Internal Audit Staffing Guideline

Internal Audit Staffing Guideline

Objectives

The internal audit staffing guideline is intended to meet the following objectives:

• To ensure that host boards hire sufficient staff:
• To conduct internal audits “in-house” where specialists are not required and
• To be accountable to the audit committees in their region (attending meetings, presentation of audit plan, presentation of audit findings, etc.)
• To ensure that host boards are given sufficient flexibility in the funding allocation to utilize the resources as effectively as possible.
• To ensure boards have sufficient core staff to service the needs of all the boards in their region.

Types of Internal Audits

Appendix A details the type of internal audits. Of the 6 types of audits / engagements listed, the regional internal audit team should possess the required skills to complete all but two areas - information technology (IT) audits and investigations - that could require the services of specialists.

IT Specialists:

• IT is the only category in the existing audit universe that would routinely require outside expertise.
• Of the 53 processes in the universe, approximately 6 (Develop IT Strategy, Develop & Deploy Applications, Network and Application Access Management, Manage IT Security, Data Management and Back-up ) or would require IT specialists for all or part of the audit. Given that there would be areas in these processes where the existing audit team could audit or provide assistance (e.g. disaster recovery).

Fraud investigations:

• Fraud investigations are outside the responsibilities of the regional internal audit team. They may participate in the investigation but the board who is requesting the investigation must cover any related costs.

Flexibility:

• The funding allocation recognizes that boards need some flexibility in the decision as to whether they should hire additional staffing in order to minimize their travel requirements.

Recommended Staffing Complement

Therefore, the recommended staffing to support the internal audit function is as follows:

• For the 2010/11 fiscal year, minimum core staffing of 50% of the staffing component of the grant regulation
• For the 2011/12 fiscal year and onwards, minimum core staffing of 75% of the staffing component of the grant regulation

Appendix 1: Types of Internal Audit Engagements & Skill Sets Required

The following is a list of the audits types and other engagements relevant to the sector, with comments on whether the core RIAT will have the knowledge and expertise to execute the engagement:

• Operational Audit – A non-financial audit that involves an evaluation of effectiveness, efficiency, and economy of operations under management’s control. The process verifies the existence and effectiveness of management controls over the achievement of operating objectives. As an accounting or audit designation provides the skill set required, this type of audit can be executed by the RIAT staff.

• Financial Audit – Provides a level of assurance to the audit committee and senior management on the adequacy and effectiveness of controls surrounding the financial reporting activities. As an accounting or audit designation provides the skill set required, this type of audit can be executed by the RIAT staff.

• Compliance Audit – Determines degree of compliance with internal or external policies, plans, procedures, contracts, laws or regulations. As an accounting or audit designation provides the skill set required, this type of audit can be executed by the RIAT staff.

• Information Technology Audit – Evaluates IT functions and information systems from different perspectives, such as security, quality, service, efficiency, reliability, confidentiality and capacity. These audits are typically performed by those with, or working toward, the CISA (Certified Information Systems Auditor) designation. Many audit departments have an IT auditor(s) on staff, while others outsource this function. If the RIAT does not have a CISA designated auditor on staff, this type of audit would require specialist services external to the district school board.

• Investigations – An investigation into suspected or alleged fraud or other irregularities. Depending on the nature of the investigation, specialist services external to the district school board may be required. Fraud investigations are typically performed by those with, or working toward, the CFE (Certified Fraud Examiner) designation.

• Consulting Services – Other activities performed for the district school board that do not result in assurance or an opinion being provided. These may include:
• Responding to queries regarding policies, procedures and internal controls.
• Providing advice as members of committees (such as standing or temporary management committees and project teams).
• Performing formal engagements as defined in a written engagement letter.

Given that the provision of services would be based on the knowledge of the audit team, these services can be provided by the RIAT staff.

Internal Audit Staffing Guideline – September 9, 2010 & V2

Page 1 of 2