I.6 Examples of Engagement Performance Best Practices

  1. Over time, a number of activities, procedures, and processes have been developed and, upon introduction, have been found to be very successful. Subsequently, other organizations have utilized these practices, often with some modification, until they have become generally accepted as valuable tools for the profession, termed “best practices.” A number of such best practices are listed below for consideration. There are, of course, many other successful practices that have not been included.

Conducting Enterprise Risk Assessment

  1. The need for risk assessment has long been recognized and is included in the Institute of Internal Auditors’ (IIA) “Internal Auditing’s New Definition.” A more recent addition to the risk assessment universe is enterprise risk. Enterprise risk management is “A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.”

Utilizing Risk and Control Self-assessment (CSA)

  1. These assessments are techniques used in an audit or in place of an audit to assess risk and control strengths and weaknesses against a control framework. The self-assessment refers to the involvement of management and staff in the assessment process, often facilitated by internal auditors.

Using Internal Control Processes Based on Control Frameworks such as COSO, CoCo, King, Cadbury

  1. The Committee of Sponsoring Organizations (COSO) issued a document in 1992 titled Internal Control—Integrated Framework. The document was later updated in 2013. According to COSO, “Internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.” In addition to these goals, COSO identified five interrelated components of internal control:

    1. the control environment, which includes the integrity, ethical values, and competence of an organization’s people;

    2. risk assessment;

    3. control activities;

    4. information and communication; and

    5. monitoring.

  2. These components combine to form an integrated system of controls. To conclude that internal control is effective in any category of objectives, all five components must be present and functioning.

Partnering with Management

  1. Many partnering opportunities are appropriate. One of the most common is seeking input from interdepartmental management for inclusion in the risk assessment process and in the annual audit plan. Sharing proposed audits with the customer well in advance of the review and allowing suggestions about the audit scope is another opportunity. An additional possibility is establishing an interdepartmental committee to advise the chief audit executive (CAE).

Integrating Concepts of Corporate Governance into Practice

  1. There are four major groups involved in the governance process of the Office of the Auditor General of Canada (Office). They include

    1. the oversight group, comprising the Auditor General, the Executive Committee, and the Audit Committee;

    2. the stewardship group, which is the management category;

    3. the performance group consisting of operating and support management and staff; and

    4. the assurance group, which includes the internal audit activity.

  2. The Practice Review and Internal Audit (PRIA) activity should contribute to the Office’s governance process by evaluating the processes through which (1) values and goals are established and recommended; (2) accomplishment of goals is monitored; (3) accountability is ensured; and (4) values are preserved (see Standard 2130).

Increasing Staff Performance

  1. This might be accomplished by education and training. Introduction of mechanized tools, such as computer-assisted audit techniques (CAATs), can increase productivity for internal auditors. Establishing stretch objectives and introducing performance measures can also help.

Communicating More Effectively

  1. This might be done by creating a user-friendly report format with an appropriate executive summary and clear, concise information. Providing interim audit summary reports to the Audit Committee, the Auditor General, and senior management is a good technique. Communicating about PRIA activity by using the intranet can be effective. Also significant is the adoption of an appropriate internal audit activity charter that clearly specifies its mission, authority, and responsibilities.

Developing Staff, both Personally and Professionally

  1. Most PRIA activities require a competency level that includes a bachelor’s degree from a university or business school. Graduate degrees are encouraged. In addition, the best internal audit activities try to obtain a balance of certifications among the staff, such as Certified Internal Auditors (CIAs), Certified Information Systems Auditors (CISAs), professional accounting designations (Chartered Professional Auditors (CPAs)), and many others. In addition, a goal of 80 hours of annual training per auditor is frequently found. This includes audit training primarily but also general business and information technology (IT) training, as well as other areas. Continuous training is essential for staff to keep up with changes in the profession and to offer value to the Office.

Using More Technology to Increase Staff Efficiency

  1. To utilize technology effectively, the first step is to staff PRIA with some people who have the necessary IT qualifications. Continuous training is required to keep up the skill levels. Tools required by IT auditors include software packages for data extraction and analysis, fraud prevention/detection, network security assessment, automated working papers, and e-commerce control, to name a few. In addition, CAATs are often developed for/by auditors to accomplish specific tasks.

Conducting Audits in Emerging Areas

  1. Most PRIA activities have in their charters a broad mandate to help achieve organizational objectives, bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. In discharging its duties, a PRIA activity must examine all relevant facets of the Office’s operations. To carry out its charge, PRIA needs experienced people with multidisciplinary skills. Larger organizations may be able to add such people to the internal audit activity’s permanent staff. Another choice for an organization of any size might be to transfer people (non-auditors) from elsewhere in the organization for the duration of an engagement. Another choice is to co-source specific activities or audits with external specialists, if needed. Some disciplines required include IT, environmental, engineering, legal, quality management, and self-assessment.

Utilizing Performance Measurements

  1. Measurement criteria are useful in setting annual objectives for PRIA, for presentations to the Audit Committee, the Auditor General, and senior management, and for effectively performing the tasks at hand.

  2. One of the most significant measurements is “cycle time,” which measures elapsed time from engagement field completion to final report issuance. In many organizations, the cycle time for some audits may be six months or longer.

  3. The number of recommendations accepted is another significant measure. If the percentage is high, it indicates good communications during the engagement and customer satisfaction with the auditor’s work.

Last modified:
2018-03-27