implemented?ContactsAny recommendations or agreed actions not implemented by management shouldbe reported to the audit committee, especially where there is a risk of exposure.Reasons for any actions being resolved and revised resolution dates should also bereported. If the reasons provided are unacceptable, requests for further informationfrom management should be made.Key questionsInternal audit cannot physically verify allprevious findings. At a minimum, the nextvisit/audit scope should include the followup of previous findings.Tip:Audit committees commonly ask the external auditor to inform them of majorresolved and unresolved issues encountered during the audit and of anyrestrictions senior management imposes on the scope of the audit.Understanding internal audit92

12345678910 11 12 13 14 15 16 17 18 19 206. Internal audit effectivenessTo ensure the internal audit department maintains high performance, itis important that the audit committee regularly assesses the department’seffectiveness. The IIA Professional Standards require that an independent orexternal assessment of the internal audit function be performed at least onceevery five years, and an internal assessment once a year. is satisfying the values of the key stakeholders (ie audit committee, executivemanagement, operational management)ContactsIn the meantime, the audit committee can contribute to maintaining the qualityof performance by determining whether the internal audit function: has maintained its objectivity is adequately trained (the company should provide a supportive atmospherewhere internal auditors can receive continuing professional education) keeps up with current issues and technology; for example, where a companyhas significant computerised operations or is heavily dependent on electroniccommerce, internal auditors should have the necessary skills to understandthe internal control implications has appropriate qualifications in both professional training and practicalexperience (the company should encourage internal auditors to becomemembers of professional associations and to seek professional certificationwhere appropriate) is appropriately funded within the organisation.Understanding internal audit93

12345678910 11 12 13 14 15 16 17 18 19 206. Internal audit effectivenessSome questions to ask include the following.Key questionsWho to askResponse to look forHas internal auditever undergone anexternal assessment?Head ofinternal auditThe timing and results/actionsfrom the last external assessment(at least every five years).If yes, how long ago,and how are wetracking actions toaddress findings?If so, how are actionstracked and reported?Is the internal auditcharter and/ormandate appropriate?Head of internalaudit, CEOand CFOHas it kept pace withthe company’s activitiesand information andcontrol systems?The timing and results/actionsfrom the last self-assessment(yearly is best practice).Yes, the internal audit functionhas an appropriate charter thatis followed and is sufficientlyflexible to allow it to addresschanging risks.What standardsand guidance doesthe internal auditfunction follow?Head ofinternal auditInstitute of Internal Auditors –Australia. Other relevant standardsissued by relevant authorities.Does internal auditinvestigate areassignificant to thekey operational andfinancial risks faced bythe business?CEO and CFOYes. If not, why not? Is the functionnot sufficiently risk focused?Understanding internal auditWho to askResponse to look forDoes the company acton recommendationsfrom internal auditand monitor thechanges made?Head ofinternal auditYes. This should be supportedby reporting to the auditcommittee on clearance ofpreviously reported findings.Do the internal auditorshave an effectiveworking relationshipwith the external auditorand with companypersonnel involved in riskmanagement processes?Head of internalaudit, externalauditor and chiefrisk officerYes. Evidence would be a linkfrom the internal audit plan tothe risk profile, and externalaudit being able to rely oninternal audit’s work.Appendix B is an example of a questionnaire that can be used when evaluatingthe effectiveness of the internal audit function. It may be useful to have the head ofinternal audit and CEO/CFO fill this out separately and compare the results.ContactsDoes internal audit perform Head ofannual self-assessments?internal auditKey questionsBenchmarkingAnother approach to evaluation is to commission a benchmarking exercise. Thisinvolves an independent review of the internal audit department’s activities, whichis used as the basis for benchmarking those activities against those of comparableinternal audit departments. Such reviews can improve the effectiveness of theinternal audit department by identifying actions to ensure future needs are met.Benchmarking exercises should be both quantitative and qualitative. As no twoorganisations are the same, recommendations should be tailored to the needs ofthe organisation.94

12345678910 11 12 13 14 15 16 17 18 19 206. Internal audit effectivenessGeneral questions for the head of internal auditKey questionsResponse to look forAs a member of an audit committee, it is important that you understand fully theoperation of your internal audit department, especially if you are relying on thedepartment to provide you with assurance over the controls within the organisation.Questions to ask your internal audit head are set out in the table below.Have you been inappropriatelypressured to alter or re-prioritisefindings from your work?The only changes made to reports shouldbe to ensure factual accuracy. Internal auditmust ensure that all key risk exposures itdetects during internal audits are reportedto the audit committee.Response to look forWhat co-operation do youreceive from both corporateand operational management?Good co-operation at all times. However,differences of opinion will alwayssurface. These should be explained so thecommittee can assess the stance of eachparty and how they work together. Seriousdifferences of opinion need to be resolved.Have you experienced anycircumstances where managementwas less than co-operative?Examples will help to clarify the issues andthe working relationship.Have any of your requests forinformation been denied?No. Internal audit should have the abilityto review all information it requests. Thecharter should also reinforce this.If there are concerns about undue pressure,the committee will need to discuss with thehead of internal audit from whom thesepressures are coming and how the head ofinternal audit thinks they can be resolved.ContactsKey questionsIf concerns are expressed, the auditcommittee should consider their impactand how they can be resolved.In your opinion, where is ourA clear explanation demonstrating a goodorganisation exposed (be it financial, understanding of the risks, and providingreputation, operational etc)?comfort that these are being addressedthrough internal audit or some otherIs addressing this exposure partassurance process (if appropriate).of your internal audit plan?Understanding internal audit95

12345678910 11 12 13 14 15 16 17 18 19 20Appendix A: Example of an internal audit charterThe internal audit function may cover a range of activities. This example illustrates one option only.1 Purpose of the charter1.1 The internal audit charter provides the functional and organisationalframework within which internal audit operates. This document sets outthe nature, role, status, authority and responsibility of internal audit. t here is an adequate level of compliance with policies, standards,procedures, and applicable laws and regulations.2 Mission and objective of internal audit3 Independence2.1 Internal audit’s mission is to provide independent, objective assurance tothe audit committee on the state of risks and internal controls, providingmanagement with recommendations to enhance controls.3.1 Internal audit must be, and must be seen to be, independent of the activitiesand processes it appraises, to ensure it can perform its duties in an objectivemanner and can provide impartial advice to management and the board.2.2 Its secondary objective is to assist the chief executive officer (CEO) and seniormanagement in the effective discharge of their responsibilities to the board inthe areas of risk management and internal control, by providing independentappraisals of the adequacy and effectiveness of the risk management andinternal control systems. In performing this role, internal audit may alsoprovide assistance to the board in the discharge of its responsibilities.3.2 Audit staff have no line responsibility or authority over any of the activities oroperations they review and (except in the rarest of circumstances as approvedby the CEO and/or audit committee) are not authorised to:2.3 The risk management and internal control systems encompass all policies,processes, practices and procedures established by management or the board,to provide reasonable assurance20 that: established corporate and business strategies and objectives are achieved risk exposure is identified and adequately monitored and managed r esources are acquired economically, adequately protected and managedefficiently and effectively, throughout the course of business significant financial, managerial and operating information is accurate,relevant, timely and reliable erform any operational duties for the organisation except withinpinternal audit initiate or approve accounting transactions external to internal audit direct the activities of any employee not employed by internal audit engage in any other activity that could compromise their objectivity.Contacts1.2 This document should be read in conjunction with the audit committee charter.In addition, a review might highlight opportunities for improving managementcontrol, profitability and the identification of the company’s risk profile. Thesefindings will be communicated to the appropriate level of management throughthe normal reporting process.3.3 It is the responsibility of internal audit staff to communicate to the CEOand audit committee any perceived or potential conflicts that may compromisethe objectivity or independence of internal audit.4 Authority and accountability4.1 The head of internal audit reports to the audit committee, which approves andadvises the board on the a

The charter and authority, in turn, can provide the audit committee with a clear understanding of internal audit activities, functions and organisational structure. An internal audit charter sets out the roles, responsibilities, authority and reporting requirements of the internal audit function. The