Section I: Managing the

Internal Audit Activity

20%
Three Topics in Section I
1. Internal Audit Operations
2. Establishing a Risk-based Internal Audit
Plan
3. Communicating and Reporting to Senior
Management and the Board
 Managing the
Internal Audit Activity
Standard 2000: Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to
ensure it adds value to the organization.

Interpretation:
The internal audit activity is effectively managed when:
• It achieves the purpose and responsibility included in the internal audit
charter.
• It conforms with the Standards.
• Its individual members conform with the Code of Ethics and the Standards.
• It considers trends and emerging issues that could impact the organization.
The internal audit activity adds value to the organization and its stakeholders
when it considers strategies, objectives, and risks; strives to offer ways to
enhance governance, risk management, and control processes; and
objectively provides relevant assurance.
Internal Audit Operations
The operational role of internal auditing is to
make sure that:
• Engagements have been properly planned
for,
• The IAA has the resources (human and
financial) to carry out the engagements, and
• The results of the engagements are
communicated to those who can take action.
Standard 2040: Policies and Procedures
The chief audit executive must establish policies and
procedures to guide the internal audit activity.

Interpretation:
The form and content of policies and procedures are
dependent upon the size and structure of the internal
audit activity and the complexity of its work.
Practice Advisory 2040-1: Policies and Procedures
The chief audit executive develops policies and
procedures. Formal administrative and technical audit
manuals may not be needed by all internal audit
activities. A small internal audit activity may be
managed informally. Its audit staff may be directed and
controlled through daily, close supervision and
memoranda that state policies and procedures to be
followed. In a large internal audit activity, more formal
and comprehensive policies and procedures are
essential to guide the internal audit staff in the
execution of the internal audit plan.
Formulating Policies
and Procedures
As the IAA gets bigger, the CAE will not be
able to do everything him/herself and
more will be delegated.

Therefore, they will need to document as

much as possible what is to be done and
how it is to be done.
The Internal Audit Manual
In a large enough organization there will be
a ‘book’ of these policies and procedures
and guidance
Will cover ‘everything’ from the Charter to
performance reviews and evaluations.
Can make reference to the IIA Standards
and Implementation Guides (or other
sources of guidance).
Sample Internal Audit Manual Contents
Part 1 – Policies, Standards & Guidelines
1. Introduction
2. Policies & Standards of Internal Audit
(including Internal Audit Charter)
3. Internal Control Framework
4. Organizing Internal Audit (including structure,
services, types of audit and budget)
5. Performance Monitoring and Evaluation
(including KPI)
Sample Internal Audit Manual Contents
Part 2 – Practices (Risk-based Approach & Methodologies)
1. Strategies & Annual Work Planning
2. Conducting Internal Audit Assignments
3. Preparing Internal Audit Report
4. Audit Tools and Techniques
5. Advisory Services & Approach
6. Quality Assurance and Improvement
7. Follow up on Audit Recommendations
8. Reporting to Audit Committee
9. Personnel and Training
No Set Form for Manual
The manual will vary greatly from
organization to organization.
Planning
The CAE is also responsible for planning
the work of the internal audit activity.
Standard 2010: Planning
The chief audit executive must establish risk-based plans to
determine the priorities of the internal audit activity and to
make certain that they are consistent with the organization’s
goals.
Interpretation:
To develop the risk-based plan, the chief audit executive
consults with senior management and the board and obtains
an understanding of the organization’s strategies, key business
objectives, associated risks, and risk management processes.
The chief audit executive must review and adjust the plan, as
necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.
Categories of Plans
The overall planning process is broken
down into four smaller categories that the
CAE is responsible for:
• Goals
• Engagement work schedules
• Staffing plans and financial budgets
• Activity reports
Setting Goals
Specific: Goals should be specifically defined.
Measurable: The method of measuring the
goals should be defined.
Agreed to: All interested parties need to agree
to the goals.
Realistic and Achievable: Realistic and
achievable goals keep expectations reasonable.
Timely: Goals should have specific completion
dates.
Risk Assessment in Planning
One of the significant inputs into the
planning process is the risk management
process.
Administrative Activities of
the Internal Audit
Department
Administrative Activities
The administrative activities of the internal
audit activity will be wide and varied.
One of the most important administrative
duties is connected to human resources
within the internal audit activity.
Developing Work Schedules
The planning process and specific work
schedules for engagements should include
the following:
• Which engagements should be performed
• When engagements should be performed
• The time required for each engagement
• Which engagements should receive
priority over other engagements
Managing Resources
Standard 2030 – Resource Management
The chief audit executive must ensure that internal audit
resources are appropriate, sufficient, and effectively
deployed to achieve the approved plan.
Interpretation:
Appropriate refers to the mix of knowledge, skills, and
other competencies needed to perform the plan.
Sufficient refers to the quantity of resources needed to
accomplish the plan. Resources are effectively
deployed when they are used in a way that optimizes
the achievement of the approved plan.
Appropriate, Sufficient and
Deployed
The right people with the right skills being
used in the right manner.
Short and Long-Term View
The CAE needs to oversee the assignment of
individual staff to the engagements with both a
short-term and long-term view.
In the short term, all of the jobs need to be staffed
by qualified and capable internal auditors so
that the job can be completed to the highest
level.
In the long term, however, the staff needs to be
assigned to jobs that will allow them to grow
and become more senior auditors.
Considerations in Assigning Staff
Some factors to consider when assigning
staff to individual engagements are:
• The complexity of the engagement
• The resources that are available in the
IAA
• The experience (skill level) of the staff
• The training and developmental needs of
the audit staff
Practice Advisory 2030-1: Resource Management
1. The chief audit executive (CAE) is primarily responsible for
the sufficiency and management of internal audit
resources in a manner that ensures the fulfillment of
internal audit’s responsibilities, as detailed in the internal
audit charter. This includes effective communication of
resource needs and reporting of status to senior
management and the board. Internal audit resources may
include employees, external service providers, financial
support, and technology-based audit techniques. Ensuring
the adequacy of internal audit resources is ultimately a
responsibility of the organization’s senior management
and board; the CAE should assist them in discharging this
responsibility.
2. The skills, capabilities, and technical knowledge of the internal
audit staff are to be appropriate for the planned activities. The
CAE will conduct a periodic skills assessment or inventory to
determine the specific skills required to perform the internal audit
activities. The skills assessment is based on and considers the
various needs identified in the risk assessment and audit plan.
This includes assessments of technical knowledge, language
skills, business acumen, fraud detection and prevention
competency, and accounting and audit expertise.
3. Internal audit resources need to be sufficient to execute the audit
activities in the breadth, depth, and timeliness expected by
senior management and the board, as stated in the internal audit
charter. Resource planning considerations include the audit
universe, relevant risk levels, the internal audit plan, coverage
expectations, and an estimate of unanticipated activities.
4. The CAE also ensures that resources are deployed effectively.
This includes assigning auditors who are competent and
qualified for specific assignments. It also includes developing a
resourcing approach and organizational structure appropriate
for the business structure, risk profile, and geographical
dispersion of the organization.
5. From an overall resource management standpoint, the CAE
considers succession planning, staff evaluation and
development programs, and other human resource disciplines.
The CAE also addresses the resourcing needs of the internal
audit activity, whether those skills are present or not within the
internal audit activity itself. Other approaches to addressing
resource needs include external service providers, employees
from other departments within the organization, or specialized
consultants.
6. Because of the critical nature of resources, the CAE
maintains ongoing communications and dialog with
senior management and the board on the adequacy of
resources for the internal audit activity. The CAE
periodically presents a summary of status and adequacy
of resources to senior management and the board. To
that end, the CAE develops appropriate metrics, goals,
and objectives to monitor the overall adequacy of
resources. This can include comparisons of resources to
the internal audit plan, the impact of temporary shortages
or vacancies, educational and training activities, and
changes to specific skill needs based on changes in the
organization’s business, operations, programs, systems,
and controls.
Directing the Budget of IAA
The budget is driven by the internal audit
plan, the organizational structure and
the staffing strategy.
The CAE needs to carefully analyze the
funds that are available and the needed
funding to accomplish the objectives of
the IAA.
What is in the Budget
All of the activities that are needed to
accomplish objectives:
• Paying staff
• Training and staff development
• Hiring external specialists as needed
• Any other expenses that the department
will incur in the performance of its duties
Managing the People
in the IAA
Managing the HR Element
Perhaps the most important because, without the
right people, it will be difficult.
Need to know what skills are currently needed and
what skills WILL be needed.
• Determine if they will be developed internally,
outsourced, or if a new person needs to be hired
• Requires looking into the future to project what
the company will be doing and what the IAA will
do.
Getting the Needed Resources
There are different ways top have the
needed skills:
• Full time internal auditor
• Outsourced external specialist
• Use non-IA internal resources of the
company to help in busy season.
Job Descriptions
An important basis for the recruitment and
promotion of staff is the job description.
Job descriptions should be established for
all positions, listing the necessary skills
and requirements for the position.
With detailed and complete job
descriptions, the CAE has an easier time
determining if the IAA is properly staffed.
Training Staff
Training needs to be provided with the goal
of giving the staff the necessary skills to
perform their jobs in the short term and
also to develop and broaden their skills
for their long-term development.
Individuals often see training as a benefit,
and a well-developed training program is
an excellent recruiting tool for the
company.
Developing Staff
Counseling, or mentoring, is an important
element of staff development.
The CAE has a responsibility for counseling
and assisting staff members in their
growth in the organization.
Evaluating Staff
Performance evaluations should be
performed at least annually, or more
often if needed.
The performance evaluations need to focus
on the skills that are necessary for the
individual to perform his or her work
and for IAA as a whole to perform its
duties.
Interviewing Candidates
Whether hiring from inside or outside the
organization, a strong interview process
greatly increases the chances of a
successful hire.
The Interviewers
As part of the hiring process, a number of
members of the internal audit staff may be
involved in interviewing candidates.
Interviewing “Stages”
It is common for the first interview to be a
shorter interview conducted by the HR
department to assess whether the candidate
meets the minimum requirements.
This may be followed by a couple of interviews
with internal audit managers and/or staff.
If these interviews are completed satisfactorily,
the CAE will usually conduct the final
interview.
What to Assess
Throughout the interview process, the interviewer
needs to asses a number of areas about the
candidate. Among them are:
• Does the candidate have the necessary skills for
the position?
• Does the candidate have the required
experience and/or education?
• How will the candidate fit in with the internal
audit department and also the corporate culture
as a whole?
Interviewing Questions
Should ask:
• Questions that are open ended, will allow the
person to answer more than “yes” or “no”.
• What they would do in different situations.
• Detailed questions about their experience and
anything in their experience that might be
relevant to the job that they are interviewing for.
• The difficult questions about things that the
candidate may not want to talk about.
Interview Answers
• The interviewer should not interrupt the
answers of the candidate unless the answer is
not at all related to the question.
• The interviewer also needs to be able to use the
information that they learn during the interview
to potentially change, or add, questions that
they plan to ask.
• Non-verbal cues from the candidate may also be
as important as the spoken answers that they
give.