Internal audit for CIPS

A Q&A on the vital role internal audit can play in an organization’s systems

The internal audit function plays a key role in assessing and reporting on an organization’s risk management and internal controls, and in reviewing management information systems. Internal audit functions are seen as business partners, adding value to the organization beyond compliance.

Management of an organization with an internal audit function should have a general understanding of its role and contribution, with its audit committee able to confirm that the function is properly constituted, has the necessary resources, and operates professionally. Boards of medium to large organizations that do not have an internal audit function should assess the need at least annually.

Management within the Commerce, Industry and Public Sector industry (CIPS) operating in Luxembourg needs to understand the contribution of internal audit and to realize the best practices which can be implemented.

The Audit Committee is responsible for ensuring that management has implemented an effective system of internal control to manage the risks facing the organization. In larger and more complex organizations, an internal audit function can provide cost-effective and independent assurance that internal control is effective, provided that it has an appropriate role and mandate.

The following questions, together with related guidance, will put senior management in a position to understand what internal audit functions they need and what they may already have in place.

Many medium and large organizations have an internal audit function. This is a requirement for companies listed on the Luxembourg Stock Exchange and for banks and other financial institutions with major fiduciary responsibilities. Other companies have an internal audit function as it is considered to be a valuable element of management control which provides assurance to the audit committee and adds to the organization’s credibility with investors and creditors.

Management is responsible for establishing and maintaining a system of internal financial controls and, in some cases, may be required by regulators to provide written certification of the adequacy of such controls. Legal and regulatory requirements are changing fast and companies must make sure they are aware of the latest rules.

In smaller organizations, managers are usually close enough to daily operations that they can effectively supervise and monitor the activities of their staff. When the volume and/or complexity of transactions becomes too great, management may need to add people whose primary role is to check the work of others and thereby strengthen internal control.

Organizations that do not have an internal audit function should give strong consideration to establishing one if their size and type of business, source of capital, and risk factors warrant it. The potential benefits of the internal audit function should be assessed and compared against the estimated costs.

Internal auditing is a valuable resource for management and the audit committee because of its objectivity, auditing skills, and in-depth knowledge of the organization. Internal audit does not perform the internal controls, since this is a line management responsibility, but its role does provide another level of assurance to management and the audit committee that controls are effective. Historically, the emphasis was on compliance with company policy and the deterrence, prevention, and detection of fraud and errors, which are still important elements of the internal audit function.

Over time, many internal audit functions have addressed broader aspects of control and provide services in other areas, including:

  • Reviewing controls over major projects and new systems to help anticipate problems. This can enable timely corrective action and allows for controls to be “built in” rather than retro-fitted after being detected by a subsequent audit or system failure;
  • Conducting audits of the efficiency and effectiveness of operations;
  • Assessing the risks related to reputation, customer service, the environment, privacy, etc.;
  • Providing consultation and advisory services on enterprise risk management and control;
  • Participating in the investigation of fraud.

The role of the internal audit should be formally defined in a written charter, approved by the audit committee, with annually reviewed activities outlined in an audit plan.

Internal auditors need a mandate that provides the authority they
need within a structure that supports their independence and
objectivity. This can best be achieved through a written charter that is
aligned with an approved mandate, compatible with best current
practices, and the needs of the audit committee. Any restrictions by
management should be disclosed to, and approved by, the audit committee.

Internal audit should not have any operational accountability or
perform functions that would be subject to subsequent internal audit
review. The internal audit charter is reviewed and updated regularly and
includes:

  • Role and responsibilities of the internal audit function;
  • Functional reporting relationship to the audit committee;
  • Administrative reporting relationship;
  • Access to corporate employees, facilities, and records (including those of contractors);
  • Any restrictions of the scope or authority of internal audit;
  • Requirement that managers cooperate with internal audit and respond to reports;
  • Code of ethics;
  • Internal audit standards;
  • Relationship with external auditors;
  • Distribution of audit reports and summaries;
  • Follow up of recommendations;
  • Specific mention of areas such as fraud, technology, safety, environment, etc. as may be required for clarification;
  • The right of the chief audit executive to attend audit committee meetings.

Internal auditing activities can be conducted by:

  • In-house resources: The organization may assign
    responsibility for audit activities to a corporate internal audit
    department or include some audit activities in the responsibilities of
    line functions (for risks such as safety, environment, etc.). The
    internal audit department may include staff from other departments as
    part of the audit team.
  • Outsourcing: The organization may fully outsource the
    internal audit by engaging an external firm that performs the entire
    function and then reports to a designated executive.
  • A combination of the above: The organization may outsource
    specific activities or projects to specialist firms or include one or
    more outside experts with internal audit staff on a project team.

The internal audit function is a major source of information and
assurance to the audit committee on internal financial controls and
other risk management activities. For this reason, most internal audit
functions have a functional reporting relationship to the audit
committee which is defined in the charter of internal audit and the
audit committee. A key element of this relationship is a direct channel
of communication between the chief audit executive and the audit
committee. This typically includes provisions for the chief audit
executive to have access to the chair of the audit committee and attend
audit committee meetings to present the plan for approval and to report
findings.

The CFO and chief audit executive are usually present at all audit
committee meetings. Much of the work performed by the committee relates
to the roles of these individuals and one or the other may take a role
in supporting the committee’s planning activities. There is generally no
requirement for the CEO to be present at such meetings, but in many
cases he or she may attend for information purposes.

Chief audit executives do not generally attend Board meetings. At
least annually, the chair of the audit committee should report to the
Board, referencing internal audit’s effectiveness, capabilities, the
results of its work, and any concerns.

An annual plan is the key element of the internal audit function and its
ability to meet the needs and expectations of the audit committee,
external auditors, and senior management. An audit plan is prepared
based on a comprehensive review and analysis of the organization’s
business activities and associated risks. Where an enterprise risk
management process is already in place, this will provide a critical
basis for developing a plan aligned with corporate priorities. It
includes all projected internal audits and other activities, including
reviews of the development of new systems and critical business
projects. The audit plan includes the budget and staff resources
required to accomplish its goals but allows flexibility to respond to
unforeseen issues and events during the year. A regular review and
update is essential to consider any changes.

The prevention, deterrence, and detection of fraud are the
responsibility of management. The usual role of internal auditors is to
develop audit programs and procedures to evaluate the internal controls
that management has established in order to manage the risk of fraud. In
practice, auditing sometimes deters employees from committing fraud and
occasionally detects a fraud, but these are not usually the major
objectives of auditors.

The term “fraud” covers a number of activities, some of which could be:

  • Property fraud: The theft or misuse of assets and, sometimes, the related information;
  • Financial reporting fraud: The manipulation of information to mislead or deceive stakeholders.

Internal audit may participate in the investigation of fraud and
provide forensic accounting services—provided that it is cost-effective
to do so. The skills to investigate fraud may be within the internal
audit function, or in a separate security department.

It is critical that the internal audit staff have the diverse set of
skills, industry knowledge, and experience (supplemented where
necessary by external resources) to provide the control assurance and
related advice that the audit committee requires.

Consideration should be given to using the expertise of other
corporate staff, engaging outside experts, or outsourcing where the
necessary skills do not reside within internal audit.

Internal audit periodically reports to the audit committee on its
staff capabilities, including academic and professional qualifications
and years of audit, industry, and organizational experience.

Audit reports and findings are in writing and include the scope and
objectives of the audit, the findings, and recommendations for improving
control. These reports:

  • Are action-oriented and include comments and proposals for corrective action from the management of the audited business unit;
  • Are balanced, reporting the positive risk and control practices as well as the weaknesses observed;
  • Identify the best practices observed throughout the organization;
  • Rate recommendations as high, medium, or low in order to assist management in assigning priority to the issues raised.

The chief audit executive provides summaries of audit reports to
senior management and the audit committee. The level of detail depends
on the size of the organization, but is sufficient to allow the audit
committee to understand the types and frequency of control issues that
internal audit raises and how management is responding to them.

Good internal audit functions have processes for assessing their own effectiveness. They use the results, together with feedback from the stakeholders, to monitor trends over time and achieve continuous improvement in their practices and performance. Examples of measurement techniques include customer satisfaction surveys, post audit debriefing, and internal quality assurance reviews.

How Deloitte can help

Deloitte is recognized as a leader in internal audit services in Luxembourg. Through years of experience, we have developed extensive expertise in a wide range of regulated and non-regulated industries such as transportation, public entities, healthcare, real estate, technology, research centers, and manufacturing.

Deloitte helps organizations to establish and improve their internal audit functions by supporting companies in:

  • Creation: We help build value-adding and leading functions adaptable to our client’s environment;
  • Co-sourcing: We offer a flexible solution to supplement your internal audit team with external resources of specialized skills;
  • Outsourcing: We can fully adopt the role and serve as the organization’s internal audit department;
  • Strategic audit plan development: We analyze risk-driven plans to reach specific management or Board objectives using a prioritized risk universe;
  • Internal audit function review and enhancement: We can measure the internal audit quality, benchmark, and transformation;
  • Internal audit training, methodology, and tools: As our team stays abreast of the latest trends and guidelines, we are able to offer tuition for both staff and management.
