Case Study
Guidelines to conform with Domain III
Domain III sets out how the Internal Audit function should be governed. The better the function is governed, the more effective it becomes. This Domain requires co-operation between the Chief Audit Executive, the Board/Audit Committee and senior management.
- Establish suitable governance structure
- Establish Audit Committee oversight of the Internal Audit function through the Audit Committee Charter and the Internal Audit Charter.
- Ensure the Chief Audit Executive (CAE) reports functionally to the Audit Committee.
- Ensure the CAE reports administratively to a member of senior management who:
  - understands and supports Internal Audit’s role in the organisation.
  - can ensure the function operates without interference. Best practice suggests it should be the CEO.
- Develop Internal Audit Mandate and Internal Audit Charter in conjunction with Board and senior management.
- CAE must be suitably qualified and continue to enhance qualifications and competencies.
- CAE must report to the Board on:
  - Independence of the function.
  - Impairment of independence due to CAE’s other roles in the organisation or CAE’s reporting line.
  - Information the Board needs to conduct its oversight role (Standard 8.1).
  - Disagreements between CAE and senior management on aspects that may impair Internal Audit’s ability to deliver on its Mandate.
  - Sufficiency and adequacy of resources and impact on its ability to deliver on its Mandate.
- Develop, implement and maintain Quality Assurance and Improvement Program:
  - Internal Assessment.
  - External Assessment.
  - Report annually on Internal Assessment.
  - External Assessment at least every 5 years.
- Discuss these essential conditions with Board and senior management to inform them of the importance of the conditions and gain alignment on:
  - Authority, role and responsibility of Internal Audit.
  - Internal Audit Mandate.
  - Content of the Internal Audit Charter.
  - Recognition, support and promotion of Internal Audit in the organisation.
  - (Unrestricted) access to data, records, information, staff and physical locations and assets.
  - Communication protocols.
  - Reporting relationships for CAE.
  - Approval process for charter, audit plan, budget and resource plan.
  - Protocol to deal with restrictions placed on Internal Audit’s activities.
  - (Unrestricted) access to the Board.
  - Appointment and removal of CAE.
  - Management of CAE development, performance, evaluation and remuneration.
  - Management of actual and potential impairments if CAE fulfils other roles.
  - Qualifications, experience and competencies required for CAE within the specific organisation and industry.
  - Frequency and content of communication between Board, CAE and senior management (Standard 8.1).
  - Escalation protocols.
  - Resource requirements to fulfil Internal Audit Mandate.
  - Quality Assurance and Improvement Program.
  - Plans to address quality deficiencies and opportunities for quality improvement.
  - Internal Audit function’s performance objectives.