Guidelines for Internal Audit
1. Purpose
- The purpose of this guideline is to enable Internal Auditing to fully understand its roles and responsibilities in terms of risk management; and
- to assist Internal Auditing in discharging their responsibility for risk management.
Internal Auditing means an independent, objective assurance and consulting activity designed to add value and improve an Institution's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
2. Application
This guideline is applicable to the following Internal Audit functions:
· In-house Internal Audit Function - where there is a fully established internal audit within the Institution;
· Co-sourced Internal Audit Function - where there is a presence of a core internal audit capacity within the Institution, which is supplemented by the services of an external service provider;
· Outsourced Internal Audit Function - where the internal audit function of an Institution is fully outsourced to an external service provider; and
· Shared Internal Audit Function - where more than one Institution shares the pool of internal audit resources.
3. How to navigate the guideline
The guideline has been structured according to the sections noted below. Each of the sections contains underlying information that can be accessed by clicking on the title.
· Legal mandate (Section 4)
· Strategic value of Internal Audit in risk management (Section 5)
· High level responsibilities of Internal Audit (Section 6)
· Evaluation criteria (Section 7)
· Additional reading / reference (Section 8)
4. Legal mandate and corporate governance
4.1 Legal context
Legislating the implementation of risk management in public sector Institutions is part of a macro strategy of Government towards ensuring the achievement of national goals and objectives. The following legislative instruments provide the legal foundation for Internal Audit's responsibility for risk management:
National Departments
· Section 38 (1)(a)(ii) of the Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) (PFMA);
· Treasury regulations TR3.2.6;
· Treasury regulations TR3.2.7;
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
Constitutional Institutions
· Section 38 (1)(a)(ii) of the Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) (PFMA);
· Treasury regulations TR3.2.6;
· Treasury regulations TR3.2.7;
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
Provincial Departments
· Section 38 (1)(a)(ii) of the Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) (PFMA);
· Treasury regulations TR3.2.6;
· Treasury regulations TR3.2.7;
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
Public Entity
· Section 51(a)(ii) of the Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) (PFMA);
· Treasury regulations TR27.2.6;
· Treasury regulations TR27.2.7;
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
Provincial Entity
· Section 51(a)(ii) of the Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) (PFMA);
· Treasury regulations TR27.2.6;
· Treasury regulations TR27.2.7;
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
Municipalities
· Section 165(2)(b)(iv) of the Municipal Finance Management Act (Act 56 of 2003) (MFMA);
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
Municipal Entity
· Section 165(2)(b)(iv) of the Municipal Finance Management Act (Act 56 of 2003) (MFMA);
· International standards for the Professional Practice of Internal Auditing - Performance standard 2110.
4.2 Corporate Governance
The Institution can draw guidance from the following:
· King III Report on Corporate Governance; and
· Batho Pele principles.
5. Strategic value of Internal Auditing in risk management
Internal Auditing is accountable to the Accounting Authority / Officer for providing independent, objective assurance on the effectiveness of the Institution’s system of risk management. Hence, Internal Auditing should evaluate the effectiveness of the entire system of risk management and provide recommendations for improvement where necessary.
Although best practice indicates that Internal Auditing should not be in direct control of the risk management function, Internal Auditing may perform advisory and consulting engagements on risk management in accordance with applicable standards (refer to the International standards for the Professional Practice of Internal Auditing - Performance standard 2110).
Internal Auditing should pursue a risk-based approach to planning as opposed to a compliance approach that is limited to evaluation of adherence to procedures. A risk-based internal audit approach has the benefit of assessing whether the process intended to serve as a control is an appropriate risk measure.
6. High level responsibilities of Internal Auditing
To derive optimal benefits, risk management ought to be conducted in a systematic manner, using proven methodologies, tools and techniques.
In terms of the International Standards for the Professional Practice of Internal Auditing, determining whether risk management processes are effective is a judgment resulting from the Internal Auditor’s assessment that:
· Institutional objectives support and align with the Institution’s mission;
· significant risks are identified and assessed;
· risk responses are appropriate to limit risk to an acceptable level; and
· relevant risk information is captured and communicated in a timely manner to enable the Accounting Officer / Authority, Management, Risk Management Committee, Audit Committee and other officials to carry out their responsibilities.
Other responsibilities of Internal Auditing in risk management include:
· Providing assurance that the risk management culture in the Institution is an appropriate one;
· Providing assurance that the risk register is an appropriate reflection of the risks facing the Institution;
· Providing assurance that risk management is carried out in a manner that benefits the Institution; and
· Providing assurance that the risk management strategy, risk management implementation plan and fraud prevention plan have been effectively implemented within the Institution.
Where Internal Auditing assumes the role of the Chief Risk Officer, the risk management responsibilities of that role include:
· assisting Management to develop the risk management policy, strategy and implementation plan;
· maintaining and developing the risk management framework;
· championing establishment of risk management;
· co-ordinating risk management activities;
· facilitating identification and assessment of risks;
· recommending risk responses to Management; and
· developing and disseminating risk reports.
When assisting Management in establishing or improving risk management processes, Internal Auditing must refrain from assuming management responsibilities for risk management. Internal Auditing should provide Management with advice, and challenge or support the decisions of Management on risk management. Internal Auditing should document the nature of its responsibilities in the Internal Auditing Charter for approval by the Audit Committee.
7. Evaluation
Insofar as it concerns the responsibilities of Internal Auditing for risk management, the Accounting Officer / Authority should evaluate the performance of Internal Auditing through the following and other relevant indicators:
· timeliness and quality of assurance on risk management;
· timeliness and quality of recommendations to improve risk management; and
· adoption of risk-based auditing.
8. Additional reading / reference
A catalogue of additional resources is included below to assist Internal Auditing to facilitate implementation of risk management. Click on the relevant link to access these documents.