Practical Guide for

Establishing YOUR Internal Auditing Activity

Submitted by:
Carl Burch, CMA, CIA
Lecturer of Finance and Accounting
Moscow, Russia
Cburch@global.t-bird.edu

February 2009
Table of Contents

...............................................................................................................................................1
Introduction.............................................................................................................................5
Governance.........................................................................................................................................6
Risk Management...............................................................................................................................6
Control................................................................................................................................................7
Internal Audit Start-up Framework.......................................................................................8
STEP #1: Review the IIA’s Professional Practices Framework.........................................9
STEP #2: Understand stakeholders’ requirements ..........................................................11
STEP # 3: Develop an Internal Audit Charter....................................................................12
Review the Independence and Objectivity of the Internal Audit Function.......................................12
STEP #4: Develop an initial Risk Assessment for your company..................................15
STEP #5: Develop the Audit Plans .....................................................................................16
Strategic Audit Plans: .......................................................................................................................16
Annual Audit Plans:..........................................................................................................................17
STEP #6: Build the budget..................................................................................................19
STEP #7: Determine the staffing requirements.................................................................20
Building in-house: ............................................................................................................................20
Fully Outsourcing: ...........................................................................................................................20
Partial Outsourcing: .........................................................................................................................20
Drafting Job Descriptions: ...............................................................................................................22
STEP #8: Establish a plan for the development of Staff..................................................23
STEP #9: Communicate the existence of the Internal Audit Function in the Company
................................................................................................................................................24
STEP #10: Establish a quality assurance program .........................................................25
Quality Program Assessment: ..........................................................................................................25
Appendix A ...........................................................................................................................27
16-steps to establishing an Internal Audit Shop................................................................................27
Appendix B ...........................................................................................................................29
Summary Outline of The IIA Standards............................................................................................29
Appendix C ...........................................................................................................................35
The IIA’s Code of Ethics...................................................................................................................35
Appendix D ...........................................................................................................................38
Audit Committee Charter - Sample..................................................................................................38
Appendix E ...........................................................................................................................41
Sample Internal Audit Charter .........................................................................................................41
Appendix F ...........................................................................................................................44
Schedule of Audit Coverage 2007-09 - Sample................................................................................44
Appendix G...........................................................................................................................46
Job (Position) Descriptions for Internal Auditing Staff....................................................................46
Appendix H............................................................................................................................50
Internal Auditing Department Evaluation Form – Sample ..............................................................50

3
4
Introduction
The perception of internal auditing has certainly gone through some drastic changes over the past
decade or so. To a great extent (unfortunately) this change in perception is owed to the accounting
scandals that occurred at the beginning of this century. It seems true that change comes about only
when unfortunate incidents occur.

These accounting scandals brought attention to the importance of the internal auditing activity for all
companies, both private and public. The term internal auditing meant, for most people, inspectors who
went around and checked off and checked on the accuracy of numbers. To most this seems, or seemed
pretty boring. Thus, because it was probably not the most prestigious profession it didn’t get a whole lot
of attention. However, this negative connotation has changed to the point were internal auditing is now
one of the more sought after accounting professions.

The Institute of Internal Auditing (IIA) defines the Internal Audit Activity (IAA) as

“an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. The IAA is intended to help the organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.”1

Based on the above definition the scope of internal auditing includes:

1) Ensuring results are consistent with established objectives and goals, and operations or
programs are carried out as planned.

2) Ensuring economical and efficient use of resources.

3) Safeguarding assets.

4) Ensuring compliance with organizational policies, contracts, laws, and regulations.

5) Appraising the reliability and integrity of financial information by evaluating the means
developed by management to identify, classify, measure, and report such information.

It’s obvious that the scope of internal auditing has evolved way beyond simply inspecting or as some
would say - bean counting. The increased role of the internal auditor can be attributed to the increased
complexity and sophistication of businesses and government operations. Managers realize they are
having more and more difficulty keeping track of what’s going on in their operations, so they need
someone who’s able to help them make sense of what’s going on. This someone most often turns out to
be the organization’s internal auditor. Who in the organization is in a better position to know what’s
going on than the internal auditor?

Based on the internal auditor’s expanded role you could then argue that the term “internal auditing” or
“internal auditor” does not really properly describe the activity as defined by the IIA. Although, not all in
the accounting profession are completely content with the term “internal auditing” a suitable
replacement has still not been found. But, the purpose of this document is not to critique the term
“internal auditing” but rather to walk you through the process of getting your internal auditing function
off the ground.

1
Institute of Internal Auditors, The professional Practices Framework of Internal Auditing (Altamonte Springs, Florida:
The Institute of Internal Auditors, 2004), xxvii.

5
There are many different reasons why your organization needs to establish an activity within your
organization called Internal Auditing. Perhaps, the reason is for greater assurance for financial reporting
purposes, or perhaps, it’s to meet regulatory requirements, but whatever the reason, internal auditing is
a function that can help your organization accomplish its business objectives. It is the accomplishment
of objectives that separate the successful, and less successful companies.

At the beginning of this document, we mentioned that internal auditing helps organizations accomplish
their objectives through the improved effectiveness of their risk management, control and
governance processes. These processes are grouped together because of their interrelatedness. This
means you cannot review and evaluate any one process without having it related to the others. At this
point, we don’t want to get into too much discussion about these processes; that can come later, but it
is important that you be familiar with each term. Governance is the most general term so we’ll start with
it first. You just need to remember that without proper governance, everything else is moot (or
meaningless).

Governance
The IIA defines governance as “the system by which organizations are directed and controlled.” In
addition, the IIA goes on to say “governance includes the rules and procedures for making decisions on
corporate affairs to ensure success while maintaining the right balance with the stakeholders’ interest.”

The four cornerstones of corporate governance are the board, executive management, external auditors,
and, of course our favorite, internal auditors. The internal audit function is included as a cornerstone
because of its commitment to the improvement of governance. It does this by:2

1) Promoting appropriate ethics and values within the organization.

2) Ensuring effective organizational performance management and accountability.

3) Effectively communicating risk and control information to appropriate areas of the organization.

4) Effectively coordinating the activities of the communicating information among the board,
external and internal auditors, and management.

Risk Management
Risk management is all about identifying, assessing, and managing risks that companies face. When we
talk about risk, we generally think of risk in the negative connotation, for example, the negative impact
something is going to have on the organization. But the risk is not always negative, risk can also be
positive as well. For example, if a company produces a new product, there’s the risk that the new
product will fail. On the other hand, there’s also the opportunity that the new product will succeed and
be profitable for the company. This opportunity is considered to be a risk.

In regards to risk management, the IIA has identified five key objectives in the risk management
process. These five objectives are:3

1) Risks that arise from business strategies and activities are identified and prioritized.

2) Management and the board have determined the level of risk acceptable to the organization.

3) Risk mitigation (reduction) activities are designed and implemented to reduce, or otherwise
manage, risk at levels that are acceptable.

2
Standard 2130.
3
Practice Advisory 2110-1.

6
 4) Risk is periodically reassessed on an ongoing basis.

5) Reports are given periodically to the board and management on the results of the risk
assessment process.

Control
Control in its most basic sense is a force that leads to something happening or not happening. It is
through control that management is able to achieve its wishes.

The IIA says that control is

“Any action taken by management to enhance the likelihood that established objectives and
goals would be achieved. Controls may be preventive (to deter undesirable events from
happening), detective (to detect and correct undesirable events which happen), and directive
(to cause or encourage a desirable event to happen). The concept of a system of control is the
integrated collection of control components and activities that are used by an organization to
achieve its objectives and goals.”

Below are the more common types of controls.

Preventive: Segregation of duties, suitable authorization of transactions, checking the credit

worthiness of customers before goods are shipped.

Directive: Managers of a construction company instructing project managers to hire local workers
in order to create a favorable image in the communities in which the company operates. Requiring
internal auditing staff to be certified, possibly as a CIA (Certified Internal Auditor), or CPA (Certified
Public Accountant), or some other certification.

Detective: Bank reconciliations, checking for missing document numbers in pre-numbered

documents, performing variance analysis.

There are other definitions of control but you simple need to remember that controls are adequate and
useful if they help your organization achieve its objectives.

Now that we have reviewed the basics of internal auditing, it’s time to start laying the foundation for
creating your internal auditing function. For this is the ultimate the purpose of this Paper.

So, “Where do you begin?”

You begin by understanding that the internal audit activity can be anything you want it to be, as
long as you have the support of the board and senior management. The critical phrase here is: “as long
as you have the support of the board and senior management.” Getting and maintaining their support
will be the most critical and hardest issue facing you and your department. It’s obvious that without
their strong support your chance of success will be severely diminished.

7
Internal Audit Start-up Framework
We believe building a successful internal auditing function is a 10-step process. IIA developed its own
16-step process, but we believe our 10-step process is enough to get you to the point were you are able
to plan and conduct an engagement.

We first layout the steps and then discuss each one in detail. The 10 steps are:

1) Review the IIA’s Professional Practices Framework.

2) Understand stakeholders’ requirements.
3) Develop an Internal Audit Charter.
4) Develop a risk assessment for your organization.
5) Develop the Internal Audit Plans.
6) Build the Internal Audit budget
7) Develop a staffing plan
8) Develop a plan for training, staff development and evaluations.
9) Communicate the existence of the internal audit function within the company.
10)Establish quality assurance program.

Note: See Appendix A for a listing of the IIA’s 16-step process for creating an internal audit function.

Now, we begin………

8
STEP #1: Review the IIA’s Professional Practices Framework
The best place to begin our journey is by first reviewing the IIA’s Professional Practices Framework. By
definition, any profession needs to hold its members to a high and consistent level of behavior, and the
profession of internal auditing is no different. Based on this, the IIA promulgates the Professional
Practice Framework that is used as a guide for internal auditors in the performance of their work.

The three categories of guidance are:

1) The International Standards for the Professional Practice of Internal Auditing (Standards),

2) Practice Advisories, and

3) Code of Ethics.

Note: A summary of the IIA Standards and Code of Ethics are shown in Appendices B and C.

Together these documents are considered to be essential for the professional practice of internal
auditing.

The Standards are the criteria by which internal auditors should perform their duties in an organization.
There is nothing specifically mentioned by regulators (i.e., PCAOB, NYSE, etc.)4 in regards to following
the IIA Standards, however, given the standing of the IIA as the leading global professional organization
for internal auditors it simply makes sense that you would want to follow their guidelines. Let’s look at
the example below.

Let’s say your company is planning an IPO (Initial Public Offering) to be offered on the NYSE.

One of the requirements of the NYSE is that listed companies have an internal audit function.5

The NYSE states:

“Listed companies must maintain an internal audit function to provide management and the audit
committee with ongoing assessment of the company’s risk management processes and system of
internal controls. A company may choose to outsource this function to a third party service
provider other than its independent auditor.”

Because your company is going public you also need to consider the requirements of the
Sarbanes-Oxley Act of 2002 (SOX). The enactment of SOX was in direct response to the
accounting scandals at the beginning of the last century. Even though SOX has no requirement for
the existence of an internal audit function, it’s perceived that internal auditors can assist
management in meeting their responsibilities of Sections 302 and 404.

Section 302: This section requires management to evaluate and report on the effectiveness of
disclosure controls and procedures with respect to the quarterly and annual financial reports.

Section 404: This section requires management to document and evaluate the design and
operation, and report on the effectiveness of its internal control over financial reporting.

4
PCAOB (Public Company Accounting Oversight Board), NYSE (New York Stock Exchange).
5
Having an internal audit function does not necessarily mean having to have an actual department in the organization. It’s
possible that the function could be outsourced to a service provider.

9
 Again, the regulations only mention about the need to have an internal audit function,
nothing about following the Standards. But, remember the Standards provide guidance
to be in compliance with regulations.

The Standards have the following four purposes:

1) Outline the basic principles that represent the practice of internal auditing, as it should be.

2) Provide framework for performing and promoting a board range of value added internal auditing
services.

3) Establish the basis for the evaluation of internal auditing performance.

4) Foster (support) improved organizational processes and operations.

The IIA Practice Advisories represent the “best practices” of implementing the Standards. The Practice
Advisories are not mandatory and do not represent all of the considerations that may be necessary
when applying them, but they are simply the recommended stet of items that should be addressed or
followed.

Finally, there are the IIA’s Code of Ethics. Whereas the Standards provide guidance for internal auditors
in the performance of their duties, The Code of Ethics provides an ethical guide for the conduct of
internal auditors.

10
STEP #2: Understand stakeholders’ requirements
For this stage we are trying to answer the question, “How can the internal audit activity “best” serve the
organization?”

In order to answer this question, you need to do a lot of information gathering, and part of this process
is to understand the stakeholders’ requirements. To better understand the stakeholders’ requirements
you can do the following:

• Interview senior management and member of the audit committee. This gives you a
chance to start building a rapport with the top. As we have already said, without their full and
un-mitigating support, the chances of your success are severely diminished. You want to ensure
that they have a clear understanding of the internal audit function. You can then clarify their
expectations.

• Review the audit committee’s Charter. You want to have clearer understanding of the audit
committee’s responsibility regarding internal auditing (see below).

Note: See Appendix D for a sample Audit Committee Charter.

- Review with management and the chief audit executive the charter, activities, staffing,
and organizational structure of the internal audit function.

- Have final authority to review and approve the annual audit plan and all major
changes to the plan.

- Ensure there are no unjustified restrictions or limitations, and review and concur in the
appointment, replacement, or dismissal of the chief audit executive.

- At least once per year, review the performance of the CAE and concur with the annual
compensation and salary adjustment.

- Review the effectiveness of the internal audit function, including compliance with The
Institute of Internal Auditors' International Standards for the Professional Practice of
Internal Auditing.

- On a regular basis, meet separately with the chief audit executive to discuss any
matters that the committee or internal audit believes should be discussed privately.

•Meet with the external auditor. The external auditors would be in a good position to advise you
on some of the problems they have identified during their own reviews. Coordination between the
internal and external auditors is an important issue for the internal auditing function and this is a
good method to start developing a good, working relationship.

•Meet with other stakeholders, including operations managers. During these meetings you
can get a better feel for their risks and concerns.

11
STEP # 3: Develop an Internal Audit Charter
After gathering all of the necessary information during the second stage, you should now be in a position
to develop the Internal Audit Charter.

During this stage you will be working with the board and senior management to articulate the mission
for internal audit.

It is the Charter that lets internal auditors do their work. It will probably be the CAE to write up the draft
Charter, but for it to mean something it has to be approved by senior management and accepted by the
audit committee. After its approval and acceptance, it then needs to be communicated to people within
the company.

The Charter should define the following items in respect to the internal audit activity:

1) The scope of the services (i.e., assurance and consulting) and work to be performed,

2) The objectives of the function,

3) The authority of the function to access records, personnel and physical properties in the
organization,

4) The accountability of the function, and

5) The responsibility of the function.

Note: See Appendix E for a sample Internal Audit Function Charter. This sample Charter was adapted
from the one posted on the IIA website (www.theiia.org).

Of course, no Charter can possibly encompass all of the activities that could be possible, so when
tailoring your Charter, just make sure it fits your company’s needs. Also, you need to recognize that
even though the Charter is a formal and approved document (approved by senior management and
accepted by the audit committee), it is not a document that is unchanging. In the beginning you should
review the document at least annually (and more often as circumstances may require) to ensure that it
is still relevant and addresses the needs and issues that the organization and the internal audit activity
are facing. It may be good to include all of the activities you think you might want the internal audit
function be involved in, in the coming two to three years. This does not mean you have to do these
activities, only that you could if the need arose.

One of the important things to remember when developing the Charter is to make sure that your
function maintains its independence and objectivity. We look at these terms below.

Review the Independence and Objectivity of the Internal Audit Function

Independence:
The function is a unique function within the organization. It is not part of the organization’s regular
management structure and as such does not play a management role within the organization. Ideally,
you want the internal audit activity to functionally report to the Audit Committee of the Board of
Directors, and administratively to the CEO or some other designated management person.

Why is this? As with external auditors, internal auditors need to be protect their independence from any
undue internal management pressure. This means that the internal auditor should be able to perform its

12
work freely and objectively without having to worry about individuals or groups within the organization
influencing or affecting what it is trying to do. Functionally reporting to the Audit Committee or some
other governing authority means that they are responsible for:

•Approving the function’s Charter.

•Approving the internal audit risk assessment and related audit plan,

•Receiving communications from the CAE on the results of the function or other private meetings
with the CAE without management present.

•Approving decisions regarding the appointment or removal of the CAE, and

•Making appropriate inquiries of management and the CAE to determine whether there are scope or
budgetary limitations that impeded the ability of the function to execute its responsibilities.

Now, when we are talking about independence, we know that you are not go to be as independent as
say your company’s external auditor because, one, it is management that is going to be involved in the
approval of your budget, and two, if you need to buy some office supplies, you’re not going to go to the
audit committee to get approval for the expenditures. For issues like this you should go to someone in
administration, perhaps the chief financial officer.

Administrative reporting typically would include:

•Setting the budget for the function,

•Having the HR department administer personnel evaluations and compensation,

•Monitoring internal communications and information flows, and

•Administering the organizations internal policies and procedures.

The idea of independence is not to be taken lightly. It’s this idea of independence that differentiates
internal auditing from the other departments within your organization.

When looking at independence you might want to consider seeking some external assistance in making
sure the function is truly, as best it can, independent. External auditors might be in a good position to
review the independence and objectivity of the internal audit activity. To some extent, external auditors
also have some sake in the establishment of a well-run internal audit function. It’s possible that the
external auditors may rely on some of the work of the internal auditors; so therefore, they want to have
some comfort that the work of the internal auditors is not being manipulated. But their willingness to
rely on some of the work will be diminished if they feel the internal audit function lacks independence, or
objectivity.

Objectivity:
What we mean by objectivity is that you, as an internal auditor, have to be able to remain objective
when conducting your work. You should

1) Impartial.

2) Have an unbiased attitude, and

3) Avoid conflicts of interest.

13
Being objective means that the conclusions or opinions that you are drawing are based solely on facts at
hand, and are not influenced by feelings, emotions, relationships with others, monetary bribes or any
other outside influence.

Impairment of Objectivity:
When we talk about objectivity you need to keep in mind others perception of whether the internal
auditor is being objective or not. For example, if the internal auditor accepts a gift or money of
significant value from the client, objectivity would be perceived to be impaired even if the auditor, in
fact, was objective.

Also, objectivity is assumed to be impaired if an auditor performs an assurance review of any activity
over which he or she has recently had responsibility. Individuals who are assigned to or transferred to
your department should not audit areas where they worked until a reasonable period of time has
elapsed. Based on the IIA Standards, the amount of time is about one year.

14
STEP #4: Develop an initial Risk Assessment for your company
Risk assessment is the systematic process of assessing and integrating professional judgment about
probable adverse conditions and/or events. The questions should always be asked: What could go wrong
here? What assets do we need to protect? By answering these questions you can then understand the
means of controlling the risks.

The COSO study, Internal Control-Integrated Framework, summaries risk assessment in the following
way:6

“Every entity faces a variety of risks from external and internal sources that must be assessed.
A pre-condition to risk assessment is the establishment of objectives, linked at different levels
and internally consistent. Risk Assessment is the identification and analysis of relevant risks to
achievement of objectives, forming a basis for determining how the risks should be managed.
Because economic, industry, regulatory and operating conditions will continue to change,
mechanisms are needed to identify and deal with the special risks associated with change.”

The assessment of risks starts by developing the “audit universe,” or list of all auditable entities. This
would be a compilation of the subsidiaries, business units, departments, groups, processes, or other
established subdivisions of an organization that exist to manage one or more business risks.

The assessment of risk involves determining the volume of transactions and the average dollar amount
per transaction, the dollar value of assets that are exposed to loss, as well as the probability that a loss
will occur.

The company objectives must be established before risks can be assessed. Risk assessment forms the
basis for determining how risks (both internal and external) should be managed.

•External risks include changes in technology, changes in the market in which an entity operates,
new legislation bringing new requirements, natural disasters, economic changes, a failure of a key
supplier, or being sued, defrauded, or robbed.

•Internal risks include employee embezzlement accompanied by falsification of records to conceal

the theft; lack of compliance with government regulations; or other illegal acts by employees, such
as taking a bribe. Internal risks can also include disruption in computer systems, poor management
decisions, errors, or accidents. Changes in management responsibilities can affect control activities;
and an ineffective board or audit committee may leave openings for fraudulent actions on the part of
anyone within the company.

6
Committee of Sponsoring Organization of the Treadway Commission, Internal Control-Integrated Framework,
Executive Summary, page 3.

15
STEP #5: Develop the Audit Plans
Based on the IIA Standards7

“The CAE should establish risk-based plans to determine the priorities of the internal audit
activity, consistent with the organization’s goals.”

The function of the audit plan is to put into writing the audit goals, schedules, staffing needs, and
reporting. The plan should also demonstrate that audit resources are used efficiently and effectively.
Based on this, we can see that audit plans are a good method of promoting internal auditing in the
company.

Even though, audit plans are designed to act as a guide or roadmap for your company when you do the
audits, you need to remember that the plans are not written in stone and might be modified during an
audit if circumstances require it.

The audit plan should be prepared at least annually, but it is highly recommended to develop
strategic audit plans as well. The primary purpose of the strategic plans is to ensure sufficient internal
audit coverage.

Strategic Audit Plans:

Strategic means in the future, so this plan would show your audit coverage going out two, three or more
years. Developing this long-term plan is something you should not take lightly.

Sawyer8 identifies 6 purposes of the strategic plan. These are:

1) To provide a guide for your internal audit department,

2) To provide a basis for your budget request,

3) A way of involving management and the board in audit planning,

4) Provides the standard by which you can measure the accomplishments of your department,

5) A means to show management and the board that your department is under competent control,
and

6) A notice to the external auditor of proposed audit coverage.

Sawyer9 also outlined some of the basic elements that every strategic plan should contain. These
elements are:

1) All the operations of the company should be analyzed for auditability and potential risks.

2) Each organizational component should be analyzed as to specific objectives, performance

standards, and controls. Proposed audit hours should be allocated each of the identifiable
elements constituting an audit project.

3) Relative risks should be assessed, taking into account the objectives of internal control set forth
in the Standards:10

7
Standard 2010.
8
Sawyer’s Internal Auditing, 5th Edition, page 945.
9
Sawyer’s Internal Auditing, 5th Edition, page 947.
10
Standard 2120.A1.

16
 •Reliability and integrity of information.

•Compliance with internal and external rules and regulations.

•Safeguarding assets.

•Economical and efficient use of resources.

•Achievement of established organizational objectives and goals.

The big issue for the strategic plan is to make sure that all areas of the company are audited at least
periodically. Without such a plan, it is possible that a certain area would never be audited because it
does not meet the requirements for the annual audit.

Now, we want to look at the annual audit planning process.

Annual Audit Plans:

The CAE has the responsibility to develop the annual audit plan based on the assessment of risk and the
exposures that may affect the company. Based on risk and exposure the CAE can prioritize the activities
to be audited. You just need to make certain that the plans are consistent with the Charter and with the
goals of the company.

How do you determine which engagements to conduct? It’s ultimately the responsibility of the CAE to
determine which engagements are to be performed. Sometimes it may come down to the judgment of
the CAE in making this decision.

Other factors to consider when prioritizing are:

•The length of time since the last engagement was performed in the area;

•Request from senior management, the audit committee or other governing bodies;

•An engagement’s relation to the external audit;

•Changing circumstances in the business, operations, programs, systems or controls;

•Changes in the risk environment or control procedures in the department;

•The potential benefit that could be achieved from the engagement; and

•Changes in the skills of the available staff (it may be that a new employee has new skills, or training
has given a staff member new skills) because new skills may enable conducting different types of
engagements.

Note: In the development of audit plans, it is generally recommended to leave some time for
management request (usually about 10%).

We have already mentioned that the primary factor in prioritizing engagements is risk. When we discuss
risk assessment, you need to remember that there are two types of assessments, quantitative
(numerical) assessments as well as qualitative (characteristics) assessments. Quantitative assessments
would include the dollar value of the assets at risk or the potential loss, while qualitative includes things
such as the risk in the area of fraudulent behavior or the importance of the section to the operations of
the business as a whole.

17
One way to measure the extent of risk in different areas is to multiply the dollar amount that is at risk of
loss by the percentage chance of the loss occurring. In this way, the CAE is able to address the fact that
while petty cash is at great risk because it is cash that is, in essence, available to everyone in the
organization, there is not much cash at risk at any one time because there is never much cash in petty
cash at any point in time. When combining these factors, petty cash is probably a lower priority when
compared to an area where there is a lower risk of loss, but the loss value would be much greater.

The above discussion has focused on a monetary measurement. However, there are also risks that are
not related to the assets of the company or a specific monetary amount that also need to be assessed.
For example, control procedures (or, more accurately, lack of control procedures) may also be an area of
risk that would need investigation.

Note: See Appendix F for a sample Schedule of Audit Coverage for a three-year period. The
difference between this 3-year plan and the annual plan is that the annual plan would include the
timing of the audits, and possibly the assigned personnel.

18
STEP #6: Build the budget
You are going to build your internal audit budget based on the results of the risk assessment and audit
plan. The internal audit budget must be sufficient to so you can deliver a risk-based plan developed
during the fifth stage. The amount that you are going to budget to achieve your objectives will be driven
by the audit plan, organizational structure, and staffing strategy.

In 2004, the IIA conducted a random survey of 730 companies to get an idea of what companies spend
to support their internal auditing functions (see Exhibit 1). The survey identified a general range of
0.03% to 0.22% of revenues for an internal audit budget. The percentage goes up to 1.33% of revenue
for companies with revenue of less than 100 million USD.

The following information below was provided by The IIA Global Auditing Information Network (GAIN)
Reports:

Exhibit 1

Average Internal Audit Cost – By Revenue

Revenue Range Internal Audit Average Average Internal Average Internal
Staff Count Revenue Audit Audit as % of
Revenue
<$100M 3 $36,900,254 $277,884 1.33%

$100-$500M 4 $218,576,736 $474,429 0.22%

$500M-$1B 7 $755,271,735 $945,432 0.13%

$1B-$5B 12 $2,490,683,297 $1,769,890 0.07%

$5B-$15B 23 $9,229,594,016 $3,720,156 0.04%

>$15B 74 $41,347,965,743 $11,678,423 0.03%

Source: The IIA Global Auditing Information Network (GAIN).

For more information visit website: www.theiia.org/gain

You will have two classifications of costs in the internal audit budget: Capital expenditures and
Administrative expenses.

1) Capital Expenditures include costs for purchasing desktop computers, notebooks, printers,
copy machine, cell phones, office furniture, etc.

2) Administrative costs could include the following:

•The salary of the CAE.

•The salary of remaining auditors.

•Travel expenses. This could be a significant cost, particularly, if your company has multiple
locations.

•IT support costs.

•Office equipment repair costs.

•Office supplies.

•General office maintenance costs.

19
STEP #7: Determine the staffing requirements
The CAE needs to make sure his or her staff is professional. This means having the right people in the
right positions. This follows along the idea that “it’s better to be understaffed then to hire the wrong
people who could very quickly ruin the creditability of your department.” But, the CAE does need to be
concerned about not meeting the regulatory requirements, e.g., NYSE, Sarbanes-Oxley, and others.

What staffing options do you have? In our earlier example, the company is going to float an IPO on the
NYSE. In this case, the company is mandated to have an internal audit function. Again, listed companies
may choose to outsource this function to a third party service provider other than its independent
auditor.

Based on this requirement, you have three alternatives. You can: (1) build the IAA in-house, (2) fully
outsource the IAA, or (3) partially outsource the IAA.

Building in-house:
This alternative tends to be the more traditional way of creating and building internal audit activities.
Advantages to this approach can include the ability to groom employees for future needs within the
company. The company also has the advantage of having staff available on a permanent basis who
understand the culture, structure, and practices of the company. In addition, the full-time staff is in a
position to further develop specialized skills through professional certification programs (i.e., CIA, CFSA,
CISA, and others), which further professionalizes the department.

Fully Outsourcing:
Outsourcing is generally defined as contracting out the IAA to others who are not employees of the
company. There are a variety of reasons why a company may consider fully outsourcing the internal
auditing function, including:

 Saving time having to staff the function,

 Having the opportunity to have an operational function immediately,

 Having access to varied skills and resources, and

 Potentially providing greater independence and objectivity. This is because they would not be on
staff of the company.

What could be a disadvantage of outsourcing? One disadvantage could be that since the contracted
auditors are not part of the company they might not have the loyalty to the company has in-house
auditors. Also, in-house auditors would be more familiar with the business environment of the company,
and thus, be in a better position to help the company. Finally, internal auditing is supposed to be a value
added function, but if executive management and the board are not a 100% on board, then outsourcing
could limit the benefits of the IAA.

Partial Outsourcing:
Even with fully developed in-house internal auditing staff, it’s unlikely you will have the capability to
provide complete audit coverage. In these cases, you should consider partially outsourcing to an outside
organization that can provide specialized skills so you can meet your objectives.

For example, if your company offers a pension plan then it is not unusual for an actuary to be hired to
look at the reasonableness of future pension liabilities. Or, if your company produces environmental

20
waste, it might be good to hire an outside firm to look at compliance with environmental laws. You
should never think that your department has to be specialist in every area of the organization. It is just
not realistic to think so.

When deciding whether to hire in-house, outsource or possibly do both, you need to ask yourself:

1) What are the priorities for the internal auditing function? If you build in-house, can to hire the
staff that can handle the work? Can they do the work professionally, and get it done on time?

2) If you outsource, can you improve the effectiveness of your department? What are the long-
term implications? Will outsourcing save the company funds? How about long-term needs?

3) Can you source staff internally on a part-time basis to help meet the department’s objectives?
For example, if you had scheduled an environmental audit for the current period, perhaps the
company has an experienced environmental engineer who could help with the audit. An
important issue with this is to make sure the employee maintains his or her objectivity.

The CAE simply needs to realize that outsourcing is a viable option. The company has particular needs
and compliance deadlines and these factors will dictate whether building, outsourcing, or using a
combination of both is right for your company. Each option has its benefits and risks so an analysis
should be conducted to determine which option is the right option.

Some of the things to consider in your analysis are:11

•Independence of the service provider.

•Allegiance of in-house versus external service provider.

•Professional standards followed by the service provider.

•Qualifications of the service provider.

•Staffing – training, turnover, rotation of staff, management.

•Flexibility in staffing resources to meet engagement need or special request.

•Availability of resources.

•Retention of institutional knowledge for future assignments.

•Access to best practices or insight to alternative approaches.

•Culture of the company – receptiveness to service providers.

•Coverage of remote locations (if relevant).

•Coordination with in-house internal audit services.

•Coordination with external auditors.

•Use of internal auditing as a training ground for internal promotions.

•Retention, access to and ownership of working papers.

•Acquisition and availability of specialty skills.

•Cost considerations.

•Good standing membership in an appropriate professional organization.

11
IIA Position Paper on Resourcing Alternatives for the Internal Audit Function, 6/20/05.

21
Drafting Job Descriptions:
By drafting descriptions, it will be much easier for you to determine whether your department is properly
staffed. Having good job descriptions is also an important basis for the recruitment and promotion of
staff.

In Appendix G we have drafted sample job descriptions for the various internal auditing positions. We
included job descriptions for the positions:

•Chief Audit Executive

•Internal Auditing – Manager

•Internal Auditing – Senior Supervisor

•Internal Auditor – Supervisor

It’s unlikely you would have the resources available to initially fill these positions, but again you always
need to be thinking beyond current needs.

22
STEP #8: Establish a plan for the development of Staff
Once you’ve hired the staff, staff development will be an important part of the long-term success of your
department. Staff development consists of training, counseling and performance evaluations.

Training needs to be provided with the goal of providing the staff with the necessary skills to perform
their jobs in the short term, and also to develop and broaden their skills for their long-term
development. Individuals often see training as a benefit and a well-developed training program is an
excellent recruiting tool for the company.

Individuals’ personal desires should be considered, but are not the only consideration. This means that it
is possible that people will be trained, or assigned to, areas and engagements that they are not
personally interested in.

However, not only should training benefit the individual, it should also help the function meet its
organizational goals. As such, some staff may be trained in areas where the function does not currently
have skills, but which are required in the company.

Counseling, or mentoring, is a growing element of staff development. The CAE has a responsibility for
counseling and assisting staff members in their growth in the organization. This is not to say that the
CAE is supposed to have weekly counseling sessions with each member, but the CAE has a responsibility
to step in as needed. In a large internal audit department, there may be a formal counseling/mentoring
program and, in this case, the CAE most likely is responsible for the oversight and management of the
process. Additionally, the CAE may be the counselor for some of the higher-level staff members in the
department.

Performance appraisals should be performed at least annually, and more often if needed. The
performance evaluations need to focus on the skills that are necessary for the individual to perform their
work and for IAA as a whole to perform its duties. These staff evaluations should be seen as a means of
giving internal audit employees the opportunity to identify their weaknesses and give them an
opportunity to improve their performance. The evaluation should not be based on personal likes or
dislikes or other non-job related factors. This is particularly true when the evaluation is an engagement
evaluation of their work on a specific job, and not an annual evaluation.

There should be sufficient time to allow everyone to prepare for conducting the annual evaluation. This
usually involves the auditor and the manager both filling out the evaluation form and preparing for the
meeting. The meeting should be scheduled when both parties are not pressed for time so that anything
that arises during the evaluation can be discussed and addressed without one person trying to hurry
through the evaluation because of other commitments.

The performance evaluation form can be a standard form (and will be a standard form in large companies)
because this provides focus to the evaluation on the areas that are most important. However, for this
process to work as well as possible, the evaluation needs to be carefully thought through by the evaluator
and should not include standard comments that are applicable to everyone. Examples and specific
references to events should be provided and included whenever possible.

Note: See Appendix H for a sample internal auditing evaluation form.

23
STEP #9: Communicate the existence of the Internal Audit
Function in the Company
This next step seems obvious, but it is a very critical part of establishing the internal audit function in
the organization. You have to have some level of confidence that when you actually start your work you
will have the complete cooperation of the employees and departments in the organization. Without their
complete cooperation, you just won’t be able to do your work.

When management communicates the existence of the internal auditing activity they should be
promoting the function as a management orientated resource, not a futile exercise. If they do this,
internal auditors have a better chance of getting what they need.

Sawyer listed some ways for management to market the internal audit function.12

•Brochures. An easily read non-technical booklet can go a long way toward removing the mystery
and hence the fear from internal auditing.

•Bulletins/newsletters. Bulletins can highlight urgent, current findings. Newsletters can be

anecdotal and hence easily understood without getting into internal audit jargon.

•Organization publications. These often include human interest stories on employees. And a well-
written story might be accepted and useful in showing the human side of internal auditing.

•Organization programs. Many organizations sponsor civic or charitable activities. Helping to lead
one of these will present internal auditors in a favorable light.

•Open house/open door. Hosting an open house lets internal auditors meet operating personnel
under relaxed circumstances.

•Client vs. auditee. In both written and oral statements it is preferable to refer to the people being
audited as “clients” or “customers.”

•Advisory board. To develop an interchange of information about organization reorganization,

changes, and developments, develop an advisory board of operating managers, chaired by the chief
audit executive. Subjects discussed could relate to risk exposures and potential problems. The board
is advisory only but can augment the approach to what and when to audit.

•Pre-audit meeting. This is good way to start building a relationship with the client. During the
meeting you can explain internal auditing and its true function – one that is more than the
mysterious resident critic.

•Risk rating. This has generally been regarded as a one-dimension, internal audit function. But by
promoting liaisons between internal auditors and selected operating people, it can be developed into
a problem solving partnership.

•Post audit questionnaire. Properly used, the questionnaire can be a valuable quality assurance
tool. Client opinions can help fine-tune the audit process.

•Client training. This can include courses for client personnel and a period of actually working in
the internal audit function for top-level new hires who are destined for management positions. This
can offer hands-on training in assessing internal controls and valuable experience when the trainees
take on the jobs they were hired for.

•Quality programs. Internal auditors can be in the forefront of the quality quest sweeping the
country. Audit reports receive wide distribution in the organization and should be quality-oriented to
foster the attitude of doing it right the first time.

12
Sawyer’s Internal Auditing, 5th Edition, pages 861-862.

24
STEP #10: Establish a quality assurance program
Our final stage is the establishment of a quality assurance program. It is through this program that we
will be able to measure the success of the internal audit activity.

At this point, you might be asking yourself, “So, who’s going to be auditing the internal auditors?” The
answer, in short is, “they will be auditing themselves.”

So, how can internal auditors, audit themselves? You do this by being objective and by being
professional. The role of auditing the internal auditing function falls on the shoulders of the CAE.

According to the Standards:13

“The CAE should develop and maintain a quality assurance and improvement program (QAIP)
that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This
program includes periodic internal and external quality assessments and ongoing internal
monitoring. Each part of the program should be designed to help the internal auditing activity add
value and improve the organization’s operations and to provide assurance that the internal audit
activity is in conformity with the Standards and the Code of Ethics.”

Thus, it is the QAIP that justifies the internal audit activity, but it will be the CAE doing the justifying.
Therefore, the internal audit function is really auditing itself. But, as we will see later this is only partially
true.

Quality Program Assessment:

The CAE will be responsible for the implementation of a quality program, the monitoring of that quality
program and the assessment of the quality of the program. The quality program should include both
internal and external assessments.

The function of these internal and external assessments is for the company stakeholders 14 to feel
comfortable with the services the IA function is providing to the organization. They’re asking the
question - Is the internal auditing function contributing to the overall success of the organization?

Quality program assessments should include evaluation, if appropriate, of:15

•Compliance with the Standards and Code of Ethics, including timely corrective actions to remedy
any significant instances of noncompliance,

•Adequacy of the IAA’s charter, goals, objectives, policies, and procedures,

•Contribution to the organization’s governance, risk management and control processes.

•Compliance with applicable laws, regulations, and other governmental or industry standards,

•Effectiveness of continuous improvement activities and adoption of best practices, and

•Whether the auditing activity adds value and improves the organization’s operations.

The results of these assessments will then be provided to the above-mentioned stakeholders.

A problem that can often arise when doing quality program assessments is that quality can mean
different things to different people. This is particularly true of service operations such as the internal
audit function. For example, the internal audit department may be conforming to the Standards, but

13
Standard 1300.
14
By stakeholders, we mean top management, audit committee, and external auditors.
15
Practice Advisory 1310-1.

25
that doesn’t mean it’s operating in an effective or efficient manner. To resolve this potential problem,
organizations develop quality circles.

A quality circle is a group of employees (anywhere from five to 15 employees) who are intimately
familiar with an operation and are brought together to improve quality and productivity. They do this by
studying the operation, or problem, making recommendations, and depending on the operation, they
may have the authority to implement recommendations.

Quality circles frequently use benchmarking as a means to improve quality and productivity.
Benchmarking is the process of a company using the standards set by other companies as a target or
model for its own operations. (This is also called best practices.) It is the process of continuously trying
to emulate (imitate) the best companies in the world. By striving to meet the standards of the best
companies, an organization may be able to create a competitive advantage by achieving a higher
standard than its competitors. Benchmarking can use both financial (profit margin) and non-financial (%
of defects).

The company that is used as the benchmark does not necessarily need to be in the same industry as the
company that is trying to improve.

26
Appendix A
16-steps to establishing an Internal Audit Shop
Source: http://www.theiia.org

Step 1: Establish the authority of the internal audit activity and review the new definition of
internal auditing and the International Standards for the Professional Practice of Internal Auditing
(Standards) to become familiar with what is required.

Step 2: Interview senior management and board of directors/audit committee chairman to

build rapport to ensure those at the top have a clear picture of the internal audit function, and to clarify
expectations of all. Use this opportunity to quickly learn and address what management and the board
view as the greatest risks to the organization, while keeping in mind issues, problems, and opportunities
that have already been identified. Develop a system for cataloging such information, including date and
name of person interviewed for quick reference.

Step 3: Obtain and review the audit committee charter. Of course, no sample charter
encompasses all activities that might be appropriate to a particular audit committee, nor will all activities
identified in a sample charter be relevant to every committee. Accordingly, this charter must be tailored
to each committee’s needs and governing rules.

Step 4: Understand “benchmarking” needs, i.e., industry, specialty groups, organizations with same
staff same, etc. Ask senior management who they consider to be leaders and laggards in your
organization’s market niche. Check out IIA’s GAIN services. Review past GAIN surveys.

Step 5: Obtain and review your organization’s written policies and procedures, especially the
policy pertaining to management’s responsibility to control the organization.

Step 6: Discuss with external auditors open and closed internal control issues, which they may
have identified during their reviews.

Step 7: Start to develop the “audit universe,” or the list of all auditable entities.

Step 8: Map the map processes/operations within your organization. Meet with operations
manager, including those in information technology, in order to understand their risks and concerns.

Step 9: Develop a risk assessment for your organization. This should be a macro-level
assessment, which includes both external and internal risk factors.

Step 10: Develop a charter for Internal Audit. Ensure that both senior management and the audit
committee review and approve the charter.

27
Step 11: Build the budget, including personnel and travel.

Step 12: Based on your risk assessment, develop an audit plan. The amount of the plan that can
be accomplished in the allotted time period (usually a year) will depend on the risks identified and the
internal audit resources and staff. You should always leave time in your audit plan for management
request (usually 10 percent).

Step 13: Hire your staff and develop a plan for staff training. Ensure your staff covers the range
of expertise needed based on your risk assessment. You may also consider outsourcing portion of your
audit plan to outside service providers or using professionals internal to the organization.

Step 14: Endure that senior management notifies other departments of your existence and
calls for complete cooperation.

Step 15: Work with management to establish best-practice reporting relationships, to ensure
internal audit is promoted throughout the organization, and to develop a methodology for following up
on audit recommendations and measuring performance.

Step 16: Establish quality assurance program.

28
Appendix B
Summary Outline of The IIA Standards
The professional Standards consist of Attribute Standards, Performance Standards and
Implementation Standards.

•Attribute Standards are concerned with the characteristics of the organization and the parties
who will be performing the audit activities.

•Performance Standards describe the internal audit activities and criteria against which the
performance of these services can be evaluated.

•Implementation Standards apply to the specific types of engagements such as assurance (A) or
consulting (C). For example, Standard 1000 consist of implementation standards 1000.A1, and
1000.C1.

ATTRIBUTE STANDARDS
1000 - Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity should be formally defined in an
internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the
Standards. The chief audit executive must periodically review the internal audit charter and present it
to senior management and the board for approval

1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the
Standards in the Internal Audit Charter

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the
Standards must be recognized in the internal audit charter. The chief audit executive should
discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior
management and the board.

1100 - Independence and Objectivity

The internal audit activity should be independent, and internal auditors should be objective in performing
their work.
1110 - Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit
activity to fulfill its responsibilities.
1111 – Direct interaction with the Board
The chief audit executive must communicate and interact directly with the board.
1120 - Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid conflicts of interest.
1130 - Impairments to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment should
be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

29
 Note: When used in these Standards, the term "board" is defined as a board of directors, audit committee of
such boards, head of an agency or legislative body to whom internal auditors report, board of governors or
trustees of a nonprofit organization, or any other designated governing bodies of an organization.

1200 - Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.
1210 - Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its responsibilities.
1220 - Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.

1230 - Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuing
professional development.

1300 - Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that
covers all aspects of the internal audit activity.

1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external
assessments.
1311 - Internal Assessments
Internal assessments must include:

•Ongoing reviews of the performance of the internal audit activity; and

•Periodic reviews performed through self- assessment or by other persons within the
organization, with knowledge of internal auditing practices.

1312 - External Assessments

External assessments must be conducted at least once every five years by a qualified, independent
reviewer or review team from outside the organization. The chief audit executive must discuss with
the board:

 The need for more frequent external assessments; and

 The qualifications and independence of the external reviewer or review team, including
any potential conflict of interest.
1320 - Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement
program to senior management and the board.

30
 1321 - Use of "Conforms with the International Standards for the Professional Practice
of Internal Auditing"

The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of the quality
assurance and improvement program support this statement.

1322 - Disclosure of Noncompliance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or Standards
impacts the overall scope or operation of the internal audit activity, the chief audit executive must
disclose the nonconformance and the impact to senior management and the board.

PERFORMANCE STANDARDS
2000 - Managing the Internal Audit Activity

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the
organization.
2010 - Planning

The chief audit executive must establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organization's goals.

2020 - Communication and Approval

The chief audit executive must communicate the internal audit activity's plans and resource
requirements, including significant interim changes, to senior management and to the board for
review and approval. The chief audit executive must also communicate the impact of resource
limitations.

2030 - Resource Management

The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved plan.
2040 - Policies and Procedures

The chief audit executive must establish policies and procedures to guide the internal audit activity.
2050 - Coordination

The chief audit executive should share information and coordinate activities with other internal and
external providers of relevant assurance and consulting services to ensure proper coverage and
minimize duplication of efforts.

2060 - Reporting to the Board and Senior Management

The chief audit executive must report periodically to the board and senior management on the internal
audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must
also include significant risk exposures and control issues, including fraud risks, governance issues,
and other matters needed or requested by senior management and the board.

31
2100 - Nature of Work

The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.

2110 - Governance
The internal audit activity must assess and make appropriate recommendations for improving the
governance process in its accomplishment of the following objectives:

•Promoting appropriate ethics and values within the organization;

•Ensuring effective organizational performance management and accountability;

•Communicating risk and control information to appropriate areas of the organization; and

•Coordinating the activities of and communicating information among the board, external and
internal auditors, and management.

2120 - Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes.
2130 - Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement.
2200 - Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s
objectives, scope, timing and resource allocations.

2201 - Planning Considerations

In planning the engagement, internal auditors must consider:

•The objectives of the activity being reviewed and the means by which the activity controls its
performance;

•The significant risks to the activity, its objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level;

•The adequacy and effectiveness of the activity's risk management and control systems
compared to a relevant control framework or model; and

•The opportunities for making significant improvements to the activity's risk management and
control processes.
2210 - Engagement Objectives

Objectives must be established for each engagement.

2220 - Engagement Scope
The established scope must be sufficient to satisfy the objectives of the engagement.

32
 2230 - Engagement Resource Allocation

Internal auditors must determine appropriate and sufficient resources to achieve engagement
objectives based on an evaluation of the nature and complexity of each engagement, time
constraints, and available resources.
2240 - Engagement Work Program

Internal auditors must develop and document work programs that achieve the engagement
objectives.

2300 - Performing the Engagement

Internal auditors must identify, analyze, evaluate, and record sufficient information to achieve the
engagement's objectives.
2310 - Identifying Information

Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the
engagement's objectives.

2320 - Analysis and Evaluation

Internal auditors must base conclusions and engagement results on appropriate analyses and
evaluations.
2330 – Documenting Information

Internal auditors must document relevant information to support the conclusions and engagement
results.
2340 - Engagement Supervision

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and
staff is developed.
2400 - Communicating Results
Internal auditors must communicate the engagement results.
2410 - Criteria for Communicating

Communications must include the engagement's objectives and scope as well as applicable
conclusions, recommendations, and action plans.

2420 - Quality of Communications

Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

2421 - Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive must
communicate corrected information to all individuals who received the original communication.

2430 – Use of “Conducted in Conformance with the International Standards for the
Professional Practice of internal Auditing”

Internal auditors may report that their engagements are “conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing,” only if the results of the
quality assurance and improvement program support the statement.

33
 2431 Engagement Disclosure of Nonconformance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the
Standards impacts a specific engagement, communication of the results must disclose the

 Principle or rule of conduct of the Code of Ethics or Standard(s) with which full
conformance was not achieved:

 Reason(s) for nonconformance; and

 Impact of nonconformance on the engagement and the communicated engagement

results.

2440 Disseminating Results

The chief audit executive must communicate results to the appropriate parties.

2500 Monitoring Progress

The chief audit executive must establish and maintain a system to monitor the disposition of results
communicated to management.

2600 – Resolution of Senior Management's Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of residual risk that
is unacceptable to the organization, the chief audit executive must discuss the matter with senior
management. If the decision regarding residual risk is not resolved, the chief audit executive and senior
management should report the matter to the board for resolution.

34
Appendix C
The IIA’s Code of Ethics

The purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of
internal auditing.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on
the trust placed in its objective assurance about risk management, control, and governance. The
Institute's Code of Ethics extends beyond the definition of internal auditing to include two essential
components:

1) Principles that are relevant to the profession and practice of internal auditing;

2) Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an
aid to interpreting the Principles into practical applications and are intended to guide the ethical
conduct of internal auditors.

The Code of Ethics together with The Institute's Professional Practices Framework and other relevant
Institute pronouncements provide guidance to internal auditors serving others. "Internal auditors" refers
to Institute members, recipients of or candidates for IIA professional certifications, and those who
provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement

This Code of Ethics applies to both individuals and entities that provide internal auditing services.

For Institute members and recipients of or candidates for IIA professional certifications, breaches of the
Code of Ethics will be evaluated and administered according to The Institute's Bylaws and Administrative
Guidelines. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent
it from being unacceptable or discreditable, and therefore, the member, certification holder, or candidate
can be liable for disciplinary action.

Principles:
Internal auditors are expected to apply and uphold the following principles:

Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their
judgment.

Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors make a
balanced assessment of all the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgments.

35
Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose
information without appropriate authority unless there is a legal or professional obligation to do so.

Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal
auditing services.

Rules of Conduct:
1. Integrity
Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility. [In other words, the
auditor does the right thing.]

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable
to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity
Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair
their unbiased assessment. This participation includes those activities or relationships that
may be in conflict with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional
judgment. [For example, a material gift (use of beach house) is considered to impair
objectivity.]

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review. [For example, there may be some items that were
capitalized instead of expensed. This fact needs to be disclosed to management and the
Audit Committee.]

3. Confidentiality
Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the course of their
duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to
the law or detrimental to the legitimate and ethical objectives of the organization.

36
4. Competency
Internal auditors:

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and
experience.

4.2. Shall perform internal auditing services in accordance with the International Standards for
the Professional Practice of Internal Auditing.

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

37
Appendix D
Audit Committee Charter - Sample

PURPOSE:
To assist the board of directors in fulfilling its oversight responsibilities for the financial reporting
process, the system of internal control, the audit process, and the company's process for monitoring
compliance with laws and regulations and the code of conduct.

AUTHORITY:
The audit committee has authority to conduct or authorize investigations into any matters within its
scope of responsibility. It is empowered to:

•Appoint, compensate, and oversee the work of any registered public accounting firm employed by
the organization.

•Resolve any disagreements between management and the auditor regarding financial reporting.

•Pre-approve all auditing and non-audit services.

•Retain independent counsel, accountants, or others to advise the committee or assist in the conduct
of an investigation.

•Seek any information it requires from employees-all of whom are directed to cooperate with the
committee's requests-or external parties.

•Meet with company officers, external auditors, or outside counsel, as necessary.

COMPOSITION:
The audit committee will consist of at least three and no more than six members of the board of
directors. The board or its nominating committee will appoint committee members and the committee
chair.

Each committee member will be both independent and financially literate. At least one member shall be
designated as the "financial expert," as defined by applicable legislation and regulation.

MEETINGS:
The committee will meet at least four times a year, with authority to convene additional meetings, as
circumstances require. All committee members are expected to attend each meeting, in person or via
tele- or video-conference. The committee will invite members of management, auditors or others to
attend meetings and provide pertinent information, as necessary. It will hold private meetings with
auditors (see below) and executive sessions. Meeting agendas will be prepared and provided in advance
to members, along with appropriate briefing materials. Minutes will be prepared.

RESPONSIBILITIES:
The committee will carry out the following responsibilities:

38
Financial Statements

•Review significant accounting and reporting issues, including complex or unusual transactions and
highly judgmental areas, and recent professional and regulatory pronouncements, and understand
their impact on the financial statements.

•Review with management and the external auditors the results of the audit, including any
difficulties encountered.

•Review the annual financial statements, and consider whether they are complete, consistent with
information known to committee members, and reflect appropriate accounting principles.

•Review other sections of the annual report and related regulatory filings before release and consider
the accuracy and completeness of the information.

•Review with management and the external auditors all matters required to be communicated to the
committee under generally accepted auditing Standards.

•Understand how management develops interim financial information, and the nature and extent of
internal and external auditor involvement.

•Review interim financial reports with management and the external auditors before filing with
regulators, and consider whether they are complete and consistent with the information known to
committee members.

Internal Control

•Consider the effectiveness of the company's internal control system, including information
technology security and control.

•Understand the scope of internal and external auditors' review of internal control over financial
reporting, and obtain reports on significant findings and recommendations, together with
management's responses.

Internal Audit

•Review with management and the chief audit executive the charter, activities, staffing, and
organizational structure of the internal audit function.

•Have final authority to review and approve the annual audit plan and all major changes to the plan.

•Ensure there are no unjustified restrictions or limitations, and review and concur in the
appointment, replacement, or dismissal of the chief audit executive.

•At least once per year, review the performance of the CAE and concur with the annual compensation
and salary adjustment.

•Review the effectiveness of the internal audit function, including compliance with The Institute of
Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

•On a regular basis, meet separately with the chief audit executive to discuss any matters that the
committee or internal audit believes should be discussed privately.

External Audit

39
 •Review the external auditors' proposed audit scope and approach, including coordination of audit
effort with internal audit.

•Review the performance of the external auditors, and exercise final approval on the appointment or
discharge of the auditors.

•Review and confirm the independence of the external auditors by obtaining statements from the
auditors on relationships between the auditors and the company, including non-audit services, and
discussing the relationships with the auditors.

•On a regular basis, meet separately with the external auditors to discuss any matters that the
committee or auditors believe should be discussed privately.

Compliance

•Review the effectiveness of the system for monitoring compliance with laws and regulations and the
results of management's investigation and follow-up (including disciplinary action) of any instances
of noncompliance.

•Review the findings of any examinations by regulatory agencies, and any auditor observations.

•Review the process for communicating the code of conduct to company personnel, and for
monitoring compliance therewith.

•Obtain regular updates from management and company legal counsel regarding compliance
matters.

Reporting Responsibilities

•Regularly report to the board of directors about committee activities, issues, and related
recommendations.

•Provide an open avenue of communication between internal audit, the external auditors, and the
board of directors.

•Report annually to the shareholders, describing the committee's composition, responsibilities and
how they were discharged, and any other information required by rule, including approval of non-
audit services.

•Review any other reports the company issues that relate to committee responsibilities.

Other Responsibilities

•Perform other activities related to this charter as requested by the board of directors.

•Institute and oversee special investigations as needed.

•Review and assess the adequacy of the committee charter annually, requesting board approval for
proposed changes, and ensure appropriate disclosure as may be required by law or regulation.

•Confirm annually that all responsibilities outlined in this charter have been carried out.

•Evaluate the committee's and individual members' performance on a regular basis.

40
Appendix E
Sample Internal Audit Charter

Mission and Scope of Work:

The mission of the internal audit department is to provide independent, objective assurance and
consulting services designed to add value and improve the company’s operations. It helps the company
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.

Role:
The Internal Auditing Function is established by the Board of Directors, and its responsibilities are
defined by the Audit Committee of the Board of Directors as part of their oversight function.

Professional Standards:
The internal auditing staff shall govern themselves by adherence to The Institute of Internal Auditors’
“Code of Ethics.” The Institute’s “International Standards for the Professional Practice of Internal
Auditing” (Standards) shall constitute the operating procedures for the department. These two
documents constitute an addendum to their charter. The Institute of Internal Auditors’ “Practice
Advisories” will be adhered to as applicable. In addition, Internal Auditing will adhere to the company’s
policies and procedures and Internal Auditing’s Standard Operating Procedures Manual. The Standard
Operating Procedures Manual shall include attribute, performance, and implementation standards to
guide the Department.

Authority:
The chief audit executive and staff of ATM’s internal audit department are authorized to:

•Have unrestricted access to all functions, records, property, and personnel.

•Have full and free access to the audit committee.
•Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the
techniques required to accomplish audit objectives.
•Obtain the necessary assistance of personnel in units of the organization where they perform audits, as
well as other specialized services from within or outside the organization.
•The chief audit executive and staff of the internal audit department are not authorized to:
•Perform any operational duties for the organization or its affiliates.
•Initiate or approve accounting transactions external to the internal auditing department.
•Direct the activities of any organization employee not employed by the internal auditing
department, except to the extent such employees have been appropriately assigned to auditing
teams or to otherwise assist the internal auditors.

41
Organizational Status:
The CAE shall report administratively to the Chief Executive Officer (CEO) and functionally to the Audit
Committee of the Board of Directors.

Independence:
All internal audit activities shall remain free of influence by any element in the organization, including
matters of audit selection, scope procedures, frequency, timing, or report content to permit maintenance
of an independent and objective mental attitude necessary in rendering reports.

Internal auditors shall have no direct operational responsibility or authority over any of the activities
they review. Accordingly, they shall not develop nor install systems or procedures, prepare records, or
engage in any other activity which would normally be audited.

Mission and Scope of Work:

The scope of work of the internal audit department is to determine whether the organization’s network
of risk management, control, and governance processes, as designed and represented by management,
is adequate and functioning in a manner to ensure:

•Risks are appropriately identified and managed.

•Interaction with the various governance groups occurs as needed.
•Significant financial, managerial, and operating information is accurate, reliable, and timely.
•Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and
regulations.
•Resources are acquired economically, used efficiently, and adequately protected.
•Programs, plans, and objectives are achieved.
•Quality and continuous improvement are fostered in the organization’s control process.
•Significant legislative or regulatory issues impacting the organization are recognized and addressed
appropriately.
Opportunities for improving management control, profitability, and the organization’s image may be
identified during audits. They will be communicated to the appropriate level of management.

Audit Planning:
Annually, the CAE shall submit to senior management and the Audit Committee a summary of the audit
work schedule, staffing plan, and budget for the following fiscal year. The audit work schedule is to be
developed based on a prioritization of the audit universe using a risk-based methodology. Any significant
deviation from the formally approved work schedule shall be communicated to senior management and
the Audit Committee through periodic activity reports.

Reporting:
A written report will be prepared and issued by the CAE or designee following the conclusion of each
audit and will be distributed as appropriate. A copy of each audit report and a summarization will be
forwarded to the CAE and the Chairman of the Audit Committee.

42
The CAE or designee may include in the audit report the auditee’s response and corrective action taken
or to be taken in regard to the specific findings and recommendations. Management’s response should
include a timetable for anticipated completion of action to be taken and an explanation for any
recommendations not addressed.

In cases where a response is not included within the audit report, management of the audited area
should respond, in writing, within thirty days of publication to Internal Auditing and those on the
distribution list.

Internal Auditing shall be responsible for appropriate follow-up on audit findings and recommendations.
All significant findings will remain in an open issues file until cleared by the CAE or the Audit Committee.

Periodic Assessment:
The CAE should periodically assess whether the purpose, authority, and responsibility, as defined in this
charter, continue to be adequate to enable the internal auditing activity to accomplish its objectives. The
result of this periodic assessment should be communicated to senior management and the Board of
Directors.

Chief Audit Executive ______________________

Chief Executive Officer ______________________

Audit Committee Chairman ______________________

Date _______________________

43
Appendix F
Schedule of Audit Coverage 2007-09 - Sample

Audit Days

Priority Planned Engagements Description Year 1 Year 2 Year 3

1. Annual Review of Core Systems Compliance and substantive testing to confirm the continuing operation of 30 25 25
key controls operating over the core systems.

This review will be carried out annually and will incorporate the use of data
interrogation as well as manual checks.

The reviews will provide management with assurance that the key controls
within the core financial systems continue to operate effectively.

Additional days

2. Full Review of Core Systems During the 3-year life cycle of the plan, each of the Core Financial Systems
will be subject to full internal audit review in addition to the testing focused
annual review.

The reviews will provide management with an in-depth assurance of the

efficiency and effectiveness of the Core Financial Systems.

• Financial Asset Management Full review of the controls that ensure that assets are effectively and 5 0 0
securely held, used and disposed of, with sufficient, complete and accurate
information available for incorporation into the financial accounts.

• Revenue Sales and trade Full review of controls to ensure that revenue sales are accurately reported, 5 0 0
receivables and trade receivables are promptly and securely collected. In regards to
trade receivables in to also look at the accuracy of the company’s bad debt
accounts.

• Cash and Bank Full review of the controls to ensure that cash and bank accounts are 5 0 0
properly secured.

• Purchases and payables Full review of the controls to ensure that the company achieves value for its 0 5 0
money from its procurement of goods and services and that the procurement
process is effective.

• Financial Treasury Management Full review of controls to ensure that the company’s investments and 0 0 5
financing achieve value and are secure.

44
 • Financial loans Full review of the controls to ensure that payments to credits, primarily to 0 0 5
banks are timely and accurately reported.

• Other financial accounting issues Full review of controls to ensure the insurance, tax and other financial issues 0 5 0
are properly managed.

3. Building and Grounds Full review of the controls that ensure that buildings and estates are 0 15 0
Maintenance efficiently and effectively maintained.

4. Capital Works Full review of controls that ensure that capital projects best meet company 0 0 25
needs, are planned and executed to the budget, and represent the best
value for the money.

5. Human Resources Full review of controls to ensure that the company has sufficient staff with 25 0 0
required skills and experience to meet its objectives.

6. Health and Safety Full review of the control that ensure that the health and safety of staff is 15 0 0
protected as far as is possible and that relevant legislation is complied with.

7. IS - Installation Full review of the controls that ensure the computer systems, hardware and 0 15 0
installation activity operate in a controlled, secure and managed
environment.

8. IS – Networks Full review of the controls that ensure that the company’s network is 0 0 15
effective, robust and secure.

9. IS – Operating controls Full review of the controls that ensure the company’s PC operating systems 15 0 0
are effective, robust and secure.

10. Risk Management An annual review will be made of the risk management process to ensure 5 5 15
that it continues to operate effectively. The review will focus on ensuring that
risks continue to be identified, assessed and managed throughout the
company.

The review will be supplemented by a full review of Corporate Governance,

which will consider the on-going effectiveness of the process in more detail
and in comparison to best practices.

The review will provide management with assurance that the risk
management process continues to be robust and to allow internal audit to
place reliance on the risk management process in providing direction for its
work.

45
Appendix G
Job (Position) Descriptions for Internal Auditing Staff
•Help to facilitate the recruiting by stating explicit job requirements.

•Provide a means to justify salaries.

•Means to express the management’s expectations.

•Method for the internal audit activity to engage in personnel planning.

The following job (position) descriptions are presented in Sawyer’s Internal Auditing 5th edition, pages
839, 846-848.

CHIEF AUDIT EXECUTIVE

Authority:
The chief audit executive is authorized to direct a broad, comprehensive program of internal auditing
within the organization. Internal auditing examines and evaluates the adequacy and effectiveness of the
systems of management control provided by the organization to direct its activities toward the
accomplishment of its objectives in accordance with organization polices and plans. In accomplishing
these activities, the chief audit executive and members of the audit staff are authorized to have full,
free, and unrestricted access to all organization functions, records, property, and personnel.

Responsibility:
The chief audit executive is responsible for:

•Establishing policies for the auditing activity and directing its technical and administrative functions.

•Developing and executing a comprehensive audit programs for the evaluation of management
controls provided over all organization activities.

•Examining the effectiveness of all levels of management in their stewardship of organization

resources and their compliance with established policies and procedures.

•Recommending improvement of management’s controls designed to safeguard organization

resources, promote organization growth, and ensure compliance with government laws and
regulations.

•Reviewing procedures and records for

•Their adequacy to accomplish intended objectives, and appraising policies and plans relating to the
activity or function under audit review.

•Authorizing the publication of reports on audits, including recommendations for improvement.

•Appraising the adequacy of operating management’s actions to correct reported deficient

conditions; accepting adequate corrective action; continuing reviews with appropriate management
personnel on action the chief audit executive considers inadequate until there has been a
satisfactory resolution of the matter.

•Conducting special audits as requested by management, including the reviews of representations

made by persons outside the organization. Acting in a consulting capacity relative to the above
areas of responsibility.

46
INTERNAL AUDITING - MANAGER
Purpose:
•To administer the internal audit activity of an assigned location or operation.

•To develop a comprehensive, practical program of engagement coverage for the assigned location
or operation.

•To obtain accomplishment of the program in accordance with acceptable engagement standards and
stipulated schedules.

•To maintain effective working relations with executive and operating management.

Authority and Responsibility:

Within the general guidelines provided by the chief audit executive:

•Prepares a comprehensive, long-range program of engagement coverage for the location to which
assigned.

•Identifies those activities subject to engagement coverage, evaluates their significance, and
assesses the degree of risk inherent in the activity in terms of cost, schedule, and quality.

•Establishes the related departmental structure.

•Obtains and maintains an audit staff capable of accomplishing the internal audit function.

•Assigns engagement areas, staff, and budget to supervisors.

•Develops a system of cost and schedule control over engagement projects.

•Establishes standards of performance and, by review, determines that performance meets the
standards.

•Provides executive management within the assigned location with reports on engagement
coverage and engagement results, and interprets those results so as to improve the engagement
program and the engagement coverage.

•Establishes and monitors accomplishment of objectives directed toward increasing the internal
audit activity's ability to serve management.

INTERNAL AUDITING - SUPERVISOR

Purpose:
•To develop a comprehensive, practical program of engagement coverage for assigned areas.

•To supervise the activities of staff assigned to the review of various organizational and functional
activities.

•To ensure conformance with acceptable standards, plans, budgets, and schedules.

•To maintain effective working relations with operating management.

•To provide for and conduct research and develop manuals and training guides.

Authority and Responsibility:

Under the general guidance of a manager:

•Supervises the work of staff engaged in the reviews of organizational and functional activities.

47
 •Provides a comprehensive, practical schedule of annual engagement coverage within general areas
assigned by the manager.

•Determines areas of risk and appraises their significance in relation to operational factors of cost,
schedule, and quality. Classifies engagement projects as to degree of risk and significance and as
to frequency of coverage.

•Provides for flexibility in engagement schedules so as to be responsive to management's special

needs.

•Schedules projects and staff assignments so as to comply with management's needs, within the
scope of the internal audit activity's overall schedule.

•Coordinates the program with the organization's public accountant.

•Reviews and approves the purpose, scope, and approach of each engagement project for assigned
areas.

•Directs engagement projects to see that professional standards are maintained in the planning and
execution and in the accumulation of information.

•Counsels and guides staff to see that the approved engagement objectives are met and that
adequate, practical coverage is achieved.

•Reviews and edits engagement communications and, in organizations with the auditor-in-charge
for the assigned project, discusses the communications with appropriate management.

•Presents oral briefing to branch-level management.

•Provides for and performs research on engagement techniques.

•Provides formal plans for the recruiting, selecting, training, evaluating, and supervising of staff
personnel. Develops manuals and other training aids.

•Accumulates data, maintains records, and prepares reports on the administration of engagement
projects and other assigned activities.

•Identifies factors causing deficient conditions and recommends courses of action to improve the
conditions, including special surveys and audits.

•Provides for a flow of communication from operating management to the manager and to the chief
audit executive. Assists in evaluating overall results of the engagements.

INTERNAL AUDITOR - SENIOR

Purpose:
•To conduct reviews of assigned organizational and functional activities.

•To evaluate the adequacy and effectiveness of the management controls over those activities.

•To determine whether organizational units are performing their planning, accounting, custodial, risk
management, or control activities in compliance with management instructions, applicable
statements of policy and procedures, and in a manner consistent with both organizational objectives
and high standards of administrative practice.

•To plan and execute engagements in accordance with accepted standards.

•To report engagement observations and to make recommendations for correcting unsatisfactory
conditions, improving operations, and reducing cost.

48
 •To perform special reviews at the request of management

•To direct the activities of assistants.

Authority and Responsibility:

Under the general guidance of a supervisor:

•Surveys functions and activities in assigned areas to determine the nature of operations and the
adequacy of the system of control to achieve established objectives.

•Determines the direction and thrust of the proposed engagement effort.

•Plans the theory and scope of the engagement, and prepares an engagement work program.

•Determines the engagement procedures to be used, including statistical sampling and the use of
information technology.

•Identifies the key control points of the system.

•Evaluates a system's effectiveness through the application of a knowledge of business systems,

including financial, manufacturing, engineering, procurement, and other operations, and an
understanding of engagement techniques.

•Recommends necessary staff required to complete the engagement.

•Performs the engagement in a professional manner and in accordance with the approved
engagement work program.

•Obtains, analyzes, and appraises information as a basis for an informed, objective conclusion
(opinion) on the adequacy and effectiveness of the system and the efficiency of performance of the
activities being reviewed.

•Directs, counsels, and instructs staff assistants assigned to the engagement, and reviews their work
for sufficiency of scope and for accuracy.

•Makes oral or written presentations to management during and at the conclusion of the
engagement, discussing observations and recommending corrective action to improve operations
and reduce cost.

•Prepares formal written communications, expressing opinions on the adequacy and effectiveness of
the system and the efficiency with which activities are carried out.

•Appraises the adequacy of the corrective action taken to improve deficient conditions.

49
Appendix H
Internal Auditing Department Evaluation Form – Sample

Employee Name Date:

Employee Position
Title

Evaluator

Evaluation Period

Evaluation Factors (circle the appropriate quality for each evaluation factor)
Use comments to describe employee’s strengths, weaknesses, and accomplishments that meet and
exceed expectations. Evaluation factors should be based on the employee’s job description.

XE = Exceeds Expectations – ME = Meets Expectations – NI = Needs Improvement – NA = Not Applicable

1 Quality of work XE ME NI NA

Examples: produces neat and accurate work · performs work thoroughly · expresses self well verbally and in writing.

Comments: Traits personally observed upon which evaluation is based. Use separate page if more space
is needed.

Action: Indicate actions necessary for employee to improve in his or her quality of work.

2 Quantity of work XE ME NI NA

Examples: completes assigned work · completes work in accordance with budget · able to manage a variety of tasks,
or assignments · demonstrates initiative.

Comments: Traits personally observed upon which evaluation is based. Use separate page if more space
is needed.

Action: Indicate actions necessary for employee to improve in his or her quality of work.

50
Internal Auditing Department Evaluation Form (cont.)

Evaluation Factors (circle the appropriate quality for each evaluation factor)
Use comments to describe employee’s strengths, weaknesses, and accomplishments that meet and
exceed expectations. Evaluation factors should be based on the employee’s job description.

XE = Exceeds Expectations – ME = Meets Expectations – NI = Needs Improvement – NA = Not Applicable

3 Work Habits XE ME NI NA
Examples: attends work on a regular basis · complies with instructions · demonstrates knowledge of departmental
policies and procedures · has an interest in developing skill level.

Comments: Traits personally observed upon which evaluation is based. Use separate page if more space is
needed.

Action: Indicate actions necessary for employee to improve in his or her quality of work.

4 Personal Relations XE ME NI NA
Examples: gets along with other employees · gets along with the engagement client · demonstrates effective teamwork ·
demonstrates willingness to help others · is able to think independently, solve issues.

Comments: Traits personally observed upon which evaluation is based. Use separate page if more space is
needed.

Action: Indicate actions necessary for employee to improve in his or her quality of work.

51
Internal Auditing Department Evaluation Form (cont.)
Evaluation Factors (circle the appropriate quality for each evaluation factor)
Use comments to describe employee’s strengths, weaknesses, and accomplishments that meet and
exceed expectations. Evaluation factors should be based on the employee’s job description.

5 Initiative XE ME NI NA
Examples: understands and accepts new situations · performs well with minimal supervision · makes sound decisions in
absence of direct supervision · keeps supervisor informed of status of assigned work

Comments: Traits personally observed upon which evaluation is based. Use separate page if more space is
needed.

Action: Indicate actions necessary for employee to improve in his or her quality of work.

6 Supervisory Skills (if applicable) XE ME NI NA

Examples: plans engagements effectively · assigns engagements to others effectively · demonstrates effective leadership
· provides instruction and training effectively when required · treats supervised personnel fairly

Comments: Traits personally observed upon which evaluation is based. Use separate page if more space is
needed.

Action: Indicate actions necessary for employee to improve in his or her quality of work.

52
Internal Auditing Department Evaluation Form (cont.)

Evaluator’s Additional Comments

You can use this space if you have any other comments or more detailed explanation of any aspect of
the evaluation.

Evaluator’s Signature Date:

Employee’s Signature Date:

Note: Signing this document form does not necessarily mean that the employee agrees with the evaluation.
Employees have the right to responds to this evaluation form within 15 working days if desired.

53