Here are some audit committee questions you can ask to check the adequacy of internal resources:
1. Does the internal audit function have the right amount of competent and professional resources to provide the right blend of internal audit services to the organisation? Does this include such things as project assurance activities over high-risk projects?
2. Where the internal audit function may not have in-house resources for technical areas (for example, ICT, treasury, safety, environment, etc.), do they try to do it anyway, or obtain subject matter specialist experts?
3. Does internal audit use innovative approaches to obtain subject matter specialist experts, for example short-term guest auditors from within the business, guest auditors from other organisations or jurisdictions, longer-term rotation program within the business, specialist contractors and service providers, etc?
Insights from the chief audit executive
4. What significant assurance gaps are there in relation to the over-arching assurance framework (lines of defence)? Is the internal audit plan sufficiently co-ordinated with other internal and external assurance providers?
5. Is the internal audit function sufficiently resourced with competent and objective professionals capable of carrying out the internal audit plan? If not, what reasonable steps could be pursued?
6. What features of the audit universe cannot be reasonably covered in the internal audit plan, particularly the top five risks that internal audit may not be able to cover with its current resources?
7. What would be the result from a risk perspective if internal audit had 10% more or 10% less budget?
Past internal audit budgets
8. Do past internal audit budgets provide a reasonable basis for the current budget? Is the proposed budget mix appropriate between employee costs, co-sourcing expenses, consulting costs, investment in training, technology license costs, travel expenses, and administrative costs? What would be the result of a zero-based budgeting approach?
9. Has the organisation’s overall capital and operating spending been growing or contracting over the corresponding period, and in what proportion to the internal audit budget?
10. Have there been any significant variances in recent years between internal audit’s approved budget and its actual spending? If so, why?
11. Is there reasonable benchmarking information available that compares the organisation’s internal audit budget by turnover with similar internal audit activities in comparable organisations (that ‘compares apples with apples’)?
12. What is the average cost per productive audit day delivered, and how does this rate compare to peers and external service providers?
13. Does the proposed internal audit plan strike an appropriate balance between traditional assurance engagements and advisory work, with sufficient time available to accommodate management-initiated requests?
14. Is information on the benchmarking ‘spend’ or function size only considered as a guide, representing just one factor for assessing an organisation’s overall assurance coverage? Has the organisation evaluated effectiveness of all assurance activities across all lines of defence?
15. Does internal audit 100% complete its internal audit plan in the year it is due?
16. Are there any unique features of the audit universe to be considered, with respect to geographical coverage, international operations, number of locations, extent of centralisation, business maturity, assurance arrangements, or regulatory requirements?
17. Has internal audit considered the velocity of risks, or the speed at which risks are likely to develop in its environmental assessment?
18. Are there any unique features of the risk profile to be considered, such as risk appetite of the board, risk management maturity, business specific risks, effects of disruptive innovation, control effectiveness, maturity level of each of the lines of defence, and the extent of collaborative reporting?
19. Has internal audit considered where new issues might surface by considering goals, objectives, budgets, forecasts, performance, and potential changes in business operations?
20. Is the internal audit function seen to be adding value to the organisation and is it raising useful well-founded recommendations, evidenced in a balanced scorecard report or similar, and reflected in a comprehensive annual report on internal audit activities and outcomes?
The killer question
Does the audit committee have a reasonable, defensible basis for informing the chief executive officer and board that the internal audit function is sufficiently resourced, with competent and objective professionals able to carry out the internal audit plan with the aim of enhancing and protecting organisational value?
This article is from The Institute of Internal Auditors Australia's' 'The 20 Critical Question Series', which contains topics such as governance, risk management, compliance, fraud and corruption, and other relevant topics. You can reach the full series here.
Like this post? Let us know if you would like to read more about what internal audit questions to ask your committee.
Protecht.ERM helps audit managers gain efficiencies by supporting all stages of the internal audit function. Learn more.