
Organisation requirements

1. Does the internal audit function have the right amount of competent and professional resources to provide the right blend of internal audit services to the organisation? Does this include such things as project assurance activities over high-risk projects?

2. Where the internal audit function may not have in-house resources for technical areas (for example, ICT, treasury, safety, environment, etc.), do they try to do it anyway, or obtain subject matter specialist experts?

3. Does internal audit use innovative approaches to obtain subject matter specialist experts, for example short-term guest auditors from within the business, guest auditors from other organisations or jurisdictions, longer-term rotation program within the business, specialist contractors and service providers, etc?

Insights from the chief audit executive

4. What significant assurance gaps are there in relation to the over-arching assurance framework (lines of defence)? Is the internal audit plan sufficiently co-ordinated with other internal and external assurance providers?

5. Is the internal audit function sufficiently resourced with competent and objective professionals capable of carrying out the internal audit plan? If not, what reasonable steps could be pursued?

6. What features of the audit universe cannot be reasonably covered in the internal audit plan, particularly the top five risks that internal audit may not be able to cover with its current resources?

7. What would be the result from a risk perspective if internal audit had 10% more or 10% less budget?

Past internal audit budgets

8. Do past internal audit budgets provide a reasonable basis for the current budget? Is the proposed budget mix appropriate between employee costs, co-sourcing expenses, consulting costs, investment in training, technology license costs, travel expenses, and administrative costs? What would be the result of a zero-based budgeting approach?

9. Has the organisation’s overall capital and operating spending been growing or contracting over the corresponding period, and in what proportion to the internal audit budget?

10. Have there been any significant variances in recent years between internal audit’s approved budget and its actual spending? If so, why?

Benchmarking analysis

11. Is there reasonable benchmarking information available that compares the organisation’s internal audit budget by turnover with similar internal audit activities in comparable organisations (that ‘compares apples with apples’)?

12. What is the average cost per productive audit day delivered, and how does this rate compare to peers and external service providers?

13. Does the proposed internal audit plan strike an appropriate balance between traditional assurance engagements and advisory work, with sufficient time available to accommodate management-initiated requests?

14. Is information on the benchmarking ‘spend’ or function size only considered as a guide, representing just one factor for assessing an organisation’s overall assurance coverage? Has the organisation evaluated effectiveness of all assurance activities across all lines of defence?

15. Does internal audit complete 100% of its internal audit plan in the year it is due?

Environmental assessment

16. Are there any unique features of the audit universe to be considered, with respect to geographical coverage, international operations, number of locations, extent of centralisation, business maturity, assurance arrangements, or regulatory requirements?

17. Has internal audit considered, in its environmental assessment, the velocity of risks, or the speed at which risks are likely to develop?

18. Are there any unique features of the risk profile to be considered, such as risk appetite of the board, risk management maturity, business specific risks, effects of disruptive innovation, control effectiveness, maturity level of each of the lines of defence, and the extent of collaborative reporting?

19. Has internal audit considered where new issues might surface by considering goals, objectives, budgets, forecasts, performance, and potential changes in business operations?

20. Is the internal audit function seen to be adding value to the organisation and is it raising useful well-founded recommendations, evidenced in a balanced scorecard report or similar, and reflected in a comprehensive annual report on internal audit activities and outcomes?

The killer question

Does the audit committee have a reasonable, defensible basis for informing the chief executive officer and board that the internal audit function is sufficiently resourced, with competent and objective professionals able to carry out the internal audit plan with the aim of enhancing and protecting organisational value?

 

This article is from The Institute of Internal Auditors Australia's 'The 20 Critical Question Series', which contains topics such as governance, risk management, compliance, fraud and corruption, and other relevant topics. You can reach the full series here.

 
