Domain IV: Managing the internal audit function

Planning strategically requires the CAE to understand the internal audit mandate as well as the organization’s governance, risk management and control processes. A properly resourced and positioned internal audit function develops and implements a strategy to support the organization’s success. The CAE creates and implements methodologies to guide the internal audit function and develop the internal audit plan. 

What’s new/different in Principle 9: 

• The CAE’s understanding of an organization’s risk management processes will need to be more extensive and incorporate direct conversations with the board and senior management. 
• Understanding the organization’s control processes may result in the development of an organization-wide risk and control matrix. 
• Internal audit strategies will need to be more formally documented and include strategic objectives and supporting initiatives that enable fulfillment of the internal audit mandate. 
• Internal audit staff must receive training on the internal audit methodologies, policies and procedures—including 12 methodologies the Standards identify as most likely to be necessary to implement the internal audit strategy. 
• The internal audit plan guidance includes information on the development of an organization-wide audit universe and suggests presenting the “next set of engagements” that would be performed if additional resources were available. 
• Coordination and reliance on other “providers of assurance services” is going to require a more detailed approach and could result in the CAE discussing concerns with senior management and possibly the board. 

Successful resource management—led by the CAE—is crucial for implementing the internal audit function’s strategy and achieving its plan and mandate. Resources—including financial, human and technological—should be utilized according to the function’s established methodology. 

What’s new/different in Principle 10: 

• The budget must be presented for board approval and, if applicable, outline the impact of insufficient financial resources. 
• If the function does not have appropriate or sufficient resources to complete the audit plan, communication with the board and senior management—specifically detailing the impact of resource limitations—is required. 
• Technological limitations that impact effectiveness or efficiency of the function must be communicated to the board and senior management. 

CAE’s must establish ongoing communication with stakeholders to build trust and develop relationships. They must also communicate with the board and senior management on the results of internal audit activities. 

What’s new/different in Principle 11: 

• Provides insight into how to determine key stakeholders and how to identify areas for mutual understanding. 
• Emphasizes the establishment of a methodology on effective communication. 
• Provides specific guidance on communicating engagement conclusions, multiple engagement themes and making conclusions at the level of the business unit or organization. 
• If the CAE determines that management has accepted a level of risk exceeding the organization’s risk tolerance, the CAE must discuss said determination with senior management and the board (if not appropriately addressed by senior management). 

The CAE is responsible for ensuring both the internal audit function’s conformance with the Standards and continuous performance improvement. 

The internal audit function’s quality program must incorporate conformance with both the Standards and the function’s performance objectives. The internal audit function should develop measures for assessing performance and the CAE should use said measures when evaluating progress on performance objectives. 

What’s new/different in Principle 12: 

• Requires the internal audit function to have a methodology for performing internal assessments and provides guidance on what needs to be included in said methodology. If the function is noncompliant with the Standards—and this noncompliance impacts the scope or operation of the function—it must be reported to senior management and the board. 
• The CAE must work with the board and senior management on the development of the function’s performance objectives and, when assessing the function’s performance, the CAE must receive feedback from senior management and the board. 
• Requires methodologies for engagement supervision, quality assurance and the development of competencies. The CAE must verify engagements are performed in conformance with the Standards. 
• The CAE is responsible for supervising engagements—whether performed by internal staff or outside service providers—and ensuring evidence is documented and retained as required by the function’s established methodology.