Appendix D1

Program: Internal Audit Governance

INTERNAL AUDIT GOVERNANCE PROGRAM:


OBJECTIVES AND SCOPE
1. Determine the internal audit activity’s level of conformance with the spirit and
intent of The IIA’s International Standards for the Professional Practice of
Internal Auditing (Standards) 1000, 1100, and 1300, Code of Ethics, and the
Definition of Internal Auditing (full external assessment, and self-assessment with
independent validation).

2. Assess the efficiency and effectiveness of the internal audit activity and identify
opportunities and offer ideas to the chief audit executive (CAE)/internal audit
staff for improving their performance and increasing their ability to add value
(full external assessment).

Quality Assessment Manual for the Internal Audit Activity

I – PLANNING AND PREPARATION

Planning and Preparation    Initial/Date

1. Review information included in the planning guide for this program segment.

2. Confirm receipt of documents included on the Document Request Checklist.

3. Review survey results for questions denoted for this program segment.

4. Confirm that the list of planned interviews will adequately support the completion of this
program segment. Consider possible additional interview questions to support this program
segment.

5. Identify opportunities to review with the CAE/internal audit staff for improving their
performance and increasing their ability to add value based on your review of planning
documentation. These items will comprise the focus of work completed in step III.

Planning/Preparation Results:

II – OBJECTIVE #1:
CONFORMANCE WITH THE STANDARDS
(Complete for Full External Assessment, Self-assessment with Independent
Validation, and Periodic Self-assessment)

Determine the internal audit activity’s level of conformance with the spirit and intent
of Standards 1000, 1100, and 1300, Code of Ethics, and the Definition of Internal
Auditing (full external assessment and self-assessment with independent validation).

II.A – Internal Audit Activity Charter
(Standard 1000 and Definition of Internal Auditing)
Initial/Date    WP Ref.

1. Review the internal audit activity charter specifically for: (1000)

a. When it was last updated.

b. Approval of the board.

c. Formal definition of the purpose, authority, and responsibility of the internal
audit activity.

d. Alignment of the internal audit activity’s strategy (vision and mission) to that of
the organization.

e. Statement of unrestricted access to all documents, people, and assets to
perform engagements.

f. Reporting lines of the internal audit activity.

g. The definition of the nature of the assurance and consulting work.

h. Incorporation of the mandatory nature of the Code of Ethics, the Definition of
Internal Auditing, and the Standards.

i. Legislation and regulations to which the internal audit activity must adhere.

j. Compare the internal audit activity charter and the audit committee charter to
determine if the responsibilities, reporting lines, etc., as stated in the charter of
the board, correspond with that which is reflected in the internal audit charter.

2. Review the survey and interview results for this program segment. Determine if the
results will have any impact on your results and conclusion.

Results (Standard 1000 and Definition of Internal Auditing):

Standard 1000 and Definition of Internal Auditing – Conformance Assessment Recap


(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not Applicable)

Key Conformance Criteria GC PC DNC NA

A. The internal audit charter clearly defines the purpose,
authority, and responsibility of the internal audit activity and is
approved by the board (1000).

B. The internal audit charter defines the nature of assurance and
consulting services (1000.A1 and C1).

C. The internal audit charter includes reference to the mandatory
nature of the Definition of Internal Auditing, the Code of Ethics,
and the Standards (1010).

II.B – Independence and Objectivity
(Standard 1100 and Code of Ethics)
Initial/Date    WP Ref.

1. Identify the position of the internal audit activity within the organization by
reviewing the organization chart or organigram (1110).

2. Determine if the reporting lines, as stated in the internal audit activity charter, allow
the internal audit activity to carry out its responsibilities in an unbiased manner
(1100).

3. Review the internal audit activity’s policies and procedures regarding reporting of
conflict of interest and review conflict of interest declarations (1120 and 1130).

4. Review the audit committee charter and determine if the charter states the
functional responsibility of the board to the internal audit activity, especially relating
to: (1110)

a. Approval of the internal audit activity charter.

b. Approving the risk-based internal audit plan.

c. Receiving communications from the CAE on the internal audit activity’s
performance relative to its plan and other matters.

d. Approving decisions regarding the appointment, removal, and salary of the CAE.

5. Review minutes of audit committee meetings to determine if functional
responsibilities of the board were carried out (1110).

6. Review the performance evaluation of the CAE and determine the board
participation and the key performance indicators used for the performance
evaluation as indicated by the internal audit activity’s performance measures
(1110).

7. Review the survey and interview results for this program segment. Determine if the
results will have any impact on your results and conclusion. If additional evidence
is needed, consider performing the following steps:

a. Collect the Code of Ethics from internal audit staff and determine if it is signed
by them as read and understood (Code of Ethics).

b. Determine if a register of allocation of internal auditors on consulting
assignments is kept to avoid allocation to assurance assignments before one
year has lapsed (1130).

c. Check with the quality assessment team member assigned to the Internal Audit
Process program segment and determine whether any significant objectivity
issues were noted.

d. Determine if any impairment to independence and/or objectivity exists or Code
of Ethics issues have occurred and have been disclosed to appropriate parties
(1130).

Results (Standard 1100 and Code of Ethics):

Standard 1100 and Code of Ethics – Conformance Assessment Recap


(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not Applicable)

Key Conformance Criteria GC PC DNC NA

A. The CAE reports to a level in the organization that allows the
internal audit activity to fulfill its responsibilities (1110).

B. The administrative reporting relationship to senior
management does not interfere with the CAE’s responsibility
to the board (1110).

C. There are no restrictions to the scope, resources, and access
of internal audit activity (1110 and 1130).

D. The nature of the CAE’s functional reporting relationship to the
board provides the direct interaction needed to promote
independence and communicate audit results (1110 and
1111).

E. Auditors are aware they must report any real or perceived
objectivity or Code of Ethics issues as soon as such issues
arise (Code of Ethics and 1120).

F. Audit engagements are performed with an unbiased mental
attitude (1120).

G. There are no restrictions to the scope, resources, and access
of the internal audit activity (1110 and 1130).

H. Any impairments have been disclosed to appropriate parties
(1130).

I. Auditors are aware they must report any real or perceived
objectivity or Code of Ethics issues as soon as such issues
arise (Code of Ethics and 1120).

II.C – Quality Assurance and Improvement Program (QAIP)
(Standard 1300)
Initial/Date    WP Ref.

1. Obtain the policy for the QAIP and determine if it is consistent with the Standards
(1300). Where applicable, also review the most recent external assessment report.

2. Obtain the most recent self-assessment report and review the report to determine
if conformance with the Definition of Internal Auditing, the Code of Ethics, and the
Standards was evaluated and if there were any opportunities to improve the
internal audit activity’s efficiency and effectiveness (1311). If additional evidence is
needed, consider performing the following steps:

a. Review the supporting records for QAIP (ongoing monitoring activities and
periodic self-assessments) and any customer service standards.

b. Determine if any disclosures of nonconformance (1322) were required. If there
were issues, determine that the impact of nonconformance was communicated
to senior management and the board.

3. Obtain the board committee agendas and minutes of meetings for the past year
and determine if the results of the QAIP appeared on any of the agendas (1320).

a. Determine if the results of the QAIP (ongoing monitoring and periodic internal
assessment) are reported at least annually by reviewing the internal audit board
packs for measurement criteria communicated to the board by the CAE (1311).

b. Obtain a QAIP report that was tabled (as per the agenda) at a board meeting
and determine if the results of the self-assessment report include the reviewer’s
or review team’s assessment with respect to the degree of conformance.

c. Determine the means of communication on the implementation of actions to
achieve conformance to the Definition of Internal Auditing, the Code of Ethics,
and the Standards.

4. Review internal audit reports that were issued and determine if the statement
“Conforms with the International Standards for the Professional Practice of Internal
Auditing” is stated on the reports or any other correspondence of the internal audit
activity (1321).

a. Determine if results of the QAIP (both the internal and external assessments)
support this statement by reviewing the quality assessment communications and
reports.

5. Review the survey and interview results for this program segment. Determine if the
results will have any impact on your results and conclusion.

6. Check with the quality assessment team members assigned to the other program
segments and determine whether any QAIP issues were noted.

Results QAIP (Standard 1300):

Standard 1300 – Conformance Assessment Recap


(GC = Generally Conforms, PC = Partially Conforms, DNC = Does Not Conform, or NA = Not Applicable)

Key Conformance Criteria GC PC DNC NA

A. The CAE has formally established and documented a QAIP
consistent with the Standards (1310).

B. The QAIP enables the internal audit activity to evaluate
conformance with the Definition of Internal Auditing, the Code
of Ethics, and the Standards (1310).

C. The QAIP is used to identify opportunities to improve the
internal audit activity’s efficiency and effectiveness (1311).

D. There is evidence of ongoing reviews of the performance of
the internal audit activity (1311).

E. Periodic self-assessments are being performed according to
the frequency/scope in the QAIP and are consistent with The
IIA’s International Professional Practices Framework (IPPF)
guidance (1311).

F. There is evidence of comprehensive external assessments by
qualified, independent external assessors or assessment
teams (1312).

G. The results of full external assessments and periodic self-assessments
are formally communicated to senior
management and the board upon completion of such
assessments (1320).

H. The results of ongoing monitoring are communicated to senior
management and the board at least annually (1320).

I. Where applicable, there is appropriate wording in the internal
audit charter and/or audit reports (1321).

J. Any nonconformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards that impacts the scope
or operation of the internal audit activity will be disclosed to
senior management and the board (1322).

III – OBJECTIVE #2:
OPPORTUNITIES FOR IMPROVEMENT
(Complete for Full External Assessment and Periodic Self-assessment; Optional for
Self-assessment with Independent Validation)

Assess the efficiency and effectiveness of the internal audit activity and identify
opportunities and offer ideas to the CAE/IA staff for improving their performance and
increasing their ability to add value (Full External Assessment). Note: These items
were identified during completion of planning activities.

III – Opportunities for Improvement
Initial/Date    WP Ref.

1. Obtain and review any benchmarking information, such as the Global Audit
Information Network (GAIN), related to internal audit governance (e.g., CAE
reporting relationships, audit committee charters, and responsibilities). Identify any
potential opportunities for improvement.

2. Evaluate the internal audit activity’s awareness and use of IPPF resources (e.g.,
Practice Advisories, Practice Guides, and Position Papers) related to internal audit
staffing. Determine if the IPPF and other resources have been used to
improve the quality of the internal audit activity. Identify any potential
opportunities for improvement.

(Left open – to tailor the program per Planning step #5)

Results (Strengths or Opportunities):
