A primary lesson from the financial failure and collapse of numerous organizations is that good governance, risk management, and internal controls are essential to corporate success and longevity. Because of its unique and objective perspective, in-depth organizational knowledge, and application of sound audit and consulting principles, the internal audit function is well-positioned to provide valuable support and assurance to an organization and its oversight entities. However, these services cannot be delivered in the absence of well-documented and well-communicated policies and procedures, which comprise the audit manual.
A Basis for Operations
IIA Standard 2040: Policies and Procedures states: "The chief audit executive (CAE) must establish policies and procedures to guide the internal audit activity." Policies form the written basis of operation in the audit department. They represent the group's position on the topics covered, prescribe limits, identify responsibilities, and indicate the parameters under which the department operates. More broadly, they can be viewed as rules or expectations related to the department's mission, goals, and functions. For example, a policy relating to the audit plan might read: "The CAE prepares the annual audit plan by the last day of November, and the audit committee reviews it by the last day of December. This plan is developed on risk assessments with input from the board, senior management, and the external auditors. The approved plan is the authority for conducting audits organizationwide."
Procedures give directions and step-by-step instructions for carrying out policies and outline sequences of activities for interpreting those policies. For example, procedures for the annual audit plan policy might include performing a risk assessment, defining the audit universe, translating risks into measurable risk factors, choosing weights for risk factors, and linking the audit plan to the organization's strategic plan.
There are policies and procedures for almost every business function. Documenting these items constitutes effective quality assurance practice and, in some cases, fulfills regulatory and accreditation requirements. An audit manual outlines the authority and scope of the internal audit function, documents standards, and provides cohesive guidelines and procedures. These guidelines promote consistency, stability, continuity, acceptable performance standards, and a means of coordinating the efforts of audit staff effectively.
An audit manual usually contains an overview of the industry risk factors facing an organization as well as the protocol of the audit process, the tools and methodologies for conducting the audit, forms to be completed, and people to contact. As such, it facilitates orientation and saves time on training newly appointed staff on the audit activity — auditors can begin audit engagements immediately.
Although an audit manual is an extensive compilation of resource material intended to be used by internal audit staff, other departments may find it useful as a guide to improve their own operations through creating or updating their own manual, policies, procedures, and practices. A well-developed and appropriately communicated audit manual can:
- Serve as a guide to those responsible for internal audit activities.
- Represent a key benchmark by which internal audit can be measured.
- Be a reference for undertaking an audit assignment.
- Aid in making effective decisions.
- Assist in undertaking staff appraisals, training, and development.
- Enhance staff morale and productivity.
- Assist in clarifying audit issues, audit staff job routines, and measurements.
When faced with an external quality assessment, the first item the assessor will ask for is information to help him or her understand the organization's audit function. Where litigation arises and audit evidence must be submitted in a court of law, a judge likely will ask whether the evidence presented conforms to the organization's audit policies and procedures. In such cases, an audit manual can be a lifesaver.
In many organizations, the content already exists and would only require a dedicated effort to bring it all together into one centralized policies and procedures manual with regular review and maintenance. An audit manual typically is divided into several sections:
- The Internal Audit Profession and Related Material: The IIA's International Professional Practices Framework, COBIT, ISACA standards, and regulatory requirements.
- Corporate Operating Policies: Vision, mission, organizational structure and business fundamentals, industry risk profile, corporate governance, and control frameworks.
- Overview of the Internal Audit Function: Audit charter, enterprise risk management charter, audit committee charter, departmental chart, risk universe, audit universe, and annual audit plan.
- Audit Procedures and Techniques: Audit process, audit software, engagement planning, audit fieldwork, audit reporting, audit effectiveness questionnaire, follow-up information, operational auditing, IT auditing, and fraud auditing and investigation.
- Audit Staff Resources: Staff levels, job descriptions, training and development, tuition assistance, transfers, rotational staff, and use of outside resources.
- Audit Administration: Staff meetings, intranet, acquiring routine and capital items, department's budget and monthly performance reports, corporate credit cards, audit committee reports, annual reporting, staffing and management surveys, and benchmarking and key performance indicators.
- Reference Material: Acronyms; glossary; governance, risk, and control resources; audit manual maintenance; and audit library.
An audit manual containing at least this basic information is a powerful tool for a sustainable, well-respected audit function.
Maintenance is key to having a current manual, as auditors want to be sure they are using the latest technology, audit methodology, audit standards, and risk information when conducting their audits. An out-of-date manual can be a serious blow to the audit department's reputation, which may take years to rebuild.
An audit manual should be kept up-to-date by assigning someone to keep abreast of developments within the organization (e.g., corporate reports and memos), outside the organization (e.g., regulatory changes, business trends, and geopolitical issues), and within the profession (e.g., internal audit periodicals and guidance). For example, auditors could leverage information from the second edition of GTAG 4: Management of IT Auditing — which contains approaches to new technology-related risks — to help keep IT audit methodology current. To enhance understanding of the audit function, foster mutual respect, and facilitate smooth audits, CAEs should share copies of the manual with audit staff and appropriate senior management regularly.
A Valuable Benefit
Organizations that do not have an audit manual are missing out on the valuable benefits that such a manual affords. In addition, they run the risk of relying on people in the audit group who have the requisite knowledge but who may leave one day. This scenario impacts the continuity of the audit effort and adversely impacts governance, risk, and control throughout the organization.