Appendix C1: Interview Guide: Chief Audit Executive
ABC Organization
Interviewee: / Position:
Interviewer: / Date:
Additional comments regarding interview:
Internal Audit Governance
1. Comment on the charter and audit practice environment (be sure to review Internal Audit Governance Planning Guide, which also asks questions about the audit charter, and tailor your questions depending on whether the chief audit executive [CAE] or a subordinate completed it). (D1)
1.1 Has the charter been kept current and relevant? Did the board approve it?
1.2 Does the charter establish adequate role, authority, and scope of work of the internal audit activity? If not, please define what areas internal audit is not allowed to review.
1.3 Is the charter easily accessible (electronically or by hard copy) to management and staff in the organization?
1.4 Do the work environment, culture, and empowerment within the internal audit activity promote a customer orientation by providing frequent contact, quality work, and a partnering relationship?
1.5 Is the internal audit activity free from management decision-making functions and operational responsibilities?
2. Comment on the independence, structure, and scope of work of the internal audit activity. (D1)
2.1 Does the nature/level of the internal audit activity’s reporting lines to senior management and the board ensure its independence? Are you satisfied with your independence and your staff’s independence?
2.2 How is the board involved in the appointment, replacement, dismissal, and compensation of the CAE?
2.3 Does the organization structure of the internal audit activity promote achievement of its mission/goals?
2.4 Do you have adequate budgetary resources to enable you (as the CAE) to provide adequate audit coverage of the risk and exposure of the activities and special projects as outlined in the annual audit plan?
2.5 Is the audit plan sufficient to cover the organization’s major risks?
2.6 Are you aware of any impediment to independence (actual or attempted by management)?
2.7 Has there ever been an instance when nonconformance with The IIA’s Definition of Internal Auditing, Code of Ethics, or International Standards for the Professional Practice of Internal Auditing (Standards) impacted the overall scope or operation of the internal audit activity? If so, did you disclose the nonconformance and its impact to senior management and the board? How did you do this?
3. Describe the board/audit committee’s oversight of the internal audit activity. (D1)
3.1 Are you satisfied with the support (availability of committee members, resources, and follow-up) that you receive from the board?
3.2 Is the board’s input sought during the annual planning and risk assessment of the internal audit activity?
3.3 Does the board approve the annual audit plan? The hiring/termination of the CAE?
3.4 Describe the method and frequency of your meetings with, and reporting to, the board.
3.5 Do you meet privately with the board or the audit committee chair? If so, how frequently?
4. Comment on the internal audit activity’s quality assurance and improvement program, including ongoing monitoring mechanisms (e.g., engagement supervision, benchmarking, and measurement criteria) and internal and external quality assessments. (D1)
4.1 What are the significant quality/process improvement actions currently underway or planned for the near term in the following areas:
4.1.1. Customer relations (e.g., partnering, self-assessment, and consulting on management processes)?
4.1.2. Reducing audit cycle time (e.g., early and frequent involvement in audit planning and audit result, reduction of reporting and follow-up intervals, and streamlining of audit procedures)?
4.1.3. Empowerment of staff and customers (e.g., self-review and accountability, and team auditing)?
4.1.4. Benchmarking and comparison with leading practices?
4.1.5. Other areas (adoption of successful practices)?
4.2 How do you monitor effectiveness of the quality assurance and improvement program?
5. Describe the frequency and nature of your interactions with the senior executive to whom you report. (D1)
5.1 To whom do you report administratively?
5.2 How often do you meet with the senior executive?
5.3 Describe the methods of your meetings with, and reporting to, the senior executive.
5.4 Do you seek the senior executive’s input during the internal audit activity’s annual risk assessment and planning?
5.5 Is the annual audit plan discussed with the senior executive before the board approves the plan?
5.6 Do you attend strategic planning meetings or other senior management meetings? What is your role in those meetings?
6. Comment on the capabilities/professionalism of the internal audit activity’s staff. (D2)
6.1 Does the internal audit activity foster an identifiable culture of professionalism and continuous improvement?
6.2 Are you satisfied with the staff’s understanding of the internal audit activity’s core values, mission, and goals/objectives?
6.3 Does the internal audit activity staff have a reasonable understanding of corporate governance, enterprise risk, and opportunities for service beyond traditional audit activities?
6.4 Do staff members have the right skills to audit operational, financial, performance, and IT areas of the organization? Do they have business acumen? Do they have the skills to identify indicators of fraud?
6.5 Are the staff’s views sought and considered for management and audit policy/planning deliberations? How is this done?
6.6 Are competency models (position descriptions), performance standards, or other means used to define the expectations and accountabilities of the staff?
6.7 How often are staff performance appraisals conducted?
6.8 How many staff members have professional certifications? What support is given to obtaining certifications?
6.9 Do the auditors comply with The IIA’s Standards and the Code of Ethics?
6.10 Do management and the board give you the ability to employ enough audit staff to carry out the audit plan? Do you have the different levels of audit experience within your staff necessary for the audit plan?
6.11 Do you perform a collective staff training needs analysis and obtain training based on these needs?
6.12 Are you able to engage outside expertise when the staff lacks specialized knowledge or skills for an engagement? Have you done so? Have you declined an engagement because your staff lacked the needed expertise?
6.13 Has job rotation within the organization (in and out of the internal audit activity) been considered?
Internal Audit Management
7. Comment on the organization’s overall governance processes and the internal audit activity’s role in governance. (D3)
7.1 What are the key governance activities and how effective are they?
7.2 Do you feel you have a “seat at the table” in discussions of organizational strategy?
7.3 In what other ways does the internal audit activity help improve the organization’s governance processes?
7.4 Does the internal audit activity evaluate specific governance processes? Which ones? Does it evaluate the overall governance process? How?
7.5 Does the internal audit activity evaluate the organization’s ethics-related objectives, programs, and activities?
8. Describe how risks are identified, measured, and managed in the organization. (D3)
8.1 What are the most important risks and opportunities?
8.2 Who is the most senior executive responsible for overall risk management?
8.3 How is risk management “rolled up” so that the CEO and the board can evaluate and oversee the “big picture”?
8.4 How does the internal audit activity assist management in the identification and management of significant risks?
8.5 Have you ever felt that management was accepting a level of risk that was unacceptable to the organization as a whole? If so, did you report it to the board? What was the response? (Also D1)
9. Describe how the internal audit activity evaluates the risk management process. (D3)
9.1 Does the internal audit activity evaluate the overall risk management process if an integrated process exists?
9.2 Does the internal audit activity evaluate the risk management process within areas being audited?
10. Comment on other assurance functions (such as compliance, risk management, or special investigations) and on the external audit firm in relation to the internal audit activity. (D3)
10.1 Indicate the roles of other assurance functions in the organization.
10.2 How do you ensure adequate coordination with the assurance functions and prevent overlapping work while providing sufficient coverage?
10.3 Does the internal audit activity follow up or assist in implementation of the recommendations of the other assurance functions?
10.4 Are reporting processes and terminology consistent enough among these functions to facilitate comprehension by executives and the board?
10.5 Is there adequate coordination between the internal audit activity and the external auditor (and regulators) to minimize duplication or redundancy?
10.6 How often do you meet with the external auditor?
10.7 Are you satisfied with the extent to which the external auditor relies on your work?
11. Comment on the credibility and effectiveness of the internal audit activity. (D3)
11.1 Are you considered a key member of the management team?
11.2 How do you ensure that internal auditors have the knowledge and skills to perform their responsibilities?
11.3 How do you obtain management and the board’s feedback about the effectiveness of the internal audit activity?
11.4 Do you believe that the internal audit activity really adds value to the organization? If so, how does the internal audit activity add value?
12. Comment on the internal audit activity’s risk assessment and audit planning. (D3)
12.1 How is the audit universe structured (e.g., by organizational unit, business process, or risk category)? Does the organization have its own risk framework? If so, how are the two coordinated?
12.2 Were the organization’s strategic business plan and technology plan used in the audit planning process?
12.3 Was input sought from key stakeholders (board, senior management, and the external auditor) during the internal audit activity’s annual risk assessment and planning? Is similar input sought more frequently? If so, how?
12.4 How is the plan updated for organizational changes that occur between annual planning periods? Does the internal audit activity have enough flexibility to respond to changes in the organization’s risk profile?
12.5 Is sufficient attention given to the internal audit activity’s approach to auditing IT?
12.6 Are funding, staff mix and skills, technology, and other resources sufficient to fulfill the plan? Does this include funding to co-source with external providers for technical expertise when needed?
Internal Audit Process
13. How satisfied are you with the internal audit activity’s processes for assurance engagements? (D4)
13.1 Are all aspects of the audit process fully and clearly explained in the audit manual?
13.2 Have you found any significant deficiencies in the planning or performance of audits that should have been corrected before your review of the work? If so, how did you address them?
14. How satisfied are you with the internal audit activity’s processes for consulting engagements (if any are performed)? (D4)
14.1 Is there an up-to-date procedure that sets forth the guidelines for consulting engagements?
14.2 Are appropriate audit plans established for each engagement, including scope, objectives, timing, and resource allocations?
14.3 Have significant governance, risk management, or control issues ever been identified during consulting engagements? If so, were they communicated to senior management and the board?
15. How satisfied are you with the internal audit activity’s processes for overseeing the planning and performing of co-sourced engagements (if any are performed)? (D4)
15.1 Are co-sourced engagements performed in accordance with established methodologies and working practices?
15.2 Are the co-sourcing vendor’s workpapers made available to the internal audit activity?
15.3 How are the co-sourced engagements supervised, and do you think the level of supervision is adequate?
16. Do you issue an overall opinion (i.e., on governance, risk management, and/or control for the organization as a whole)? If yes, how did you arrive at this opinion (i.e., plan and aggregate evidence needed to support the opinion, take into account the expectations of senior management, the board, and other stakeholders, etc.)?
17. Any additional observations/comments about the internal audit activity or other matters discussed in the interview?
Key Issues (with program reference):
Leading Practices (with program reference):
Prepared by: / Date:
Reviewed by: / Date: