TIAPS ALB_Module 2D. Managing the Internal Audit Activity

2D. Managing the Internal Audit Activity 

2D Learning Outcomes 

On completion of this section, students will be better able to: 

• Differentiate between the roles and responsibilities of internal audit managers and 

chief audit executives. 

• Develop a strategic plan for internal audit function. 

• Promote advanced professional audit practices (e.g., agile auditing, data analytics, 

using digital tools, alternative reporting methods, auditing ESG, and auditing 

cybersecurity). 

2D.1 Managing the Internal Audit Function 

IIA Internal Audit Competency Framework: Internal Audit Strategic Planning and 

Management 

General Awareness: Recognize the importance of aligning the internal audit strategic plan 

with the organization’s strategy. Differentiate various internal audit roles, including the 

engagement supervisor and chief audit executive. Identify key activities in supervising 

engagements. 

Applied Knowledge: Create the internal audit strategic plan in alignment with the 

organization’s strategy, risk profile, and risk management strategy; create an effective and 

efficient budget for the internal audit activity. Manage internal audit personnel (including 

recruiting, developing, motivating, managing conflict, building teams, delegating, retaining 

talent, and succession planning); create policies and procedures for managing internal audit 

operations. Supervise engagements. 

Expert: Assess the internal audit strategic plan; evaluate and recommend improvements to 

the budget for the internal audit activity. Assess the talent management efforts of the internal 

audit activity; appraise policies, procedures, and administrative activities of the internal audit 

activity. Assess engagement supervision activities to ensure the quality of the internal audit 

activity. 33 

There are many roles a manager must adopt, and these apply to a leadership positions 

within the internal audit function as much as anywhere. Henry Mintzberg, for example, 

identified ten key roles for managers: 

1. Figurehead. 

2. Leader. 

3. Liaison. 

4. Monitor. 

5. Disseminator. 

6. Spokesperson. 

7. Entrepreneur. 

8. Disturbance handler. 

9. Resource allocator. 

10. Negotiator. 34 

33 

Internal Audit Competency Framework, The IIA, 2022. 

34 Mintzberg, Henry Mintzberg on Management, Free Press, 1989. 

49

A manager manages tasks and activities, people, budgets, information, time, talent, and 

relationships by using tools like goal setting, planning, performance monitoring and 

evaluation, communication, training, motivation, delegation, diplomacy, and leading by 

example. 

Structures of internal audit functions can vary according to the resources available and the 

nature of the work. In the smallest possible functions, one person acts as the chief audit 

executive and the sole internal auditor, perhaps supported by guest auditors or outsourced 

services. In this case the individual is responsible for everything, although full compliance 

with the requirements of the IPPF and adequate coverage of the significant risks and 

controls of the organization can be challenging. In larger teams the head of the function can 

choose to stratify roles according to an appropriate hierarchy to assist with the tasks of 

coordinating, directing, and leading. As the IPPF makes clear, the head of internal audit may 

choose to delegate but retains the ultimate responsibility (see for example Standard 2440 – 

Disseminating Results: “When the chief audit executive delegates these duties, he or she 

retains overall responsibility.” 35 ) 

Roles in order of ascending seniority may include: 

• Junior auditor. 

• Senior auditor. 

• Audit supervisor. 

• Audit manager or lead auditor. 

• Audit director. 

• Head of internal audit. 

As well as being a way of organizing activities and resources, such hierarchical structures 

can help with defining career paths for individuals who are ambitious. There may also be 

specialized positions for activities such as IT. Individuals may also be expert in key 

processes. Value for money (performance) audits, evaluations, and investigations are 

sometimes part of the audit function (although this is not required by the Standards) and in 

other situations are managed separately. The head of the function must ensure there is 

sufficient expertise to cover the scope as defined in the charter and deliver the assurance 

engagements in the approved plan. This is stated in Standard 1210 – Proficiency: 

Internal auditors must possess the knowledge, skills, and other competencies needed to 

perform their individual responsibilities. The internal audit activity collectively must 

possess or obtain the knowledge, skills, and other competencies needed to perform its 

responsibilities. 36 

A similar point is made regarding the supervision of audit engagements in Standard 2340 – 

Engagement Supervision. 

Engagements must be properly supervised to ensure objectives are achieved, quality is 

assured, and staff is developed. 

35 

International Professional Practices Framework, The IIA, 2016. 

36 


50

Interpretation: The extent of supervision required will depend on the proficiency and 

experience of internal auditors and the complexity of the engagement. The chief audit 

executive has overall responsibility for supervising the engagement, whether performed 

by or for the internal audit activity, but may designate appropriately experienced 

members of the internal audit activity to perform the review. Appropriate evidence of 

supervision is documented and retained. 37 

In addition to the general managerial roles listed above, managers in internal auditing have 

specific responsibilities as defined by the International Standards for the Professional 

Practice of Internal Auditing included within the IPPF, according to which the head of internal 

audit (the CAE) must: 

The CAE must 

Standard 

Periodically review the internal audit charter. 

Standard 1000 – Purpose, 

Authority, and Responsibility 

Discuss the mandatory elements of the IPPF with senior Standard 1010 – Recognizing 

management and the board. 

Mandatory Guidance in the 

Internal Audit Charter 

Disclose interference in the work of internal audit to the Standard 1110 – 

board and discuss the implications. 

Organizational Independence 

Communicate and interact directly with the board. Standard 1110 – 

Organizational Independence 

Obtain competent advice and assistance if internal Standard 1210 – Proficiency 

auditors lack the competencies to perform planned 

assurance engagements and decline consulting 

engagements or obtain competent advice and assistance 

if internal auditors lack the competencies to perform 

planned advisory engagements. 

Develop and maintain a quality assurance and 

Standard 1300 – Quality 

improvement program (QAIP). 

Assurance and Improvement 

Discuss the form and frequency of external assessments 

and the qualifications and independence of assessors with 

the board and encourage board oversight of external 

assessments to reduce potential conflicts of interest. 

Communicate results of the QAIP to senior management 

and the board. 

Disclose any nonconformance with the Code of Ethics of 

Standards and its impact with senior management and the 

board. 

Manage the internal audit function effectively. 

Establish, communicate, and seek approval for a riskbased 

plan of engagements in consultation with senior 

management and the board, adjusting the plan in 

response to organizational and situational changes as 

needed. 

Program 

Standard 1312 – External 

Assessments 

Standard 1320 – Reporting on 

the Quality Assurance and 

Improvement Program 

1322 – Disclosure of 

Nonconformance 

Standard 2000 – Managing the 

Internal Audit Activity 

Standard 2010 – Planning 

37 


51

Ensure sufficiency of resources to deliver the plan. 

Establish policies and procedures for internal auditing. 

Share information, coordinate activities, and consider 

relying on the work of other assurance providers. 

Report periodically to senior management and the board 

on performance relative to the plan. 

Set and implement policies for retention and access to 

engagement records. 

Communicate corrected information if final communication 

contains significant errors or omissions. 

Review, approve, and communicate results of audits to 

appropriate parties. 

Establish and maintain a system to monitor the disposition 

of results. 

Discuss situations with senior management where level of 

risk accepted by management is unacceptable and, if 

unresolved, communicate the matter with the board. 

Standard 2030 – Resource 

Management 

Standard 2040 – Policies and 

Procedures 

Standard 2050 – Coordination 

and Reliance 

Standard 2060 – Reporting to 

Senior Management and the 

Board 

Standard 2330 – Documenting 

Information 

Standard 2421 – Errors and 

Omissions 

Standard 2440 – Disseminating 

Results 

Standard 2500 – Monitoring 

Progress 

Standard 2600 – 

Communicating the 

Acceptance of Risk 

To carry out these roles, the head of the function must enjoy unrestricted access to senior 

management and the board (Standard 1100 – Independence and Objectivity) and report to a 

level that allows internal audit to fulfil its responsibilities, including reporting functionally to 

the board (Standard 1110 – Organizational Independence). In some cases, the head of the 

internal audit unit is the only member of the team. In such situations the head does not have 

responsibility for managing other people but is expected to plan, perform, and communicate 

engagements as well as fulfil the duties listed above. The most important of these relate to 

the relationship with senior management and the governing body, safeguarding 

independence, and managing the quality assurance and improvement program. 

2D.1: Reflection 

Consider the 10 manager roles listed by Mintzberg given above. 

Are all these roles appropriate for the head of an internal audit unit, and if not, why not? 

Of the 10 roles listed, which do you see yourself currently fulfilling as part of your job? 

Identify all that apply. 

Of the 10 roles listed, for which do currently have the necessary competency to fulfil? 

Of the 10 roles listed, for which do you most need to develop your competency to fulfil 

successfully? 

52

2D.2 Internal Audit Strategic Planning 

There are three important levels at which planning should take place: 

• Individual engagements (work program). 

• Multiple engagements (audit plan). 

• Internal audit strategy (strategic plan). 

2D.2.1 Engagement Work Program 

Creating the work program is usually a task for the internal auditor. It describes the process, 

resources, and timelines needed to fulfil the audit objectives, and it should be approved by 

the head of internal audit or a designee. The requirements for the work program are 

described in Standard 2201 – Planning Considerations and Standard 2240 – Engagement 

Work Program. 

2D.2.2 Internal Audit Plan 

IIA Internal Audit Competency Framework: Audit Plan and Coordinating Assurance 

Efforts 

General Awareness: Identify sources of potential engagements, including industry trends 

and emerging risks. Describe coordination of internal audit efforts with the external auditor, 

regulatory oversight bodies, and other internal assurance functions, and potential reliance on 

other assurance providers. 

Applied Knowledge: Conduct a risk assessment, prioritize engagements, develop a riskbased 

internal audit plan, and obtain board approval. Prepare a risk assurance map. 

Expert: Evaluate and revise a risk-based internal audit plan to meet the organization’s 

evolving needs. Coordinate assurance efforts with other providers to ensure proper coverage 

and minimize duplication of efforts. 38 

The audit plan is often created for a 12-month period although the Standards do not require 

it to be an annual plan. Increasingly, internal audit functions are developing shorter plans to 

allow for greater flexibility and responsiveness. As part of the audit plan, resources and 

timelines are allocated to individual engagements. The requirements for the audit plan, 

including that it be risk-based, are defined in Standard 2010 – Planning. The head must also 

ensure sufficiency of resources (Standard 2030 – Resource Management). As part of the 

audit plan, the head of internal audit may identify opportunities for using the findings of other 

internal and external assurance providers to avoid unnecessarily repeating work. There is 

also an important role to play in coordinating assurance across an entity to ensure 

sufficiency and efficiency of coverage (see Standard 2050 – Coordination and Reliance). 

However, the opportunity to use the work of other assurance providers may be limited if 

there are no risk and compliance functions performance audits. Even where such audits 

have been conducted, internal audit must first determine the reliability by considering factors 

such as relevance, use of standards, competence, degree of independence of the provider 

from the activity under review, and objectivity of the auditors deployed. The due diligence 

required to confirm the reliability of the work of other providers can be time-consuming. 

38 


53

A more agile approach to internal audit planning with a span shorter than 12 months requires 

more frequent review and updating of the plan to keep the upcoming period in view. This is 

possible in practical terms if the approvals process for the audit plan (by the audit committee 

or governing body) is similarly agile. Sometimes bureaucratic processes necessitate a more 

traditional approach to planning, often within an annual cycle. The head of the internal audit 

unit can advocate for change on the basis of the benefits an agile approach can provide in 

terms of greater responsiveness and relevance to changing conditions, and greater value to 

support management oversight and decisions. 

2D.2.3 Internal Audit Strategic Plan 

The Standards do not refer to a strategic plan for internal audit. However, Implementation 

Guidance for Standard 2000 – Managing the Internal Audit Activity gives a very clear 

direction in stating that “the CAE develops an internal audit strategy and approach that 

aligns with the goals and expectations of the organization’s leadership.” 39 A strategic plan is 

not simply a multi-year audit plan. It represents a medium- to long-term program for 

enhancing and improving the internal audit function and the services it delivers to better 

serve the current and future needs of the organization. To prepare for this, the head of the 

function should consider the following: 

• The internal audit function’s purpose and responsibility as defined in the charter or by 

legislation. 

• The organization’s structure, reporting relationships, and resources. 

• Organizational stakeholders and their needs and expectations, most notably: 

o The governing body. 

o Senior management. 

o Unit managers. 

o Line ministries or equivalent where applicable as well as central government 

priorities. 

o External audit (comprising the Supreme Audit Institution and any other 

external audit service providers). 

o Service users (individuals, organizations). 

o Suppliers. 

• The organization’s vision, mission, goals, and strategies. 

• Risks in relation to the organization’s vision, mission, goals, and strategies, taking 

account of trends and emerging issues. 

• The International Professional Practices Framework. 

• Risk management maturity. 

• The current strengths and weaknesses of the internal audit function. 

• Other information about the organization, its position and activities, the sector in 

which it operates, its culture, and so on. 

39 


54

Common tools for analyzing the internal and external environment include: 

• A SWOT analysis for the organization: 

o Strengths and weaknesses of the organization, its current performance, 

position, and prospects. 

o Opportunities and threats (which collectively may be considered as risks) that 

may impact future performance, position, and prospects. 

• A SWOT analysis for the internal audit function. 

• A PESTEL analysis, covering the following classes of local, regional, national, and 

international factors, trends, and shifts: 

o Political (election cycles, leadership, political factions, policies). 

o Environmental (natural resources, waste disposal, pollution). 

o Social (demographics, opinions, habits, rule of law, education, poverty). 

o Technological (innovation, adoption, hazards). 

o Economic (GDP, inflation, unemployment). 

o Legislation. 

When developing a strategy for internal audit, it is very useful to create a vision statement. 

This is designed to capture and communicate a succinct expression of ambition. Examples 

of internal audit vision statements are given below: 

• To be known for providing superior internal audit services and to continually 

challenge ourselves to provide them in a value added, best practices manner. Fairfax 

County. 

• To be recognized by VUMC management and the Board of Directors as 

an independent and sought after resource that actively supports the organization’s 

identification, evaluation and mitigation of risks and serves as a proponent for internal 

controls and continuous improvement. Vanderbilt University Medical Center. 

• To be a valued partner with MUW management by providing assurance and 

consulting services that help the University meet goals through building trust, 

partnerships, and exhibiting a high skill level and a thorough understanding of the 

University. Mississippi University for Women. 

• To be a trusted and innovative internal audit service provider to public sector 

management and other stakeholders. General Department, Republic of Kenya. 

A vision should define a desired future state of the internal audit function. 

Many internal audit strategic plans also include a mission statement to describe the 

function’s purpose and how it will reach its vision. The IPPF includes a generic mission 

statement for the profession and many internal audit functions adopt and adapt this: 

To enhance and protect organizational value by providing risk-based and objective 

assurance, advice, and insight. 40 

Critical success factors are those essential elements on which the success of the strategic 

plan depends. The IIA Practice Guide: Developing the Internal Audit Strategic Plan offers 

three questions to consider that help identify those success factors: 

40 


55

• Positioning – Is the internal audit activity strategically positioned and supported? 

• Processes – Are the internal audit activity’s processes enabling and dynamic in 

meeting business needs? 

• People – Does the internal audit activity have the right people strategy to deliver its 

mission? 41 

The major portion of the internal audit strategic plan should describe key initiatives to be 

undertaken to support the achievement of vision and mission and continue to drive the 

performance of the function forward. As part of the strategic (and potentially developed as a 

separate but related strategy), the following major areas are likely to require detailed 

consideration: 

• Talent strategy, including remuneration, recruitment, onboarding, retention, training, 

performance monitoring and evaluation, recognition, reward, promotion, and 

succession planning for key individuals. (Managing people is covered in section 2B.) 

• Resource strategy, including digital transformation and use of digital tools for audit 

planning, management, monitoring, and reporting. (Use of digital tools is covered in 

section 2D.3 and data analytics in 2E.) 

• Process development strategy, including continuous evolution of policies, 

procedures, audit manuals, and so on. 

• Quality assurance strategy, incorporating self-assessment, target-setting for 

improvement, supervision, training, peer review, and external assessments. (Quality 

assurance is covered in section 2C.) 

Many internal audit functions consciously identify and promote a coherent brand as part of 

their strategy linked to their mission and goals. This may be effected through consistency in 

communications (emails, reports, presentations, and so on). 


What is the period covered by the internal audit plan (i.e., the plan of engagements)? 

What are the pros and cons of creating a 12-month audit plan each year compared with 

something longer or shorter? 

Does your internal audit function have a well-defined strategy and strategic plan? 

If your internal audit unit has a vision and/or mission statement, share and discuss them 

with your fellow students. If not, or if you are not aware of them, how you would state the 

vision and the mission for the internal audit unit? 

41 

Practice Guide: Developing the Internal Audit Strategic Plan, The IIA, 2012. 

56

2D.3 Advanced Professional Practices 

IIA Internal Audit Competency Framework: Communication 

General Awareness: Recognize the value of advocacy and the importance of maintaining 

stakeholder relationships (e.g., board, senior management, audit clients, other assurance 

providers, external stakeholders). Describe appropriate communications between internal 

auditors and stakeholders, including key performance indicators; recognize that the chief 

audit executive reports on the overall effectiveness of the organization’s internal control and 

risk management processes to senior management and the board. Recognize the 

importance of written and verbal communication skills, including soft skills such as conflict 

management, influence, and persuasion. 

Applied Knowledge: Manage the internal audit activity’s reputation and stakeholder 

expectations; demonstrate sincerity, honesty, and empathy in communications with 

stakeholders to build trust and maintain relationships. Prepare relevant and appropriate 

communications for internal audit stakeholders, including reports to senior management and 

the board (e.g., significant risk exposures, key performance indicators, etc.). Demonstrate 

soft skills (conflict management, influence, and persuasion); provide insightful consultation to 

contribute to the organization’s effectiveness; detect opportunities for change and facilitate 

change. 

Expert: Assess stakeholder relationships and recommend actions to achieve improvements; 

evaluate the advocacy efforts of the internal audit activity. Assess internal audit 

communications with stakeholders, including key performance indicators to evaluate the 

success of the internal audit activity, and recommend improvements. Assess the internal 

audit activity’s written and verbal communication skills, soft skills, and innovation; 

recommend improvements. 42 

As a profession, internal auditing and its practices continue to evolve. This does not happen 

at an even rate around the world. The maturity of internal auditing depends on many factors, 

including leadership, resources, culture, sector, organizational objectives, legislative and 

regulatory requirements, and the risk management maturity of the organization. Internal 

audit leaders have a responsibility to ensure their clients receive the best possible service 

aligned to organizational needs. They should stay informed about developments in the 

profession as well as advancing their own expertise. This can be achieved through 

networking with peers, training, reading, listening to stakeholders, and harnessing the 

potential within their own team by encouraging innovation. Audit leaders should be unafraid 

to experiment and to challenge perceived orthodoxy in pursuit of continuous improvement. 

Audit functions, especially in the public sector, can be small and fully stretched in delivering 

internal audit services. it is a challenge to find the time and resource to commit to innovation 

and improvement, including experimentation with different approaches such as agile 

methodologies. The support and encouragement of the Central Harmonization Unit, audit 

committee (where such exists), and senior leadership are crucial. The head of the internal 

audit unit must persuade those to whom they are accountable of the need for continuous 

development. Strategic goals must be realistic, but it is imperative to establish forward 

42 


57

momentum, to remain relevant, to keep up with the ever-changing internal and external 

environments, to serve the organization and its stakeholders successfully. 

How should a head of internal audit go about persuading whoever controls their budget (the 

audit committee, governing body, senior management, central government). In a 2019 blog, 

Anand Bhakta, writing for AuditBoard, provided some useful suggestions to help win the 

argument for more resources. 43 

• Know your organization’s culture. Internal audit needs to be aligned with what 

matters most to those who control the budgets. 

• Consider your CFO’s communication style. The head of internal audit must appeal to 

the primary decision-maker regarding budgets by providing information in a way best 

suited to their personal preferences. 

• Start with prior wins. It always helps to highlight improvements that have resulted 

from internal audit recommendations and this is even more effective when they are 

quantifiable in terms of costs saved, errors corrected, waste reduced, fraud 

discovered or averted, timelines shortened, higher levels of compliance, productivity 

increased, and user satisfaction improved. (Internal audit metrics are considered in 

Module 3.) 

• Make the business case. Speak the language of finance and link internal audit 

successes with financial performance. (Financial ratios are considered in Module 3.) 

• Show the cost comparison. If the head of internal audit is asking for an increase in 

resources, it is fair to ask for a comparison with the value this will add. Cost savings 

may be achieved by employing a new auditor rather than relying on outsourced 

expertise, for example, or investing in automation to reduce time and costs spent in 

manual tasks while increasing coverage and accuracy. 

• Keep an open mind. A process of negotiation is more likely to be successful if you 

are prepared to compromise. 

• Know how to follow up. The end of a conversation or a meeting usually requires 

follow agreements and actions where it is important for the head of internal audit to 

be proactive. 

The head of internal audit must be an advocate for change. Internal audit functions – whose 

purpose is to act as a catalyst for continuous improvement – should (subject to resources) 

set an example by embracing innovation. The following sections consider what may be 

regarded as “advanced professional practices,” reflecting some observed innovation 

happening in internal audit functions. 

2D.3.1 Using Digital Tools 

The use of computer assisted audit tools and techniques (sometimes abbreviated to 

CAATTs) continues to develop as the potential of technology advances. We can make a 

broad distinction between the two main uses internal auditors make of technology: 

• To manage audit processes (such as planning, documentation, and communication). 

• To test and analyze data. 

43 

7 Ways to Win the Internal Audit Budget Argument with your CFO, AuditBoard, 2019. 

58

For further detail, see Computer Assisted Audit Techniques (CAATS): Definition, types, 

advantages and disadvantages 44 . 

There is a wide variety of audit software designed to automate the audit process, enabling: 

• Collaborative, participatory, continuous, comprehensive, dynamic, and anticipatory 

activities, seamlessly integrating multiple perspectives and systems. 

• Dynamic and agile planning. 

• Remote auditing and supervision. 

• Cloud-based storage for streamlined documentation, ready access, sharing, 

monitoring, and review. 

• Easy access to and manipulation of big data. 

• Advanced analysis and evaluation techniques. 

• Continuous communication and reporting. 

• Integration with other systems, including risk and control platforms, and the potential 

for continuous risk assessment and continuous auditing. 

• Ongoing monitoring for follow-up. 

Increasingly organizations have digital assets (such as cryptocurrency (in environments like 

Blockchain) and non-fungible token (NFTs)) that form part of the audit universe, although to 

a lesser extent in the ublic sector compared with private sector organizations. In addition, 

technological innovations such as robotic process automation (RPA), machine learning (ML), 

natural language programming (NLP), artificial intelligence (AI) and data analytics tools offer 

huge potential for internal auditors, including: 

• Reduced costs and time. 

• Increased efficiency, speed, agility, accuracy, and quality. 

• Ability to automate mundane, laborious tasks. 

• Ability to evaluate much larger volumes of data. 

• Potential to deliver greater insights and value. 

• Opportunities for real-time and continuous auditing. 

• Improved processes for planning, creating work papers, retaining documents, testing, 

evaluating results, reporting, and monitoring for follow up. 

• Enhanced experiences for the internal auditor and the client. 

Many of the agile auditing practices described in the next section (2D.3.2) are enabled or 

greatly assisted by the use of technology. 

Adoption of digital tools has generally been slower in the public sector and is proportionate 

to internal audit maturity and available economic resources. Progress can be made 

incrementally, starting with small steps. Excel offers huge potential beyond offering a useful 

grid for holding data. IDEA is an example of a commonly used audit software with options to 

implement on a modular basis. Without seizing such opportunities, there is a real danger 

internal auditing will be regarded as outmoded and irrelevant. However, when planning for 

44 

Computer Assisted Audit Techniques (CAATS): Definition, types, advantages and disadvantages, Accounting Hub. 

59

the introduction of CAATTs, internal audit managers should be clear about their objectives 

for doing so and consider the potential pitfalls. 

• There is likely to be a license cost for the desired app, software, platform, or system, 

plus installation and integration with existing IT. 

• It is very important to ensure users receive the necessary training. 

CAATTs can be a distraction and there should be a plan for the introduction of additional 

capabilities to ensure they genuinely improve the quality of internal audit services and meet 

the needs of audit clients. You can be seduced by the sophisticated modeling and 

visualizations but that is no guarantee the findings are relevant. There will always be a need 

for human judgment and insight. 

These tools can be used to enable automated controls testing, as described in Module 1 

Audit and Assurance section 1C.3.2. 

2D.3.2 Agile Auditing 

The term “agile auditing” can be used informally to describe professional practices that are 

flexible and responsive. A more technical use refers to the application of the Agile manifesto 

and principles to internal auditing. 

The Agile manifesto was developed by software engineers in 2001 to define principles to 

optimize the value of work produced for clients with the utmost efficiency. The 12 principles 

are: 

1. Our highest priority is to satisfy the customer through early and continuous delivery of 

valuable software. 

2. Welcome changing requirements, even late in development. Agile processes harness 

change for the customer’s competitive advantage. 

3. Deliver working software frequently, from a couple of weeks to a couple of months, 

with a preference to the shorter timescale. 

4. Business people and developers must work together daily throughout the project. 

5. Build projects around motivated individuals. Give them the environment and support 

they need, and trust them to get the job done. 

6. The most efficient and effective method of conveying information to and within a 

development team is face-to-face conversation. 

7. Working software is the primary measure of progress. 

8. Agile processes promote sustainable development. The sponsors, developers, and 

users should be able to maintain a constant pace indefinitely. 

9. Continuous attention to technical excellence and good design enhances agility. 

10. Simplicity – the art of maximizing the amount of work not done – is essential. 

11. The best architectures, requirements, and designs emerge from self-organizing 

teams. 

12. At regular intervals, the team reflects on how to become more effective, then tunes 

and adjusts 

its behavior accordingly. 45 

45 

www.agilemanifesto.org 

60

This can also be expressed as choosing to value: 

• Individuals and interactions over processes and tools. 

• Working software over comprehensive documentation. 

• Customer collaboration over contract negotiation. 

• Responding to change over following a plan. 

From the focus on reflective, self-organizing teamwork – especially in principles 11 and 12 – 

the idea of scrums and sprints was also developed. A daily scrum is a 15-minute team 

meeting to review and plan. A sprint is a session in which short term plans are created by the 

team through which priorities and goals are set and agreed. A scrum board is a simple 

display providing a quick visualization of actions divided into: 

• To do. 

• Doing. 

• Done. 

Kanban is a similar framework for implementing Agile principles, relying on real-time 

communication of capacity and progress. 

The Agile approach can be applied to internal auditing. Deloitte, for example, has developed 

an internal audit agile manifesto. 

1. Outcome-driven | Value-driven. 

2. Just-in-time | Proactive approach to the “right projects at the right depth/focus.” 

3. One size does not fit all – customized project focused on value and risk. 

4. Collaborative approach – take the journey with our clients. 

5. Mix it up a little bit, break some eggs – challenge “that’s the way we’ve always done 

it.” 

6. Decisioning “as you go” with transparency and alignment. 

7. Continuous communication with all stakeholders. 

8. Be quick and iterative versus confined to a plan. 

9. Impact over thoroughness – “good enough” (80/20 rule). 46 

In practice this means: 

• Managing a flexible and responsive audit plan rather than a rigid 12-month schedule 

of engagements. Often an initial plan is created, perhaps with firm dates for the next 

period (three or six months), while the subsequent period is considered provisional 

so that changes can be made as circumstances, risks, and priorities evolve. (See, for 

example, “Planning for uncertainty: the rise of the flexible audit plan.” 47 ) 

• Customizing processes and formats to meet the needs of the client rather than 

sticking with a standard approach and templates. 

• Communicating with the client continuously, sharing findings and agreeing 

management responses during the engagement as far as possible. 

• Blending assurance and advisory engagements. 

46 

Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017. 

47 

“Planning for uncertainty: the rise of the flexible audit plan,” AuditBoard, 2022. 

61

• Adopting innovative styles of report, focusing on the truly essential, and dispensing 

with superfluous details. (See, for example, “One page audit report: maximizing 

efficiency, elevating impact.” 48 ) 

2D.3.3 Lean Auditing 

A close relative of agile auditing is lean auditing, as described by James Paterson in his 

2015 book Lean Auditing: Driving Added Value and Efficiency in Internal Audit. 49 Lean 

production methods were developed in the 1980s by car manufacturer Toyota. The 

philosophy is a combination of just-in-time and right-first-time thinking, using only as much 

resource as is needed to deliver quality services. We sometimes get bogged down in 

following time-honored practices that we fail to see that some of the inputs are unnecessary. 

Internal audit’s deliverable is not the audit report but the impact on the organization. The aim 

of lean approaches is to reduce defects, lead times, costs, and waste while improving 

capacity productivity, responsiveness, and customer satisfaction. 

The key aims can be expressed as follows: 

• Understand value from the point of view of the customer. 

• Identify the value stream. 

• Create activities that flow. 

• Pull through to deliver “just in time”. 

• Aim for perfect process without waste/rework or bottlenecks. 50 

According to Paterson, to transfer the principles of lean production to internal auditing 

requires the following: 

• Be clear who are the key customers of our audit work. 

• Be clear what those customers really want (and what they do not want). 

• Pay close attention to identifying Muda (waste). 

• Resource assignments appropriately. 

• Plan assignments carefully. 51 

Paterson also identifies four important ways in which productivity can be improved during 

engagements. 

• Testing. The key is to know how much is enough. There is a tendency to over-audit 

above the level of risk or desired level of assurance. 

• Root cause analysis. While less time may be spent in many cases on testing, more 

time can be usefully applied to analysis and identifying root causes. Audit reports 

often pull their punches by presenting findings but providing inadequate insight. 

48 

“One page audit report: maximizing efficiency, elevating impact,” AuditBoard, 2022. 

49 

Paterson, James, Lean Auditing: Driving Added Value and Efficiency in Internal Audit, Wiley, 2015 

50 

Lean Auditing (Part 1): Rethinking Internal Audit Using Lean Techniques to Enhance Value and Improve Productivity, 

efficientlearning.com. 

51 



62

• Driving value in effective audit reporting. Reports should focus on what is important, 

avoiding a common temptation to describe in detail every action taken by the auditor 

and every piece of evidence collected. 

• Audit team culture. As modeled by the head of unit, the internal audit function must 

be committed to the principles of lean auditing, working with pace and energy to drive 

organizational improvements. 52 

2D.3.4 New and Evolving Risk Areas 

The World Economic Forum publishes a list of the top ten risks every year. They are not 

specifically risks for organizations or any particular sector but for the world. Each 

organization has its own risk profile related to its objectives and circumstances. However, 

consideration of global risks is a useful exercise for organizations and their internal audit 

functions. The latest report for 2023 lists the following short-term and long-term risks. 53 

Short-term (two years) 

Long-term (10 years) 

Risk Category Risk Category 

1. Cost of living crisis Societal 1. Failure to mitigate climate Environmental 

change 

2. Natural disasters and Environmental 2. Failure of climate change Environmental 

extreme weather events 

adaptation 

3. Geoeconomic 

Geopolitical 3. Natural disasters and Environmental 

confrontation 

extreme weather events 

4. Failure to mitigate climate Environmental 4. Biodiversity loss and Environmental 

change 

ecosystem collapse 

5. Erosion of social 

Societal 5. Large-scale involuntary Societal 

coherence and societal 

polarization 

migration 

6. Large-scale 

environmental damage 

Environmental 6. Natural resource crises Environmental 

incidents 

7. Failure of climate change 

adaptation 

Environmental 

7. Erosion of social 

cohesion and societal 

polarization 

8. Widespread cybercrime 

and cyber insecurity 

8. Widespread cybercrime Technological 

and cyber insecurity 

9. Natural resource crises Environmental 9. Geoeconomic 

confrontation 

10. Large-scale involuntary Societal 

migration 

10. Large-scale 

environmental damage 

incidents 

Societal 

Technological 

Geopolitical 

Environmental 

As they are not specific to objectives, we can regard these broadly speaking as risk areas. 

There is a high degree of uncertainty and volatility in each of these. We can use the WEF 

categories to consider areas of new and emerging risks relevant for most organizations that 

should be considered as part of internal audit’s risk-based planning. 

52 



53 

Global Risks Report 2023, World Economic Forum, 2023. 

63

WEF Categories of Global 

Risks 

Societal 

Technological 

Environmental 

Geopolitical 

Economic 

Important Organizational Risk Areas 

Culture, fraud 

Cybersecurity, cloud computing, BYOD (bring your own 

device), Blockchain 

ESG, water and food shortages 

Supply chain disruption, third party vendors 

Rising inflation, wealth inequality 

Many of these are overlapping and inter-related. For example, environmental, geopolitical, 

and economic factors can all impact supply chains. 

The European Confederation of Institutes of Internal Auditors ECIIA also produces an annual 

compendium of key risks. 54 

For internal audit, the underlying processes for evaluating the significance of any risks to the 

organization and its objectives are the same. The auditor would consider a series of 

questions regarding management’s actions: 

• Has the risk been correctly identified? 

• Has the risk been analyzed and evaluated? 

• Have appropriate responses to the risk been implemented? 

• Are those responses operating as expected? 

• Is the organization operating within agreed and appropriate risk appetite and 

tolerances or is it exposed to an unacceptable level of risk? 

Auditors can use a generic model such as the COSO Internal Control – Integrated 

Framework as the basis for considering the effectiveness of internal control in regard to any 

class of risks. In addition, there are special considerations needed. There are also tools and 

guidance to support this work. 

Culture 

Culture is an intangible but significant component of organizations influencing many aspects 

about what it does and how it does it. The IIA’s Practice Guide: Auditing Culture quotes this 

definition of culture and its related element of conduct: 

Culture represents the invisible belief systems, values, norms, and preferences of the 

individuals that form an organization. Conduct represents the tangible manifestation 

of culture through the actions, behaviors, and decisions of these individuals. 55 

The audit function is required to “assess and make appropriate recommendations to improve 

the organization’s governance processes” in accordance with Standard 2110 – Governance. 

Culture is specifically referenced in the Implementation Guidance for Standard 2100 – 

Nature of Work: 

To devise an appropriate strategy for assessing the organization’s governance, risk 

management, and control processes, the CAE typically considers the level of 

54 

See Risk in focus 2023: more risky, uncertain, and volatile times ahead, ECIIA, 2023. 

55 

Practice Guide: Auditing Culture, The Institute of Internal Auditors, 2019. 

64

maturity of the three processes as well as the organization’s culture and the seniority 

of the individuals who maintain responsibility for the processes. 56 

Problems with culture can lead to significant failures. There are many well-known examples 

in the private sector but the same is true for public sector entities. Examples of weaknesses 

in culture that can precipitate risks for an organization are itemized in the Practice Guide: 

• Unreasonable expectations including deadlines, profitability, or levels of efficiency. 

• Incentives not aligned with values. 

• Employees (including internal auditors) lack knowledge of key risk management 

activities and potential risk impacts. 

• An inflexible hierarchy impeding the flow of information up, down, and across the 

organization. 

• A pervasive environment of mistrust toward auditors and regulators including a lack 

of understanding of the role of controls in achieving business objectives. 

• An attitude of hubris (e.g., “That will not happen here.” Or “That has never happened 

to us before.”) 

• Lack of accountability, especially at senior levels of the organization. 

• Failure to enforce codes of conduct and related policies and procedures. 

• Management (and, in some cases, the board) refusing to acknowledge information 

contrary to their opinions. 

• Disregard of laws and regulations if they are not conducive to the organization 

achieving its objectives. 57 

We may add that one of the weaknesses in culture can be poor organizational 

understanding among employees and managers. This can extend to limited awareness of 

organizational purpose, a lack of a sense of shared purpose, and uncertainty about the roles 

played by key functions. It is not uncommon for employees to misunderstand the nature and 

purpose of internal auditing which they may equate with inspection or internal control. 

The Practice Guide also illustrates features of a healthy culture. 

• Positive tone from the top. 

• Clear communication. 

• Open dialogue. 

• Employee engagement. 

• Incentives aligned with core values. 

Culture may be intangible buts its impacts, such as conduct, are not. When assessing 

culture and conduct risks, there is a wide spectrum of potential sources of information to 

consider. These include: 

• Any value statements (may be labeled mission or vision statements or contained 

within these documents) published by the organization. 

• Top-level, business-line level, and process-level strategies, objectives, and business 

plans. 

56 


57 


65

• Risk appetite statements. 

• Organization charts (high level and business units) and related reporting lines. 

• Roles, responsibilities, and accountabilities of other control functions (e.g., 

compliance, risk management) and senior management. 

• Governance framework. 

• Tone at the top and leadership communications with employees. 

• Products/services approvals and selling processes. 

• Risk escalation protocols. 

• Documentation of exceptions and management overrides. 

• Codes of conduct/ethics including policies and procedures on speaking up, 

nonretaliation, and treating customers fairly. 

• Ethics hotline information and training materials. 

• Results of culture-related training and testing programs (e.g., sexual harassment, 

ethics, code of conduct). 

• Employee survey results. 

• Exit interview data. 

• Board and relevant committee minutes (e.g., governance, risk, nomination and 

remuneration, and ethics committees). 

• Management’s risk and control self-assessments (RCSAs) including management’s 

action plans and their status. 

• Relevant culture-related and risk management policies including incentives and 

compensation policy, requirements, reports, and expectations. 

• Recruitment, onboarding, performance management, retention, and exiting 

processes. 

• Status of issues raised by internal audit or other control functions, external auditors, 

and regulators taking into consideration repeated and long outstanding issues and 

root causes that may be related to culture. 

• External auditor’s report on the audited financial statements and letter of 

representation. 58 

When planning the audit plan, managers may decide to include an assurance engagement 

with a focus on culture. Alternatively, culture can be considered as part of other 

engagements and used in aggregate to formulate an opinion. 

Fraud 

Auditing fraud risk management is covered in Module 1 Audit and Assurance section 1A.5. 

Cybersecurity 

Auditing IT and cybersecurity risk management is covered in Module 1 Audit and Assurance 

section 1A.5. 

58 


66

ESG 

IIA Internal Audit Competency Framework: Social Responsibility and Sustainability 

General Awareness: Describe corporate social responsibility and sustainability. 

Applied Knowledge: Examine the organization’s approach to social responsibility and 

sustainability. 

Expert: Recommend actions to improve the organization’s approach to social responsibility 

and sustainability. 59 

The term ESG (environmental, social, and governance) is used to cover a range of related 

risks. Often the focus is on reporting ESG-related matters and the risks associated with 

accuracy, compliance, and reputation. Arguably organizations, especially those in the public 

sector, have responsibilities beyond reporting requirements related to public service, 

stewardship of resources, and accountability. The Sustainable Development Goals (SDGs) 

were adopted by all members of the United Nations in recognition of our collective 

responsibility to people and the planet. The 1987 United Nations Brundtland Commission 

defined sustainability as “meeting the needs of the present without compromising the ability 

of future generations to meet their own needs.” Addressing profound social and 

environmental concerns is something that affects us all. 

Internal auditors can make a significant contribution to ESG by: 

• Staying informed. 

• Acting as an advocate for sustainable practices. 

• Helping organizational leaders understand and accept their economic, political, 

regulatory, societal, and ethical responsibilities for sustainability of operations. 

• Identifying legislative and regulatory requirements for sustainability and evaluating 

organizational risks. 

• Providing advisory services to support the changes needed to address the 

management of sustainability risks, including requirements for ESG reporting. This is 

likely to include arrangements for gathering and validating data on such matters as 

measures for access, diversity, equity, and inclusion, water usage, waste disposal, 

and carbon emissions. 

• Providing assurance on data integrity and internal and external reporting. 

The IIA paper Internal Audit’s Role in ESG Reporting identifies the following assurance and 

advisory roles: 

• Assurance roles: 

o Review reporting metrics for relevancy, accuracy, timeliness, and consistency 

o Review reporting for consistency with formal financial disclosure filings. 

o Conduct materiality or risk assessments on ESG reporting. 

o Incorporate ESG into audit plans. 

• Advisory roles: 

o Build an ESG control environment. 

o Recommend reporting metrics. 

o Advise on ESG governance. 60 

59 


67

Third-Party Risks 

Unless an organization is entirely self-sufficient (which is practically impossible), it needs to 

leverage and rely upon the services of others. In doing so, it is exposing itself to risks related 

to downstream consequences if the expected supply of goods and services fails, including 

when the vendor itself fails. There are also risks associated with the potential for the third 

party knowingly or unknowingly to abuse the relationship, for example by misusing or 

exposing confidential or personal data. Reputational and sometimes legal damages can 

occur by association with an organization that misbehaves. 

To help auditors evaluate the risks and controls associated with third party relationships, the 

IIA has released a Practice Guide: Auditing Third Party Risk Management. This includes the 

following questions to be considered: 

• Does the organization have a comprehensive inventory of its third-party providers? 

• Does the organization’s third-party risk management program align with its risk 

appetite? 

• Does the organization have a list of the types of risks (reputational, strategic, 

compliance, financial, human resources, IT, etc.) third parties may pose? 

• How does the organization identify, define, and manage third-party risks? 

• What are the appropriate assessment criteria for third-party risks (e.g., impact and 

likelihood scales)? 

• How does the organization gauge the impact individual third parties may have on its 

business continuity strategy? 

• How far down the supply chain should third parties be considered? Should 

subservice or fourth-party providers be monitored? 

• What metrics should be reviewed to ensure a third-party provider is performing within 

the organization’s risk tolerance? 

• Will the organization have recourse to recover damages from a third party if problems 

arise? 

• Do contracts with third parties include the right for the contracting organization’s 

internal audit activity or other control functions to conduct audits if there is a need or 

desire to do so? 

• Is the third party handling data that requires a specific level of control? How does the 

organization validate that the third party is following all relevant laws, regulations, and 

technical requirements for data security? 

• How does internal audit coordinate with the organization’s second line of defense 

(e.g., legal, compliance, procurement) that may be performing risk management 

activities regarding third parties? 

• How does the organization ensure ethical behavior by the third parties? 61 

Common controls include conducting due diligence in advance of entering into an agreement 

with a vendor, considering alternative providers, ensuring contracts offer sufficient 

60 

Internal Audit’s Role in ESG Reporting, The IIA, 2021. 

61 

Practice Guide: Auditing Third Party Risk Management, The IIA, 2018. 

68

protections and rights, maintaining regular communication and continued monitoring, and 

reviewing and renewing agreements on a cyclical basis. 

Further consideration relates to the ability of the organization to cope with an unexpected 

disruption to supplies which may be caused by failures of the vendor or other event and 

circumstances outside of the vendor’s control. What contingencies are in place to draw 

essential goods and services from alternative sources? How quickly could such a switch be 

achieved? 


Does your internal audit function use digital tools for audit planning, management, and 

data analytics? What are the biggest inhibitors in making greater use of these tools? 

Are the principles and practices of Agile auditing well-suited to your organization? Does 

your internal audit function have plans to introduce innovations such as: flexible, responsive 

planning; continuous auditing; continuous client engagement; audit dashboards; and shorter, 

non-traditional reporting formats? 

Which of the following groups of risks are included in your audit plan: sustainability, thirdparty 

contracts, artificial intelligence, cybersecurity, and organizational culture? How do 

senior management and the governing body currently receive assurance regarding control 

over these risks? 

Can your internal audit function do more as an advisor to help senior management and the 

governing body anticipate, identify, and manage new and emerging risks? 

69

TIAPS ALB_Module 2D. Managing the Internal Audit Activity

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?