The ability of the internal audit function to achieve desired objectives depends largely on the independence of audit personnel. Generally, the position of the auditor within the organizational structure of the institution, the reporting authority for audit results, and the auditor's responsibilities indicate the degree of auditor independence. The board should ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors.
The auditor's independence is also determined by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations. For an effective program, the board should give the auditor the authority to:
- Access all records and staff necessary to conduct the audit, and
- Require management to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action.
Internal auditors should discuss their findings and recommendations periodically with the audit committee or board of directors.
Ideally, the internal audit manager should report directly to the board of directors or its audit committee regarding both audit issues and administrative matters. Administrative matters in this context include routine personnel matters such as leave and attendance reporting, expense account management, and other departmental matters such as furniture, equipment, and supplies. Alternatively, an institution may establish a dual reporting relationship where the internal audit manager reports to the audit committee or board for audit matters and to institution executive management for administrative matters. The objectivity and organizational stature of the internal audit function are best served under such a dual arrangement if the internal audit manager reports administratively to the chief executive officer (CEO), and not to the chief financial officer (CFO) or a similar officer who has direct responsibility for the systems being audited. The board or its audit committee should determine the internal audit manager's performance evaluations and compensation.
The formality and extent of an institution's internal IT audit function depend on the institution's size, complexity, scope of activities, and risk profile. It is the responsibility of the audit committee and management to carefully consider the extent of auditing that will effectively monitor the internal control system, subject to consideration of the internal audit function's costs and benefits. For larger institutions or institutions with complex operations, the benefits derived from a full-time manager of internal audit or an audit staff will likely outweigh the cost. For small institutions with few employees and/or simple operations, these costs may outweigh the benefits. Nevertheless, an institution without an internal auditor can ensure that it maintains an objective and independent internal function by implementing comprehensive internal reviews of significant internal controls. The key characteristic of such reviews is that the person(s) directing or performing the review is (are) not also responsible for managing or operating those controls.
Independence and Staffing of Internal IT Audit