Protecht.ERM Showcase: Manage all your risks with an easy to use and configurable system (Thu 27/08 10am BST)
Register Now

Organisation requirements

1. Does the internal audit function have the right amount of competent and professional resources to provide the right blend of internal audit services to the organisation? Does this include such things as project assurance activities over high-risk projects?

2. Where the internal audit function may not have in-house resources for technical areas (for example, ICT, treasury, safety, environment, etc.), do they try to do it anyway, or obtain subject matter specialist experts?

3. Does internal audit use innovative approaches to obtain subject matter specialist experts, for example short-term guest auditors from within the business, guest auditors from other organisations or jurisdictions, longer-term rotation program within the business, specialist contractors and service providers, etc?

Insights from the chief audit executive

4. What significant assurance gaps are there in relation to the over-arching assurance framework (lines of defence)? Is the internal audit plan sufficiently co-ordinated with other internal and external assurance providers?

5. Is the internal audit function sufficiently resourced with competent and objective professionals capable of carrying out the internal audit plan? If not, what reasonable steps could be pursued?

6. What features of the audit universe cannot be reasonably covered in the internal audit plan, particularly the top five risks that internal audit may not be able to cover with its current resources?

7. What would be the result from a risk perspective if internal audit had 10% more or 10% less budget?

Past internal audit budgets

image-from-rawpixel-id-146482-jpeg8. Do past internal audit budgets provide a reasonable basis for the current budget? Is the proposed budget mix appropriate between employee costs, co-sourcing expenses, consulting costs, investment in training, technology license costs, travel expenses, and administrative costs? What would be the result of a zero-based budgeting approach?

9. Has the organisation’s overall capital and operating spending been growing or contracting over the corresponding period, and in what proportion to the internal audit budget?

10. Have there been any significant variances in recent years between internal audit’s approved budget and its actual spending? If so, why?

Benchmarking analysis

11. Is there reasonable benchmarking information available that compares the organisation’s internal audit budget by turnover with similar internal audit activities in comparable organisations (that ‘compares apples with apples’)?

12. What is the average cost per productive audit day delivered, and how does this rate compare to peers and external service providers?

13. Does the proposed internal audit plan strike an appropriate balance between traditional assurance engagements and advisory work, with sufficient time available to accommodate management-initiated requests?

14. Is information on the benchmarking ‘spend’ or function size only considered as a guide, representing just one factor for assessing an organisation’s overall assurance coverage? Has the organisation evaluated effectiveness of all assurance activities across all lines of defence?

15. Does internal audit 100% complete its internal audit plan in the year it is due?

Environmental assessment

16. Are there any unique features of the audit universe to be considered, with respect to geographical coverage, international operations, number of locations, extent of centralisation, business maturity, assurance arrangements, or regulatory requirements?

17. Has internal audit considered the velocity of risks, or the speed at which risks are likely to develop in its environmental assessment?

18. Are there any unique features of the risk profile to be considered, such as risk appetite of the board, risk management maturity, business specific risks, effects of disruptive innovation, control effectiveness, maturity level of each of the lines of defence, and the extent of collaborative reporting?

19. Has internal audit considered where new issues might surface by considering goals, objectiveshttps://www.iia.org.au/, budgets, forecasts, performance, and potential changes in business operations?

20. Is the internal audit function seen to be adding value to the organisation and is it raising useful well-founded recommendations, evidenced in a balanced scorecard report or similar, and reflected in a comprehensive annual report on internal audit activities and outcomes?

The killer question

Does the audit committee have a reasonable, defensible basis for informing the chief executive officer and board that the internal audit function is sufficiently resourced, with competent and objective professionals able to carry out the internal audit plan with the aim of enhancing and protecting organisational value?

 

This article is from The Institute of Internal Auditors Australia's' 'The 20 Critical Question Series', which contains topics such as governance, risk management, compliance, fraud and corruption, and other relevant topics. You can reach the full series here.

 

Protecht.ERM helps audit managers gain efficiencies by supporting all stages of the internal audit function. Learn more.

internal audit mockup

 

Related Articles

feature image
Compliance Management, Enterprise Risk Management, Protecht Culture, Compliance Professionals

It all starts with sound Risk Management

This interview was featured in the Forge Magazine. You can access the full publication here.  Too many organisations view risk management as a...
Read more
feature image
Enterprise Risk Management, Health & Safety

Aligning your Workplace, Health & Safety capability with an ERM framework

Enterprise Risk Management (ERM) is becoming increasingly accepted as an integral part of business management processes within successful...
Read more
feature image
Enterprise Risk Management, Operational Risk, Risk Professionals

Managing the War Room

One of the early observations we have made from the COVID-19 crisis experience to date relates to the operations of the war room and the crisis...
Read more