Resource Management and IPPF.
IPPF requires that internal audit activity does a proper resource management.
Standard | Requirement | Interpretation |
1110 | Board to approve internal audit budget and resource planBoard to inquire with management and CAE to determine the inadequacy of scope and resource limitation | Internal audit cannot execute an internal audit plan without proper resources. With the approval of IA plan and resources to execute the IA plan, performance of IA activity can be measured. |
1130 | Inadequacy of resources to execute Internal audit plan will lead to impair of objectivity or Independence | Resources should be commensurate to execute Internal audit plan in terms of quantity and quality. |
1220.A1 | IA to consider the extent of work needed to achieve the engagement’s objective. | IA need to ascertain the objective of engagement, extent of work needed, resources required to complete the assignment. |
1220.C1 | IA to consider the extent of work needed to achieve the engagement’s objective. | IA need to ascertain the objective of engagement, extent of work needed, resources required to complete the assignment. |
2020 | CAE must communicate the IA plan and resource requirements including impact of resource limitations | CAE need to estimate the quantum of efforts required, available and gap between two, if any. |
2030 | CAE to ensure IA resources are appropriate, sufficient and effectively deployed to achieve the approved plan | CAE need to understand the efforts required, type of efforts required, resources available, need to deploy them effectively and monitor them. |
2060 | CAE to report performance of IA relative to IA plan | CAE to demonstrate the budget vs achievement, within time or beyond time, within resources or extra utilization, etc. |
2200 | Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. | Allocation of resources and relevant documentation |
2230 | Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. | Engagement planning in details |
2240 | Internal auditors must develop and document work programs that achieve the engagement objectives. | Documented work programs with responsibility |
2340 | Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. | Supervision to ensure achievement of objective, quality and staff development. Quality of work would mean right testing, adherence to processes, documentation, etc.Staff development would mean giving constructive feedback. |
Reference to ‘resource’ in INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)
1110 – Organizational Independence
The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
Interpretation:
Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:
- Approving the internal audit charter;
- Approving the risk based internal audit plan;
- Approving the internal audit budget and resource plan;
- Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
- Approving decisions regarding the appointment and removal of the chief audit executive;
- Approving the remuneration of the chief audit executive; and
- Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.
1130 – Impairment to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.
Interpretation:
Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.
The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.
1130.A1 – Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
1220 – Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – Internal auditors must exercise due professional care by considering the:
- Extent of work needed to achieve the engagement’s objectives;
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
- Adequacy and effectiveness of governance, risk management, and control processes;
- Probability of significant errors, fraud, or noncompliance; and
- Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.
1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering the:
- Needs and expectations of clients, including the nature, timing, and communication of engagement results;
- Relative complexity and extent of work needed to achieve the engagement’s objectives; and
- Cost of the consulting engagement in relation to potential benefits.
2020 – Communication and Approval
The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.
2030 – Resource Management
The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan.
2060 – Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
Interpretation:
The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.
2200 – Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.
2230 – Engagement Resource Allocation
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
2240 – Engagement Work Program
Internal auditors must develop and document work programs that achieve the engagement objectives.
2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.
2340 – Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
Interpretation:
The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.
Impairment
Impairment to organizational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).