AuditNet® Ask the Auditor Forum
Auditing Standards




Question: Is there a QAR certification? If someone wants to perform QARs for internal audit groups, are there any restrictions or requirements?

Answer: To my knowledge there is no QAR certification for internal audits. The IIA (and other organizations) do have volunteer teams that conduct quality assurance reviews. If someone wanted to perform QARs they should be independent of the organization and of the internal audit activity. The review team should consist of individuals who are competent in the professional practice of internal auditing and the external assessment process. Qualified individuals could include consultants or professional service providers from outside the organization whose internal audit activity is the subject of the external assessment.


Question: How should an audit charter address the following questions regarding the direct reporting relationship between Internal Audit, the Audit Committee and Senior Management (i.e. CEO, CFO): 1). Who does Internal Audit report to? 2). Is Internal Audit an independent function? 3). Who determines Internal Audit's salary compensation without impacting the Internal Auditor's independence? I have encountered various opinions from the Board, Audit Committee and Senior Management and can find no definite answers as to how the charter should be worded.

Answer: The International Standards for the Professional Practice of Internal Auditing state that the CAE should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.

Ideally, the chief audit executive should report functionally to the audit committee, board of directors, or other appropriate governing authority, and administratively to the chief executive officer of the organization.

The question of independence is enhanced when the board concurs in the appointment or removal of the CAE.

To the best of my knowledge the standards do not address who determines the compensation issues for the CAE or the audit staff. That would normally be an operational issue that would vary by organization.

Following are some examples of charters:

Bank for International Settlements Audit Charter

CMS Group of Companies Internal Audit Charter

International Brotherhood of Teamsters Internal Audit Charter

For a page devoted to internal audit charters on AuditNet which includes a Google search of audit charters click here.


Question: I am looking for IIA guidelines to determine if management's signature is required on the Audit Report upon response as part of wrap-up procedures. I know that external auditors require written signature on the management representation letters prior to issuing an opinion, is there something similar in internal audit?

Answer: There is a response to a similar question in the How Do I... Forum. To my knowledge there is no specific guidance in the IIA Standards requiring management's signature on the audit report or any form of management representation letter. While AICPA standards mandate written representation letters, I see nothing comparable in the IIA standards. (If anyone is aware of this requirement, please share). That does not mean to imply that this is not a best practice that some chief audit executives are considering based on new SEC reporting requirements. In 2002 Protiviti conducted a governance research study specifically mentioning this practice. This would be an interesting question for the audit-l discussion group.


Question: I am Director of Internal Audit for our holding company. I am being asked to assist in setting up reconciliation and conversion tests and proof for conversion of one office into another. Does this hinder my ability to function in my position of Internal Audit? In the same vein how far can Internal Audit go in assisting in implementation of procedures and processes? I know what the IIA standards are but this is the real world and I know that IA assists in these areas. Any guidance you can give me is appreciated.

Answer: The key issue here is internal audit's maintenance, including appearance, of independence. As a usual guideline/rule, IA should not develop or implement or execute operational procedures. When an organization needs procedures and pressure is put on IA to do this, there are some ways this may be handled to help maintain this IA independence.

Explain to management that IA independence is essential to maintain an effective IA function and that generally accepted IA standards clearly spell this out.

Assess your situation. If IA will be expected to audit these procedures it is asked to develop and implement, then you have a difficult situation. If your audit staff is large enough, you can have staff never involved in the development & implementation of these procedures audit them. However, if this is not possible and management insists IA do this, then you need an alternative for management that will work. One way is to ask management to form a "team" to develop these procedures, with only key operational staff on this team and IA as "consultants" only to this "team", explaining that IA will only make generalized recommendations on how the "team" should proceed and assess the procedures the "team" proposes. But, make sure management understands that the "team" is responsible for the procedures, not IA. Also, make it clear that IA will not approve these procedures, because IA must audit them later.


 


Question: Most auditing standards use the word "should". Is this defined as a mandatory directive [shall], or is it subject to professional judgment based on the situation?

Answer: Should is not a mandatory directive. But, it does mean that if you deviate from these directives you need a good, defendable reason or reasons. These reasons should be documented in the workpapers and covered with & approved by audit management. This exception to the normal should be explained to organizational management so that if the same or similar situation comes up in the future you may make a different decision based on differing circumstances. Also Merriam-Webster's Collegiate Dictionary Online would indicate that should, shall and must are used interchangeably. While audit standards commonly use the word "should", historically this has been interpreted as "must" or "shall." This would be most critical in audits where you state that the audit was conducted in accordance with standards such as those promulgated by the Institute of Internal Auditors, the American Institute of Certified Public Accountants or the Comptroller General of the United States. In order to meet those standards you must have complied with a number of the standards that state "should" such as external quality assurance assessments. You can always apply professional judgment based on the situation but in our opinion, "should" translates as "shall" for the Yellow Book, A.I.C.P.A. and I.I.A. standards and unless directed otherwise that would be our interpretation.


Question: The predecessor auditor of a nonprofit audit client of mine issued an unqualified "balance sheet only" auditors report, but was hired to issue an audit report on a full set of financial statements... Was it wrong for them to issue this type of report? My guess is that they wanted to please my client and not issue a disclaimer on the statement of activities... I am interested to get feedback on this...

Answer: On the surface this appears to be a straightforward issue. If the predecessor firm was hired to issue an audit report on a full set of financial statements and they did not, then it could be wrong.  Generally accepted auditing standards require the auditor's report to "contain an expression of opinion regarding the financial statements, taken as a whole." The wording "taken as a whole" indicates the opinion expressed by the auditor encompasses all financial statements. However, there may be situations as outlined at www.nysscpa.org/cpajournal/old/16762553.htm where a CPA may issue an opinion on the balance sheet only. IMO however if the predecessor CPA contracted to conduct a full financial audit but only issued an opinion on the balance sheet then you would want to know the reasons why. That may be a determining factor in whether or not you accept the engagement. At the least you should check with both the A.I.C.P.A. and your state society in regards to this issue.


Question: I am looking for a Yellow Book Standards - checklist. If anyone knows where I could look to get the information please let me know

Answer: The Texas State Auditors Office has a Yellow Book Checklist available at http://www.sao.state.ut.us/resources/ybchecklist.pdf


Question: Our Audit Department is considering a shift from the traditional audit approach to one of consulting. Where can I obtain data on the development of this audit approach?

Answer: The recently revised IIA Standards include consulting activities in the definition of Internal Auditing. You should research the IIA site at www.theiia.org for more detailed information on consulting services. The IIA Standards are mute on Internal Auditing Departments totally becoming consultants. Per the Standards, the nature of consulting services provided to an organization and to third parties should be defined in the audit charter.

In our research, experience, and contacts, Internal Audit Departments are implementing consulting service in various ways. We know of no Internal Auditing Department that is totally consulting. You can search the Internet for Departments that have implemented consulting services, reviewing their available information, or contacting them to find out how they implemented consulting and why they did it that way. One interesting way we know of is at Virginia Commonwealth University at www.vcu.edu/iaweb/iam_welc.html.


Question: I just assumed the role of Internal Audit Manager in my company. At the same time, I have also been assigned other responsibilities including management reporting and acting as an investor relations manager. How can I explain to management that by having dual roles, I won't be able to carry out my work freely and objectively as the Company's internal auditor?

Answer: Make them aware of the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors. The Standards are being revised and updated and should be formally approved by the end of 2000. Here is a link to the new standard on Independence:


Question: We are currently in the process of restructuring our audit organization for a state agency. The audit function as perceived includes two distinct functions: an internal audit function basically engaged in performance and operational audits, and an external function engaged in audits of contractors doing business with the agency.

My question is this - organizationally should these functions be separated (under two supervisors)? Are there any independence issues involved in the organizational placement of these functions? It has been our experience in most similar agencies across the country these functions are separate and distinct. Is there a standard or precedent for this?

Answer: As a governmental organization, your audit activities are governed by the "yellow book" the government auditing standards, published by GAO. Check out section 3.11 of the standards covering independence.

There are always questions of independence involved in the organizational placement of any auditing function. Organizationally, these functions should be set up to maximize independence and operational efficiency. If experience shows that "in most similar agencies across the country these functions are separate and distinct", then there are probably good reasons for making them separate and distinct. You may want to contact a few of these other agencies with strong audit reputations to discuss this issue with them.


Question: According to the internal audit standards, can an internal auditor of an electric utility that reports to the Electric System Director instead of the Executive Director be independent? Assume that the Company that I am referring to has an Internal Audit Office which reports to the Executive Director and the Board of Directors. Are auditors that do not pertain to such an office considered to be independent?

Answer: To answer the question of whether the auditor is independent requires more information. The Standards state that "Internal auditors are independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through organizational status and objectivity".

In your example, the auditor who is not a part of the Internal Audit Office appears to be reporting to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations. The key is whether the Electric System Director allows the auditor to operate independently. If not, then the auditor is not independent. The auditor's appearance of independence would be enhanced if there were a written statement, signed by the Electric System Director or the Executive Director, which requires that the auditor be allowed to operate independently. Another way to ensure independence is for the work of the auditor to be reviewed by the Internal Audit Office on a periodic basis.


Question: Are there any generally accepted standards similar to GAAP for information systems?

Answer: The closest thing to GAAP for information systems is the COBIT project sponsored by the Information Systems Audit and Control Foundation.

"The mission and objective of the COBIT® project:

To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted IT Control Objectives for day-to-day use by business managers as well as security, control and audit practitioners.

COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners."

The COBIT project web site (http://www.isaca.org/cobit.htm) contains the following materials you can download for free to your computer:

- Executive Summary - Consists of an Executive Overview (which provides senior Management awareness and understanding of COBIT's key concepts and principles) and the Framework (which provides senior management with a more detailed understanding of COBIT's key concepts and principles, and identifies COBIT's four domains and corresponding 34 IT Processes)

- Framework - Describes in detail COBIT's 34 high-level IT control objectives, and identifies the business requirements for information and IT resources primarily impacted by each control objective.

- Control Objectives - Contains statements of the desired results or purposes to be achieved by implementing the 302 specific, detailed control objectives throughout the 34 IT Processes.

By purchasing the COBIT CD-ROM from the Foundation, you can obtain the above plus the following documents:

- Audit Guidelines - Contains suggested audit steps corresponding to each of the 34 high-level IT Control Objectives to assist information systems auditors in reviewing IT processes against COBIT's 302 recommended detailed control objectives to provide management assurance and/or advice for improvement.

- Implementation Tool - Contains Management Awareness and IT Control Diagnostics, an Implementation Guide, FAQs, case studies from organizations currently using COBIT, and slide presentations that can be used to introduce COBIT into organizations. The new Tool Set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments, and lead management to ask about each COBIT process: Is this domain important for our business objectives? Is it well performed? Who does it and who is accountable? Are the processes and control formalized?


Question: Guideline 560 of the Standards requires an external review of the internal audit department to be performed. Our company's external auditors perform a limited review of our internal audit function as part of their annual audit to determine the extent to which they will rely on our work. Would this constitute an "external review" under Standard 560?

Answer: No. As noted in Statement on Internal Auditing Standards No. 4, Quality Assurance, "these limited review procedures by independent outside auditors usually relate only to their audit of the organization's financial statements and generally would not constitute an "external review" for purposes of Guideline 560".