how to employ an internal auditor

8/14/2019 How to Employ an Internal Auditor

1/20

HOW TO EMPLOY AN

Internal Auditor A GUIDE TO RESOURCING FOR INTERNAL AUDIT


2/20


3/203

Index OBJECTIVE ....................................................................................................................................................4

PREAMBLE .....................................................................................................................................................4

EXECUTIVE SUMMARY .................................................................................................................................4

FOCUS FOR THE AUDIT COMMITTEE............................................................................................................5

FOCUS FOR THE EXECUTIVE .......................... ............................ ............................ ............................ ...........5

FOCUS FOR THE CAE ....................................................................................................................................5

FURTHER READING .......................................................................................................................................6

ANNEXURE A : ISSUES TO CONSIDER WHEN DECIDING TO OUTSOURCE,CO-SOURCE OR PROVIDE IN-HOUSE INTERNAL AUDIT SERVICES ............................................................7

ANNEXURE B : CONSIDERATIONS WHEN SELECTING RECRUITMENTSOURCES .......................................................................................................................................................9

ANNEXURE C : SKILLS COMPETENCY MATRIX............................................................................................10

ANNEXURE D : CONSIDERATIONS WHEN OUTSOURCING SOME ORALL INTERNAL AUDIT SERVICES ...................................................................................................................12

ANNEXURE-E: PRACTICE ADVISORY 1210-1: PROFICIENCY .....................................................................14

ANNEXURE-F: PRACTICE ADVISORY 1210.A1-1: OBTAINING SERVICES

TO SUPPORT OR COMPLIMENT THE INTERNAL AUDIT ACTIVITY ................................................................15

ANNEXURE-G: STANDARD 2000: MANAGING THE INTERNAL AUDIT ACTIVITY ........................... ..........16

ANNEXURE-H: PRACTICE. ADVISORY 2030-1: RESOURCE MANAGEMENT ..............................................17

ANNEXURE-I: PRACTICE ADVISORY 2330.A1.1: CONTROL OF ENGAGEMENT RECORDS .......................18

ABOUT THE INSTITUTE ...................................................................................................................................19


4/204

ObjectiveThis booklet is intended to act as a guideline for resourcing an

internal audit activity, whether employing staff in-house, co-

sourcing or outsourcing the activity. Where possible the relevant

standards and practice advisories have been included to support

the guidance.

An internal audit activity will be successful if it has the correct

quantity and quality staff, who perform well and have the diversity

of skills required to deliver on challenging demands from a varied

client base. This brochure will aid the reader to match the level

of skill required by the audit activity to the skills of the internal

auditor.

Who will bene t from the document?

Audit Committee (AC)

Executive management, Chief Executive Of cer (CEO)

Chief Audit Executive (CAE)

Human Resources Department (HR)

Recruitment Agents

PreambleThe decision to have an Internal Audit Activity (IAA) shouldbe taken at the strategic level of the organisation and should

include consideration of whether to staff the activity with in-house

personnel co-source or outsource. This decision will be in uenced

by various factors such as managements view and understanding

of the value of internal audit, the size, nature and complexity of

the organisation, the culture of the organisation, the cost versus

bene t, the industry norm, the risk pro le of the organisation, the

audit maturity and the degree of specialisation required.

For an IAA to be effective the function needs to enjoy the support

of the Audit Committee, executive and senior management. In

SA the establishment of an IAA is legistlated by the PFMA (Public

Finance Management Act) and treasury regulations for central

and provincial government and the MFMA (Municipal Finance

Management Act) for local government.

Executive summaryThe decision to secure internal audit services is not a simple one.Many variables have to be considered, such as the extent to

which the Board are able to manage the structures and activities

of the organisation hands on, as well as the level of risk inherent

in the various structures and activities of the organisation. The level

of risk in turn will be in uenced by, among other things, the size of

the organisation, the current state of change in the organisation,

whether the organisation is acquiring new businesses or unbundling,

the speed at which new products are taken to market etc. These

variables will all impact on the level of skills and experience required

by the internal audit activity and the number of auditors required

to provide suf cient assurance to the Board regarding the state of

internal control, risk and governance within the organisation.

The CAE will play a signi cant role in the determination of the

intensity of internal audit work required and thus should be the

key gure in the planning of the resourcing of the internal audit

activity.

Cognisance must be taken of the fact that the CAE, irrespective

of how the IAA is sourced, shall be an employee of the company

at an executive level. This is con rmed in a position paper issued

by the IIA Inc. on 20/06/2005 in which the following is stated:

In cases where total outsourcing is selected as the method for

obtaining internal audit services, The IIA believes that oversight

and responsibility for the internal audit activity cannot be

outsourced. An in-house liaison, preferably an executive or senior

management-level employee should be assigned responsibility for

management of the internal auditing activity. Consideration of the

independence of the assigned in-house liaison must be evaluated

if this individual has other (non-internal audit) responsibilities.

The audit committees or equivalent governing bodys role is

also important in the oversight process and the level of active

oversight should be considered. A related publication entitled, The

Professional Practice Framework for Internal Auditing, is organized

to provide a full range of internal audit guidance and includes

The Standards and Ethics, and Practice Advisories, e.g. chief audit

executives role and responsibilities, independence considerations,

etc. The de nition of Chief Audit Executive in the Glossary of the

Standards provides further clarity.

The key decision to be made is whether to:

Have a full internal audit activity within the organisation;

Co-source i.e. outsource only certain internal audit activities

e.g. where speci c specialist skills are required for ad-hoc

projects; or

Outsource the internal audit activity entirely.

See Annexure A for guidance in this regard.

Irrespective of whether the activity is in-house, co-sourced or

outsourced, the skills matrix required to effectively service the

How to employ an internal auditor A Guide to resourcing for Internal Audit


5/205

organisation should be determined and used as the basis for

ensuring the employment of the appropriately skilled resources.

This document advocates that even when the IIA is outsourced

the service provider should provide a full skills mapping to the

requirements of the organisation to ensure that the correct level of

service is being provided. This skills matrix should be drawn up by

the in-house CAE, based on the risk assessment and approved by

the audit committee.

The scope of the work to be covered and the risk pro le and size

of the organisation will determine the levels and number of staff

required there is no realistic benchmark for inter-organisational

comparison. This will also to a large extent be in uenced by the

risk appetite of management and their understanding of, and

perceived need for internal audit.

The Annexures to this document provide more detailed guidance

on sourcing internal auditors and include selected Practice

Advisories relating to relevant internal auditing standards

Focus for the audit committeeThe audit committee or the equivalent governing body should

provide the stamp of approval over the strategic decision to

employ internal audit in-house, co-source or outsource.

Treasury Regulations (Government Notice No 225 published in

Government Gazette No 27388 on 15 March 2005) as prescribed

under Section 76 of the Public Finance and Management Act

regulate the functioning of internal audit and audit committees

and thus it is important for all public sector entities to have

effective internal audit activities which add value. The Treasury

Regulations require compliance with the International Standards

for the Professional Practice of Internal Audit.

The King II Code fully endorses the International Standards for

the Professional Practice of Internal Audit and recommends that

companies should have an effective internal audit function that

has both the respect and co-operation of both the Board and

management. Should a Board decide not to establish an internal

audit activity full reasons should be disclosed in the annual report

and an explanation provided as to how assurance of effective

internal controls, processes and systems will be obtained.

The Audit Committee should provide con rmation of the skills/

competency mix required to ensure that the objective of the

internal audit activity of the organisation can be accomplished

effectively. This would then provide guidance over the selection

criteria (Annexure C) for the appointment of a CAE, and support

both executive management and the human resources activity in

ensuring that a suitable selection is made both in the employment

of an in-house CAE, and audit activity staff, however resourced.

The audit committee should ensure that when outsourcing and

co-sourcing the credentials of the contracting partner/person

and staff meet the skills and competency mix for the internal audit

activity as required by the organisation.

The audit committee should play a role in the appointment,

performance appraisal and, if merited, the dismissal of the CAE.

These roles should be de ned in the charters of the audit activity

and the audit committee. The audit committees involvement

would serve to strengthen the governance processes surrounding

reporting on internal control processes within the organisation andstrengthen the independence of the CAE. The audit committee

would play the same role with outsourced and co-sourced

activities.

The rst decision that has to be made when establishing an IAA

is whether to have an in-house , co-source or outsource activity -

refer Annexure A. Then follows the appointment of the CAE.

Focus for the executiveThe executive should appoint the CAE in agreement with the audit

committee. It is reiterated that the IIA believes that oversight and

responsibility for the internal audit activity cannot be outsourced.

Annexure C provides guidance on the skills set that a CAE should

possess. Should one of the executives assume the role of the CAE

and the function be outsourced, then the relevant executive

should ensure that the leader of the appointed outsourced party

should have appropriate CAE skills.

The executive should agree the resourcing plan for the internal

audit activity with the CAE; this would include considerations to

in-source, co-source and outsource the internal audit activity

(refer Annexure H). The executive needs to ensure that all relevant

factors which could affect the provision of an effective internal

audit activity have been considered when determining the

resourcing strategy. Annexure D provides guidance on issues to

consider when making the decision to outsource or co-source.

Focus for the CAE The key focus for the CAE is to ensure that the internal audit activityis properly managed in accordance with the guidance provided

in Standard 2000 refer Annexure G.


6/206

The CAE is responsible for sourcing the necessary skills set for the

effective provision of an internal audit service to the organisation:

this would include the establishment of the internal audit activity

including staf ng, and/or the acquisition of co-sourced servicesand the in-house skills set. Annexure A: Issues to consider when

deciding to outsource, co-source or provide in-house internal audit

services should aid the CAE when considering which resourcing

alternatives to consider.

If outsourcing or co-sourcing is required, Annexure D provides

guidance on issues to consider when concluding contractual

obligations with the service provider.

The CAE needs to ensure that the International Standards

for the Professional Practice for Internal Auditing are appliedwhen appointing personnel. Standard 1210 Pro ciency needs

to be considered during the screening process - states that:

Internal auditors should possess the knowledge, skills, and other

competencies needed to perform their individual responsibilities.

The internal audit activity collectively should possess or obtain theknowledge, skills, and other competencies needed to perform its

responsibilities. The Practice Advisory relating to this standard is

contained in Annexure E. Annexure C provides guidance on the

skills set (not exhaustive) that a CAE should consider when recruiting

at different skill levels. The CAE should ensure that the outsourced

personnel have the necessary skill to perform the assignment

Annexure B considers some of the advantages and disadvantages

that may be associated with recruiting internal audit personnel

from within the organisation, from external sources or from tertiary

institutions.

Further readingIf you would like to nd out more about the subject the following publications may be of interest to you:

PUBLICATION AUTHOR PUBLISHER

The Professional Practices Framework (PPF) - The purpose ofthe PPF is to organize the full range of internal audit guidanceand includes the Code of Ethics, The Standards, and PracticeAdvisories.

IIA Inc IIA Inc

Audit Committee Effectiveness What Works Best 3rd Edition PricewaterhouseCoopers IIA Research Foundation

20 Questions Directors Should Ask about Internal Audit Canadian Institute of CharteredAccountants, IIA ResearchFoundation

IIA Research Foundation

A Balanced Scorecard Framework for Internal AuditingDepartments

Frigo, ML IIA Research Foundation

King II report King Committee on CorporateGovernance

Institute of Directors (IOD)

Public Finance and Management Act (PFMA) SA Legislature Government Printers

Municipal Finance Management Act (MFMA) SA Legislature Government Printers


7/207

Annexure A:Issues to consider when deciding to outsource,

Co-source or provide in-house internal audit services

The most appropriate manner of resourcing an internal auditactivity (IAA) is an issue which management and Audit Committees

have grappled with over many years. The following are someguidelines which should be considered when establishing anIAA, or considering co-sourcing or outsourcing, but also at timeswhen change occurs in an organisation e.g. workloads increase,downsizing, mergers and acquisitions and so on.

De nitions

In-house - an internal audit activity staffed mainly by permanentemployees of the entity.

Co-sourced (Partnering/ In-sourcing) - an existing in-house function

which contracts in other skills on a temporary or project basis. Thesecontracted skills are directly managed and supervised by the in-house function as though employed by the entity itself.

Outsourced - an external entity is contracted to provide all aspectsof the full internal audit service. NB the Chief Audit Executive

(CAE) cannot be outsourced, must be an employee, and theresponsibility for and control over the delivery of service alwaysremains within the entity.

The decision on which of the methods would be most appropriatefor a particular organisation can be guided by the discussion pointsin the table below. Each has advantages and disadvantages, andthe nal choice will be determined by the speci c circumstancesof the organisation, managements view of the need for, andunderstanding of internal audit and the ready availability ofsuitable resources in the market.

Note: I = In-house, C = Co-source, O = Outsource. Where thereis an x in more than one column, this indicates that alternativescould be effective taking into account speci c organisationalcircumstances.

CONSIDERATION I C O COMMENTS

Executive Management and Audit Committeeunderstanding and expectations of internal audit

Effective IAA required to add value, provide strongassurance on risk and control in all facets of thebusiness on a continuous basis

X X XThe size and complexity of the organisation should also be takeninto account.

The CAE should still be accountable for effectively managing theIAA to ensure that it adds value

IAA needed only as a measure to comply withlegislation or regulation X

Size and complexity of the business requiring auditing

Small, simple operations X The key consideration is the knowledge of the business required bythe internal auditor. The more routine the operations, the easier itwill be for contractors to manage the audit on an ad-hoc basis. Thelarger the organisation and the more complex, the easier it will befor permanent employees to perform a continuous, comprehensiveaudit and to be aware of nuances concerning control and risk thatcontractors would miss.

Co-sourcing if effective where specialization is needed for ad-hocprojects and it would not be feasible to employ a full time resource

Small, complex operations X X

Medium, simple operations X X

Medium, complex operations X X X

Large, simple operations X X X Large, complex operations X XStructure of the organisation i.e. centralised /decentralised/global operationsThe structure of the organisation will determinewhere the internal auditors will be domiciled. It is

usually effective for specialist auditors e.g. t reasuryspecialists to be centralised at headquarters withoperational auditors being decentralised

X X X

A large decentralised operation works most effectively when it isin-house, with certain activities co-sourced. Co-sourcing is also costeffective when sourcing specialised skills which would be moreexpensive to retain in-house. In addition, outsource service providersusually have networks and structures, sometimes global, which allowfor such specialists to continuously upgrade their expertise

Cost The cost of the IAA will always be a keyconsideration; this is particularly relevant in smallorganisations. An effective IAA should however beable to deliver value-added services which shouldadequately compensate for the cost of the function.

In-house IAAs can often be more costly than an outsourcedactivity. The latter can however never realistically attain thesame degree of business continuity and knowledge as full-timeemployees, or build organisational relationships to the same extent.

Operational change in an organisation X

When strategic or structural change occurs such as duringmergers and acquisitions or unbundling, there may be the need totemporarily increase the review activities of internal audit and thusco-sourcing specialists could be considered.

Maturity of internal audit within the organisation X X X

For start-up functions, the requirements might be much differentthan for established internal audit functions. Strategic decisionscould include merit for co-sourcing the establishment in order totransfer skill or to establish an in-house function should requiredresources be available.


8/208

General considerations

In-house staff are always available in case of ad-hoc, urgent requests from management.

In-house staff can become too close to their clients and risk losing objectivity. It is debatable whether outsourced services are entirelyobjective due to their business imperative both situations can be controlled through effective management.

Loyalties of in-house staff will lie with their own organisation.

In-house functions could become isolated within their own environment and not have the same extent of exposure to new or cuttingedge practices that outsourced service providers would.

In-house IAAs provide an extremely good training ground/nursery for future senior management. This is because internal auditors gain abroad understanding of all the entitys operations and risk exposures. This makes for very effective management succession planning.

An in-house IAA acts as a constant source of skills transfer to operational staff.

Certain outsourced staff may well have excellent client management skills which is advantageous when getting buy-in for implementationof recommended changes. In addition, the external status of outsourced staff may cause them to be viewed by operational staff asmore expert or credible than those of an in-house activity.

Clients in an organisation can become reliant on expertise of certain outsourced staff, particularly as their knowledge of the businessincreases. Staff turnover amongst contractors, especially regarding scarce skills, means that such staff are rarely available in the mediumor long term. This means a new learning curve for replacement staff and the risk of ineffective audit evaluations at least initially.

In organisations where the IAA reports to operational management, the staff of an outsource function may be more independent thanin-house employees.

Outsource service providers frequently have access to advanced technologies, leading edge methodologies and comprehensiveknowledge bases, which may be beyond the nancial or technical reach of an in-house department.

Co-sourcing can provide savings in the overall cost of audit coverage, by reducing down-time of contingency staff and increasingef ciency through better methodologies and staff skills. This partnering can also serve as effective skills transfer.

By working together with senior in-house employees, co-sourced staff have a shorter learning curve than a brand-new employee wouldhave.

Co-sourcing can improve the IAA by making available specialised skills, industry and process knowledge as required, which the averagein-house function would either not require on a full time basis, or would not be able to hire and retain.


9/209

Annexure B:Considerations when selecting recruitment sources

There are three main sources of internal auditors namely, recruitment from within the organisation, external recruitment and recruitment froma tertiary institution.

Advantages and disadvantages

RECRUITMENT FROM WITHIN THEORGANISATION

EXTERNAL RECRUITMENT(including secondment of staff from

professional rms)

RECRUITMENT FROM TERTIARY INSTITUTIONS

Knowledge of the business operations andorganisational culture

Will be unable to audit previous area of work until a year has passed

Audit training will be required but will beable to start performing quickly and supportthe other internal auditors with in-depth

organisational knowledge.

May be less objective than external recruiti.e. have dif culty in critically evaluating thesystems and the culture being in uenced bytheir previous experience

No recruitment costs

The IAA can be used as a training groundfor future senior positions as internal auditorshave a broad understanding of the entireorganisation, especially risk and control.This allows for effective business successionplanning.

Brings knowledge and experience fromother institutions

Will take time to learn the business, but maybe able to perform more quickly and requireless supervision than university recruit

Can view systems and procedures from afresh perspective

Possible enhanced objectivity, but mayhave undesirable work habits to beovercome

New employees could bring new ideas andapproaches

May take time to adapt to environment

Can be expensive particularly if a senior position

Unknown capability (although withsecondments from professional rms, onecontracts the rm and not only the individual

so there is the option to exchangethe individual until comfortable with thecapability.

Can be trained as interns during vacation

More training required than if recruitingexperienced staff. Learning curve shortenedif quali cation includes internal auditdiscipline

Not in uenced by any bad habits fromprevious work environment

Will be objective but may accept anyguidance without critical questioning

May take time to adapt to environment

Organisation is seen to provide jobopportunities; could aid equity development

Is able to look at systems and proceduresfrom a fresh perspective

No recruitment costs

Unknown capability and would clearly havean applied knowledge gap


10/2010

Annexure C:Skills competency matrix

ENTRY LEVEL AUDITOR EXPERIENCED AUDITOR ADVANCED AUDITOR/MANAGER

CAE

QUALIFICATIONS AND EXPERIENCES

Professional designations in InternalAuditing: IAT - Internal Audit Technician

(SAQF level 6) GIA General Internal Auditor

(SAQF level 6) CIA Certi ed Internal Auditor

(SAQF level 7)Specialisations CCSA Certi cation in Control Self

Assessment CFSA Certi ed Financial Systems Auditor CGAP Certi ed Government Auditing

Professional CISA Certi ed Information Systems

Auditor

IAT i.e. two years of arelevant quali cation

plus two yearsexperience

Completion ofIAT would be an

advantage

GIA i.e. three year quali cation plus

three years relevantexperience.

Specialisedcerti cations CCSA,

CFSA, CGAP and CISAare useful

Completion ofGIA would be an

advantage

CIA

and/or specialisationsuch as CCSA, CFSA,

CGAP and CISA

CIA

and/or specialisationsuch as CCSA, CFSA,

CGAP and CISA

Relevant degree e.g. a degree assisting with businessunderstanding such as nursing in a healthorganisation would be relevant. InternalAuditing as a degree or subject is anadvantage.

Preferable or studying toward a

relevant secondaryquali cation

Required or 5-10 yearsexperience

Required Required, preferablya business degree atMasters level such asMBA, MCom (Internal

audit, IT audit, etc).CA(SA) can be

appropriate if the corebusiness of the entity is

nancial.

AUDITING SKILL AND COMPETENCE

Auditing experience Awareness Application tointegration

Integration Integration

Corporate governance and risk management

Awareness Application tointegration


Risk analysis Awareness Application Integration Integration

Control frameworks Awareness Application Integration Integration

Identifying types of controls (e.g.preventative, detective)

Awareness Application tointegration


General Management Principles Awareness Application Integration Integration

Business knowledge Integration Integration

Global and corporate view Awareness Application

Strategic knowledge Awareness

Operational knowledge Awareness Application

Corporate politics and sensitivity Awareness Application

Information technology Awareness Application Integration Application

Use of information technology Application Integration Integration Awareness

Statistical sampling Application Integration Integration IntegrationData collection and analysis Application Application Integration Integration

Fraud awareness and skills Awareness Awareness Awareness Awareness

Current knowledge of the PPF Application Integration Integration Integration

Planning and time management Awareness Application Integration Awareness

PERSONAL QUALITIES - BEHAVIOURAL SKILLS

Assertiveness Medium Medium High High

Emotional stability Medium Medium High High

Lateral thinking Medium Medium High High

Self motivation Medium Medium High High

Diligence High High High High

Good judgement / discernment Medium High High High

Creativity Medium High High High

Honesty, integrity and con dentiality High High High High


11/2011

ENTRY LEVEL AUDITOR EXPERIENCED AUDITOR ADVANCED AUDITOR/MANAGER

CAE

PERSONAL QUALITIES - BEHAVIOURAL SKILLS (Continued)

Independence High High High High

Ethics sensitivity High High High High

Leadership Low Medium High High

Objectivity High High High High

Versitility with various levels of management Medium Medium High High

Ability to work independently Medium High High High

Conceptual thinking Medium Medium High High

Critical thinking Low Medium High High

Analytical ability and problem identi cation Medium Medium High High

INTERPERSONAL SKILLS

Verbal communication Ability to express ideas Medium High Excellent

Written communication including reportwriting

Ability to express ideas Medium High Excellent

Con ict management and resolution Ability to read thesituation

Application Integration Integration

Presentation skills Demonstrable Application Integration Integration

Facilitation Awareness Demonstrable Integration Excellent and proven

Negotiation skills Awareness Application Integration Integration

Persuasion skills Awareness Application Integration Integration

Marketing skills Awareness Demonstrable Demonstrable Integration

Interpersonal relationships includingrelationship building

Awareness Medium Excellent and proven Excellent and proven

Political awareness Awareness Demonstrable Application Integration

Situational leadership Awareness Application tointegration Integration Integration

Interviewing Application Integration Integration Integration

Staff management, team building andteam member

Awareness Application Integration Excellent and proven

Ability to market internal audit Awareness Application Application Integration

OTHER TECHNICAL SKILLS

IFRS, IFAC (where applicable) Awareness Application Integration Integration

Tax (where applicable) Awareness Application Integration Integration

Company law (where applicable) Awareness Application Integration Integration

Accounting (where applicable) Awareness Application Integration Integration

Other relevant Acts, legislation and

regulations

Awareness Application Integration Integration

Research skills Awareness Application tointegration

Integration Awareness

Financial analysis Awareness Application Application tointegration

Integration

Total quality management Awareness Awareness Awareness Awareness

ISO knowledge Awareness Awareness Awareness Awareness

Change management Awareness Awareness Integration Integration

Speciality area e.g. IT Security, Finance Application Integration Integration Integration

Application Ability to cognitively apply knowledge to practical solutions within the speci c audit environment whilst taking the impact on the audit universe into account

Awareness Demonstrates an awareness of the competence or skill, but may not yet know how to apply it effectively

Demonstrable Aware of the competence or skill and beginning to apply it effectively

High High technical level of expertise in the relevant area and ability to source skill when expertise is lacking

Integration Ability to strategically and cognitively apply knowledge and experience to practical solutions within the audit universe and across all business entities and

the external business environment

Medium Medium level of expertise in the relevant area


12/20


13/20


14/2014

Annexure E:Practice Advisory 1210-1: Pro ciency

Primary Related Standard

1210 Pro ciency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internalaudit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Interpretation:

Knowledge, skills, and other competencies is a collective term that refers to the professional pro ciency required of internal auditors toeffectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their pro ciency by obtainingappropriate professional certi cations and quali cations, such as the Certi ed Internal Auditor designation and other designations offeredby The Institute of Internal Auditors and other appropriate professional organizations.

Practice Advisory

1. The knowledge, skills, and other competencies referred to in the standard include: Pro ciency in applying internal audit standards, procedures, and techniques in performing engagements. Pro ciency means the

ability to apply knowledge to situations likely to be encountered and to deal with them appropriately without extensive recourse totechnical research and assistance.

Pro ciency in accounting principles and techniques if internal auditors work extensively with nancial records and reports. Knowledge to identify the indicators of fraud. Knowledge of key information technology risks and controls and available technology-based audit techniques. An understanding of management principles to recognize and evaluate the materiality and signi cance of deviations from good

business practices. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognizesigni cant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.

An appreciation of the fundamentals of business subjects such as accounting, economics, commercial law, taxation, nance,quantitative methods, information technology, risk management, and fraud. An appreciation means the ability to recognize theexistence of problems or potential problems and to identify the additional research to be undertaken or the assistance to beobtained.

Skills in dealing with people, understanding human relations, and maintaining satisfactory relationships with engagement clients. Skills in oral and written communications to clearly and effectively convey such matters as engagement objectives, evaluations,

conclusions, and recommendations.

2. Suitable criteria of education and experience for lling internal audit positions is established by the chief audit executive (CAE) who givesdue consideration to the scope of work and level of responsibility and obtains reasonable assurance as to each prospective auditorsquali cations and pro ciency.

3. The internal audit activity needs to collectively possess the knowledge, skills, and other competencies essential to the practice of theprofession within the organization. Performing an annual analysis of an internal audit activitys knowledge, skills, and other competencies

helps identify areas of opportunity that can be addressed by continuing professional development, recruiting, or co-sourcing.

4. Continuing professional development is essential to help ensure internal audit staff remains pro cient.

5. The CAE may obtain assistance from experts outside the internal audit activity to support or complement areas where the internal auditactivity is not suf ciently pro cient.


15/2015

Annexure F:Practice Advisory 1210.A1-1:

Obtaining external service providers to support or complement the internal audit activity


1210.A1 The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Practice Advisory

1. Each member of the internal audit activity need not be quali ed in all disciplines. The internal audit activity may use external service providersor internal resources that are quali ed in disciplines such as accounting, auditing, economics, nance, statistics, information technology,engineering, taxation, law, environmental affairs, and other areas as needed to meet the internal audit activitys responsibilities.

2 An external service provider is a person or rm, independent of the organization, who has special knowledge, skill, and experience in aparticular discipline. External service providers include actuaries, accountants, appraisers, culture or language experts, environmentalspecialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, theorganizations external auditors, and other audit organizations. An external service provider may be engaged by the board, senior

management, or the chief audit executive (CAE).

3 External service providers may be used by the internal audit activity in connection with, among other things: Achievement of the objectives in the engagement work schedule. Audit activities where a specialized skill and knowledge are needed such as information technology, statistics, taxes, or language translations. Valuations of assets such as land and buildings, works of art, precious gems, investments, and complex nancial instruments. Determination of quantities or physical condition of certain assets such as mineral and petroleum reserves. Measuring the work completed and to be completed on contracts in progress. Fraud and security investigations. Determination of amounts, by using specialized methods such as actuarial determinations of employee bene t obligations. Interpretation of legal, technical, and regulatory requirements. Evaluation of the internal audit activitys quality assurance and improvement program in conformance with the Standards. Mergers and acquisitions.

Consulting on risk management and other matters.

4 When the CAE intends to use and rely on the work of an external service provider, the CAE needs to consider the competence,independence, and objectivity of the external service provider as it relates to the particular assignment to be performed. The assessmentof competency, independence, and objectivity is also needed when the external service provider is selected by senior managementor the board, and the CAE intends to use and rely on the external service providers work. When the selection is made by others and theCAEs assessment determines that he or she should not use and rely on the work of the external service provider, communication of suchresults is needed to senior management or the board, as appropriate.

5 The CAE determines that the external service provider possesses the necessary knowledge, skills, and other competencies to perform theengagement by considering: Professional certi cation, license, or other recognition of the external service providers competence in the relevant discipline. Membership of the external service provider in an appropriate professional organization and adherence to that organizations code of ethics.

The reputation of the external service provider. This may include contacting others familiar with the external service providers work. The external service providers experience in the type of work being considered. The extent of education and training received by the external service provider in disciplines that pertain to the particular engagement. The external service providers knowledge and experience in the industry in which the organization operates.

6 The CAE needs to assess the relationship of the external service provider to the organization and to the internal audit activity to ensurethat independence and objectivity are maintained throughout the engagement. In performing the assessment, the CAE veri es thatthere are no nancial, organizational, or personal relationships that will prevent the external service provider from rendering impartial andunbiased judgments and opinions when performing or reporting on the engagement.

7 The CAE assesses the independence and objectivity of the external service provider by considering: The nancial interest the external service provider may have in the organization. The personal or professional af liation the external service provider may have to the board, senior management, or others within the

organization. The relationship the external service provider may have had with the organization or the activities being reviewed. The extent of other ongoing services the external service provider may be performing for the organization. Compensation or other incentives that the external service provider may have.


16/2016

Annexure-G:Standard 2000: Managing the Internal Audit Activity

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

Interpretation:

The internal audit activity is effectively managed when: The results of the internal audit activitys work achieve the purpose and responsibility included in the internal audit charter; The internal audit activity conforms with the De nition of Internal Auditing and the Standards; and The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.


17/2017

Annexure-H:Practice Advisory 2030-1: Resource management


2030 Resource ManagementThe chief audit executive must ensure that internal audit resources are appropriate, suf cient, and effectively deployed to achieve theapproved plan.

Interpretation:Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Suf cient refers to the quantity ofresources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievementof the approved plan.

Practice Advisory

1. The chief audit executive (CAE) is primarily responsible for the suf ciency and management of internal audit resources in a manner thatensures the ful llment of internal audits responsibilities, as detailed in the internal audit charter. This includes effective communication ofresource needs and reporting of status to senior management and the board. Internal audit resources may include employees, externalservice providers, nancial support, and technology-based audit techniques. Ensuring the adequacy of internal audit resources is ultimatelya responsibility of the organizations senior management and board; the CAE should assist them in discharging this responsibility.

2. The skills, capabilities, and technical knowledge of the internal audit staff are to be appropriate for the planned activities. The CAEwill conduct a periodic skills assessment or inventory to determine the speci c skills required to perform the internal audit activities. Theskills assessment is based on and considers the various needs identi ed in the risk assessment and audit plan. This includes assessmentsof technical knowledge, language skills, business acumen, fraud detection and prevention competency, and accounting and auditexpertise.

3. Internal audit resources need to be suf cient to execute the audit activities in the breadth, depth, and timeliness expected by senior

management and the board, as stated in the internal audit charter. Resource planning considerations include the audit universe, relevantrisk levels, the internal audit plan, coverage expectations, and an estimate of unanticipated activities.

4. The CAE also ensures that resources are deployed effectively. This includes assigning auditors who are competent and quali ed for speci cassignments. It also includes developing a resourcing approach and organizational structure appropriate for the business structure, risk pro le, and geographical dispersion of the organization.

5. From an overall resource management standpoint, the CAE considers succession planning, staff evaluation and development programs,and other human resource disciplines. The CAE also addresses the resourcing needs of the internal audit activity, whether those skills arepresent or not within the internal audit activity itself. Other approaches to addressing resource needs include external service providers,employees from other departments within the organization, or specialized consultants.

6. Because of the critical nature of resources, the CAE maintains ongoing communications and dialog with senior management and theboard on the adequacy of resources for the internal audit activity. The CAE periodically presents a summary of status and adequacy ofresources to senior management and the board. To that end, the CAE develops appropriate metrics, goals, and objectives to monitor theoverall adequacy of resources. This can include comparisons of resources to the internal audit plan, the impact of temporary shortagesor vacancies, educational and training activities, and changes to speci c skill needs based on changes in the organizations business,operations, programs, systems, and controls.


18/2018

Annexure-I:Practice Advisory 2330.A1-1: Control of Engagement Records


2330.A1 The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval ofsenior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

Practice Advisory

1. Internal audit engagement records include reports, supporting documentation, review notes, and correspondence, regardless of storagemedia. Engagement records or working papers are the property of the organization. The internal audit activity controls engagementworking papers and provides access to authorized personnel only.

2 Internal auditors may educate management and the board about access to engagement records by external parties. Policies relatingto access to engagement records, handling of access requests, and procedures to be followed when an engagement warrants aninvestigation, need to be reviewed by the board.

3 Internal audit policies explain who in the organization is responsible for ensuring the control and security of the activitys records, whichinternal or external parties can be granted access to engagement records, and how requests for access to those records need to behandled. These policies will vary depending on the nature of the organization, practices followed in the industry, and access privilegesestablished by law.

4 Management and other members of the organization may request access to all or speci c engagement working papers. Such accessmay be necessary to substantiate or explain engagement observations and recommendations or for other business purposes. The chiefaudit executive (CAE) approves these requests.

5 The CAE approves access to engagement working papers by external auditors.

6 There are circumstances where parties outside the organization, other than external auditors, request access to engagement workingpapers and reports. Prior to releasing the documentation, the CAE obtains the approval of senior management and/or legal counsel, as

appropriate.

7 Potentially, internal audit records that are not speci cally protected may be accessed in legal proceedings. Legal requirements varysigni cantly in different jurisdictions. When there is a speci c request for engagement records in relation to a legal proceeding, the CAEworks closely with legal counsel in deciding what to provide.


19/2019

About the InstituteThe Institute of Internal Auditors (IIA Inc), established in 1941, is the leading non-profit professional body representing the interests of internal

auditors worldwide. It i s the internationally recognized authority, principle educator and acknowledged leader in certif ication, research

and technology guidance for the profession. It is also the creator and custodian of the International Standards for the Professional

Practice of Internal Auditors, and the Code of Ethics to which all members must adhere. In serving its members, it is dedicated to the

education and advancement of internal auditors.

The Institute of Internal Auditors South Africa (IIA SA) is an association incorporated as a non-profit organisation and is affiliated to the

Institute of Internal Auditors Inc, (IIA Inc) as a National Institute. All funds are applied directly to member benefits and administration.

The Internal Auditor The scope of the Internal Auditor encompasses the examination and evaluation of the adequacy and effectiveness of the organisations

system of internal control and the quality of the organisations performance. The impor tance of the internal auditing function is emphasized

by recognition in the King Report on Governance, and the Public Finance Management Act, the Municipal Finance Management Act

as well as Treasury regulations.


20/20

2008 Annual Report

P O Box 2290Bedfordview

2008

Telephone: +27 11 450 1040 Facsimile: + 27 11 450 1070Website: www.iiasa.org.za

how to employ an internal auditor

Documents