The document outlines best practices for internal audit departments across five key areas: roles and structure, people, process, technology, and knowledge. It provides examples of best practice features for each area and a template for departments to evaluate the evidence of these features in their own practices. The template can be used to assess areas as low, medium, or high and identify opportunities for improvement. The document aims to help internal audit departments evaluate their practices against industry standards and enhance their ability to add value through continuous improvement.
The 3rd Intl. Workshop on NL-based Software Engineering
Model i best practice evaluation worksheet for ia
1. Page 1 of 8
Source : www.knowledgeleader.com
Best Practices Evaluation Worksheet for Internal Audit Departments
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
1. ROLES &
STRUCTURE
1.1 Internal Audit (IA) operates as an independent,
objective assurance and consulting activity designed
to add value and improve the organization’s
operations.
1.2 IA is viewed as a proactive "business partner"
helping the organization achieve its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control and governance processes.
1.3 IA is appropriately integrated into the
organization’s Business Risk Management Process
(BRMP):
1- Establishing goals/infrastructure
2- Assessing risks
3- Developing risk solutions
4- Designing & Implementing controls
5- Monitoring performance
6- Improving process
7- Providing information for decision making
1.4 IA's role, scope and objectives are clearly
defined and communicated at all levels of the
organization.
1.5 IA manages relationships with External Auditors
and supervisory authorities to ensure audit coverage
is accomplished effectively and efficiently.
1.6 IA is perceived as a positive career development
opportunity and a training ground for future business
leaders.
2. Page 2 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
1.7 The structure of the IA department is aligned
with the business and is effectively communicated to
its customers, resulting in efficient service delivery.
1.8 A balanced set of performance measures is used
to monitor the timeliness, cost-effectiveness and
quality of IA's performance and to drive continuous
improvement to the IA organization and audit
process.
2. PEOPLE
Qualitative 2.1 An appropriate competency model is in place
(which defines the skills, knowledge and attributes
required of IA professionals to deliver value to
customers) to ensure that career and skill
development programs are consistent with the
business and its needs.
2.2 Career and skill development programs for IA
professionals are in place and effective.
2.3 IA professionals are recruited from both
traditional and non-traditional (operational)
backgrounds to maximize performance and create a
diverse, balanced IA organization.
2.4 Policies on training, appraisal, career
development, roles and responsibilities, job
descriptions, etc. are documented and consistent
with corporate policies.
2.5 Regular initiatives are promoted to raise the
profile of internal audit, attract and motivate suitably
qualified professionals, and reduce IA professionals’
turnover.
2.6 The appraisal process is clearly defined and
communicated to auditors. It is used as a means of
performance review and to update career and skills
development programs.
3. Page 3 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
2.7 Succession planning is in place to allow
continuity in IA management and the audit process.
It is aligned with career development programs.
Quantitative 2.8 Training time averages between 60-100 hours
per person per year
2.9 Cost of IA department per auditor in USD:
- between X and Y (Benchmarks for this information
can be obtained from annual GAIN surveys available
from the Institute of Internal Auditors)
2.10 Headcount of auditors per 1000 employees :
- Close to 5
2.11 Group revenue per auditor in USD :
(Benchmarks for this information can be obtained
from annual GAIN surveys available from the
Institute of Internal Auditors)
3. PROCESS
Risk
assessment
and planning
3.1 A straightforward, “top-down” business risk
identification and assessment process drives audit
planning.
3.2 The company risk profile is formally and regularly
reviewed to ensure it reflects development in the
business risk environment and is linked to a rolling
audit plan.
3.3 A common language exists across the
organization to ensure consistent approach of risks
at all level in the organization.
3.4 Major stakeholders (Management, External
Auditors, and Audit Committee) are involved in risk
assessment and planning.
4. Page 4 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
3.5 Management and Audit Committee formally
approve the audit plan.
3.6 A systematic approach is in place for planning
and scheduling work programs and performance is
monitored to allow optimum resources allocation.
3.7 Job scheduling and planning is organized to
ensure auditors with the right competencies are
assigned to the right job.
Audit
execution
3.8 Terms of reference, covering issues such as
scope, objectives and timing, are agreed with
management before each audit begins.
3.9 The audit process, and status of the audit
program are effectively communicated to audit
customers in order to promote awareness and
greater "buy-in"
3.10 Clearly defined standard audit methodologies
are in place.
3.11 The format, content and use of working papers
and audit files is standardized across the IA
organization to maximize efficiency and promote
consistency.
3.12 There is a systematic process in place to link
business risks to business processes. Evaluation of
business controls is based on assessment of these
process risks.
5. Page 5 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
3.13 The audit process is applied to the whole of the
organization's BRMP and is not limited to looking at
process controls.
3.14 Best practices (both internal and external) are
used for evaluations of controls and
recommendations.
3.15 Open communication is maintained with
management throughout the audit process.
3.16 A formal closing meeting is held to discuss all
open issues with management.
3.17 Self-assessment techniques are used to
identify and analyze risks and controls. This helps
the audit customers understand how controls help to
meet business objectives.
3.18 Knowledge sharing is built into the audit
execution process to allow effective contribution by
auditors and control and approval by audit
management.
Reporting and
follow-up
3.19 The report approval, sign-off and distribution
process is clearly defined and documented.
3.20 Final reports are prepared and issued on site.
3.21 Standard, pre-defined report formats are used
to promote a concise, consistent and efficient
approach. Report formats reflect audit customer
requirements (summary with appropriate level of
detail on major issues for Audit Committee, more
detailed report for Management).
6. Page 6 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
3.22 Issues and recommendations are regularly
reported and prioritized using clear and agreed upon
criteria (risk importance, ease of implementation,
etc.).
3.23 Overall control ratings are assigned, based on
audit findings, using a clearly defined rating scale
communicated to IA staff and customers.
3.24 Reports include action plans setting
responsibilities and target dates embraced by
Management.
3.25 Regular follow-up is made by IA to ensure that
agreed action plans are implemented.
3.26 There is a clearly defined process to capture
customer satisfaction ratings and gather customer
feedback on IA's performance to ensure IA services
match the needs of the business
4. TECHNOL-
OGY
4.1 Communication technology is widely used to
support the IA's knowledge sharing process.
Technology used by IA is integrated with the
company’s technology platform.
4.2 Voting technology is used to facilitate risk and
control self-assessment meetings and allow efficient
team decision-making.
4.3 Technology is used to facilitate continuous risk
and control self-assessment across the organization.
7. Page 7 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
4.4 Workflow technology is used to enable more
effective and efficient implementation of standard
audit processes (planning, electronic workpaper,
etc.)
4.5 Data-mining technology is used to allow efficient
retrieval and analysis of relevant corporate data for
risk analysis.
4.6 Technology is used to capture and integrate
audit data sources to provide comprehensive
management information to support the BRMP.
4.7 Auditors are equipped with, and trained to use,
appropriate technology to increase personal
productivity (laptop computers, standard software,
modem, printer, etc.).
4.8 Responsibility for maintenance of tools (and
license agreements) is given to IT specialists within
the company or outside providers if needed.
5.
KNOWLEDGE
5.1 Standard, organization-wide knowledge sharing
process and technology in place.
5.2 Culture in place that facilitates, encourages and
rewards knowledge sharing. The sharing of
knowledge is measured.
5.3 Local and remote access available to internal
and external knowledge databases and resources
that facilitate auditors and audit management in the
performance of their duties (best control practices,
best practices for auditing, industry specifics,
benchmarking information etc).
8. Page 8 of 8
Source : www.knowledgeleader.com
Best
Practice
Framework
Best Practice Features
Evidence of this
feature in
internal audit
(L : Low, M : Medium,
H : High)
Description of evidence
Opportunity for
improvement
recommendations
5.4 A knowledge manager is appointed to ensure
responsibilities are clear and define the process in
place to allow contribution in an organized way.
5.5 Responsibilities for controlling the quality of
content/knowledge (ensure regular updates and
upgrades, additions and consistency within the IA
organization) are clearly identified.