Progress Through Sharing

HOW TO EMPLOY AN

Internal Auditor
A GUIDE TO RESOURCING FOR INTERNAL AUDIT
 Progress Through Sharing
HOW TO EMPLOY AN

Internal Auditor
A GUIDE TO RESOURCING FOR INTERNAL AUDIT

Technical Guidance
Sector: All Economic Sectors • Focus: Internal Audit • Issue Date: 2009/08

2
 Index
OBJECTIVE.....................................................................................................................................................4

PREAMBLE......................................................................................................................................................4

EXECUTIVE SUMMARY..................................................................................................................................4

FOCUS FOR THE AUDIT COMMITTEE............................................................................................................5

FOCUS FOR THE EXECUTIVE..........................................................................................................................5

FOCUS FOR THE CAE.....................................................................................................................................5

FURTHER READING........................................................................................................................................6

ANNEXURE A : ISSUES TO CONSIDER WHEN DECIDING TO OUTSOURCE,

CO-SOURCE OR PROVIDE IN-HOUSE INTERNAL AUDIT SERVICES.............................................................7

ANNEXURE B : CONSIDERATIONS WHEN SELECTING RECRUITMENT

SOURCES........................................................................................................................................................9

ANNEXURE C : SKILLS COMPETENCY MATRIX............................................................................................10

ANNEXURE D : CONSIDERATIONS WHEN OUTSOURCING SOME OR

ALL INTERNAL AUDIT SERVICES....................................................................................................................12

ANNEXURE-E: PRACTICE ADVISORY 1210-1: PROFICIENCY......................................................................14

ANNEXURE-F: PRACTICE ADVISORY 1210.A1-1: OBTAINING SERVICES

TO SUPPORT OR COMPLIMENT THE INTERNAL AUDIT ACTIVITY.................................................................15

ANNEXURE-G: Standard 2000: Managing the Internal Audit Activity . ....................................16

ANNEXURE-H: PRACTICE. ADVISORY 2030-1: RESOURCE MANAGEMENT...............................................17

ANNEXURE-I: PRACTICE ADVISORY 2330.A1.1: CONTROL OF ENGAGEMENT RECORDS........................18

About the Institute....................................................................................................................................19

3
 How to employ an internal auditor
A Guide to resourcing for Internal Audit
Objective
This booklet is intended to act as a guideline for resourcing an
internal audit activity, whether employing staff in-house, co-
sourcing or outsourcing the activity. Where possible the relevant
standards and practice advisories have been included to support
the guidance.
An internal audit activity will be successful if it has the correct
quantity and quality staff, who perform well and have the diversity
of skills required to deliver on challenging demands from a varied
client base. This brochure will aid the reader to match the level
of skill required by the audit activity to the skills of the internal
auditor.
Who will benefit from the document?
• Audit Committee (AC)
• Executive management, Chief Executive Officer (CEO)
• Chief Audit Executive (CAE)
• Human Resources Department (HR)
• Recruitment Agents
Preamble
The decision to have an Internal Audit Activity (IAA) should
be taken at the strategic level of the organisation and should
include consideration of whether to staff the activity with in-house
personnel co-source or outsource. This decision will be influenced
by various factors such as management’s view and understanding
of the value of internal audit, the size, nature and complexity of
the organisation, the culture of the organisation, the cost versus
benefit, the industry norm, the risk profile of the organisation, the
audit maturity and the degree of specialisation required.
For an IAA to be effective the function needs to enjoy the support
of the Audit Committee, executive and senior management. In
SA the establishment of an IAA is legistlated by the PFMA (Public
Finance Management Act) and treasury regulations for central
and provincial government and the MFMA (Municipal Finance
Management Act) for local government.
Executive summary
The decision to secure internal audit services is not a simple one.
Many variables have to be considered, such as the extent to
which the Board are able to manage the structures and activities
of the organisation “hands on”, as well as the level of risk inherent
4
in the various structures and activities of the organisation. The level
of risk in turn will be influenced by, among other things, the size of
the organisation, the current state of change in the organisation,
whether the organisation is acquiring new businesses or unbundling,
the speed at which new products are taken to market etc. These
variables will all impact on the level of skills and experience required
by the internal audit activity and the number of auditors required
to provide sufficient assurance to the Board regarding the state of
internal control, risk and governance within the organisation.
The CAE will play a significant role in the determination of the
intensity of internal audit work required and thus should be the
key figure in the planning of the resourcing of the internal audit
activity.
Cognisance must be taken of the fact that the CAE, irrespective
of how the IAA is sourced, shall be an employee of the company
at an executive level. This is confirmed in a position paper issued
by the IIA Inc. on 20/06/2005 in which the following is stated:
“In cases where total outsourcing is selected as the method for
obtaining internal audit services, The IIA believes that oversight
and responsibility for the internal audit activity cannot be
outsourced. An in-house liaison, preferably an executive or senior
management-level employee should be assigned responsibility for
management of the internal auditing activity. Consideration of the
independence of the assigned in-house liaison must be evaluated
if this individual has other (non-internal audit) responsibilities.
The audit committee’s or equivalent governing body’s role is
also important in the oversight process and the level of active
oversight should be considered. A related publication entitled, The
Professional Practice Framework for Internal Auditing, is organized
to provide a full range of internal audit guidance and includes
The Standards and Ethics, and Practice Advisories, e.g. chief audit
executive’s role and responsibilities, independence considerations,
etc.” The definition of Chief Audit Executive in the Glossary of the
Standards provides further clarity.
The key decision to be made is whether to:
• Have a full internal audit activity within the organisation;
• Co-source i.e. outsource only certain internal audit activities
e.g. where specific specialist skills are required for ad-hoc
projects; or
• Outsource the internal audit activity entirely.
See Annexure A for guidance in this regard.
Irrespective of whether the activity is in-house, co-sourced or
outsourced, the skills matrix required to effectively service the
organisation should be determined and used as the basis for
ensuring the employment of the appropriately skilled resources.
This document advocates that even when the IIA is outsourced
the service provider should provide a full skills mapping to the
requirements of the organisation to ensure that the correct level of
service is being provided. This skills matrix should be drawn up by
the in-house CAE, based on the risk assessment and approved by
the audit committee.
The scope of the work to be covered and the risk profile and size
of the organisation will determine the levels and number of staff
required – there is no realistic benchmark for inter-organisational
comparison. This will also to a large extent be influenced by the
risk appetite of management and their understanding of, and
perceived need for internal audit.
The Annexures to this document provide more detailed guidance
on sourcing internal auditors and include selected Practice
Advisories relating to relevant internal auditing standards
Focus for the audit committee
The audit committee or the equivalent governing body should
provide the stamp of approval over the strategic decision to
employ internal audit in-house, co-source or outsource.
Treasury Regulations (Government Notice No 225 published in
Government Gazette No 27388 on 15 March 2005) as prescribed
under Section 76 of the Public Finance and Management Act
regulate the functioning of internal audit and audit committees
and thus it is important for all public sector entities to have
effective internal audit activities which add value. The Treasury
Regulations require compliance with the International Standards
for the Professional Practice of Internal Audit.
The King II Code fully endorses the International Standards for
the Professional Practice of Internal Audit and recommends that
companies should have an effective internal audit function that
has both the respect and co-operation of both the Board and
management. Should a Board decide not to establish an internal
audit activity full reasons should be disclosed in the annual report
and an explanation provided as to how assurance of effective
internal controls, processes and systems will be obtained.
The Audit Committee should provide confirmation of the skills/
competency mix required to ensure that the objective of the
internal audit activity of the organisation can be accomplished
effectively. This would then provide guidance over the selection
criteria (Annexure C) for the appointment of a CAE, and support
5
both executive management and the human resources activity in
ensuring that a suitable selection is made both in the employment
of an in-house CAE, and audit activity staff, however resourced.
The audit committee should ensure that when outsourcing and
co-sourcing the credentials of the contracting partner/person
and staff meet the skills and competency mix for the internal audit
activity as required by the organisation.
The audit committee should play a role in the appointment,
performance appraisal and, if merited, the dismissal of the CAE.
These roles should be defined in the charters of the audit activity
and the audit committee. The audit committee’s involvement
would serve to strengthen the governance processes surrounding
reporting on internal control processes within the organisation and
strengthen the independence of the CAE. The audit committee
would play the same role with outsourced and co-sourced
activities.
The first decision that has to be made when establishing an IAA
is whether to have an in-house , co-source or outsource activity -
refer Annexure A. Then follows the appointment of the CAE.
Focus for the executive
The executive should appoint the CAE in agreement with the audit
committee. It is reiterated that the IIA believes that oversight and
responsibility for the internal audit activity cannot be outsourced.
Annexure C provides guidance on the skills set that a CAE should
possess. Should one of the executives assume the role of the CAE
and the function be outsourced, then the relevant executive
should ensure that the leader of the appointed outsourced party
should have appropriate CAE skills.
The executive should agree the resourcing plan for the internal
audit activity with the CAE; this would include considerations to
in-source, co-source and outsource the internal audit activity
(refer Annexure H). The executive needs to ensure that all relevant
factors which could affect the provision of an effective internal
audit activity have been considered when determining the
resourcing strategy. Annexure D provides guidance on issues to
consider when making the decision to outsource or co-source.
Focus for the CAE
The key focus for the CAE is to ensure that the internal audit activity
is properly managed in accordance with the guidance provided
in Standard 2000 – refer Annexure G.
The CAE is responsible for sourcing the necessary skills set for the
effective provision of an internal audit service to the organisation:
this would include the establishment of the internal audit activity
including staffing, and/or the acquisition of co-sourced services
and the in-house skills set. Annexure A: Issues to consider when
deciding to outsource, co-source or provide in-house internal audit
services should aid the CAE when considering which resourcing
alternatives to consider.
If outsourcing or co-sourcing is required, Annexure D provides
guidance on issues to consider when concluding contractual
obligations with the service provider.
The CAE needs to ensure that the International Standards
for the Professional Practice for Internal Auditing are applied
when appointing personnel. Standard 1210 – Proficiency needs
to be considered during the screening process - states that:
“Internal auditors should possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities.
The internal audit activity collectively should possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities.” The Practice Advisory relating to this standard is
contained in Annexure E. Annexure C provides guidance on the
skills set (not exhaustive) that a CAE should consider when recruiting
at different skill levels. The CAE should ensure that the outsourced
personnel have the necessary skill to perform the assignment
Annexure B considers some of the advantages and disadvantages
that may be associated with recruiting internal audit personnel
from within the organisation, from external sources or from tertiary
institutions.

Further reading
If you would like to find out more about the subject the following publications may be of interest to you:

PUBLICATION AUTHOR PUBLISHER

The Professional Practices Framework (PPF) - The purpose of IIA Inc IIA Inc
the PPF is to organize the full range of internal audit guidance
and includes the Code of Ethics, The Standards, and Practice
Advisories.
Audit Committee Effectiveness What Works Best – 3rd Edition PricewaterhouseCoopers IIA Research Foundation
20 Questions Directors Should Ask about Internal Audit Canadian Institute of Chartered IIA Research Foundation
Accountants, IIA Research
Foundation
A Balanced Scorecard Framework for Internal Auditing Frigo, ML IIA Research Foundation
Departments
King II report King Committee on Corporate Institute of Directors (IOD)
Governance
Public Finance and Management Act (PFMA) SA Legislature Government Printers
Municipal Finance Management Act (MFMA) SA Legislature Government Printers

6
 Annexure A:
Issues to consider when deciding to outsource,
Co-source or provide in-house internal audit services
The most appropriate manner of resourcing an internal audit
activity (IAA) is an issue which management and Audit Committees
have grappled with over many years. The following are some
guidelines which should be considered when establishing an
IAA, or considering co-sourcing or outsourcing, but also at times
when change occurs in an organisation e.g. workloads increase,
downsizing, mergers and acquisitions and so on.
Definitions
In-house - an internal audit activity staffed mainly by permanent
employees of the entity.
Co-sourced (Partnering/ In-sourcing) - an existing in-house function
which contracts in other skills on a temporary or project basis. These
contracted skills are directly managed and supervised by the in-
house function as though employed by the entity itself.
CONSIDERATION I C
Executive Management and Audit Committee
understanding and expectations of internal audit
X X
• Effective IAA required to add value, provide strong
assurance on risk and control in all facets of the
business on a continuous basis
• IAA needed only as a measure to comply with
legislation or regulation
Size and complexity of the business requiring auditing
• Small, simple operations
• Small, complex operations X X
• Medium, simple operations X X
• Medium, complex operations X X
• Large, simple operations X X
• Large, complex operations X X
Structure of the organisation i.e. centralised /
decentralised/global operations
The structure of the organisation will determine
where the internal auditors will be domiciled. It is X X
usually effective for specialist auditors e.g. treasury
specialists to be centralised at headquarters with
operational auditors being decentralised
Cost
The cost of the IAA will always be a key
consideration; this is particularly relevant in small
organisations. An effective IAA should however be
able to deliver value-added services which should
adequately compensate for the cost of the function.
Operational change in an organisation X
Maturity of internal audit within the organisation X X
Outsourced - an external entity is contracted to provide all aspects
of the full internal audit service. NB – the Chief Audit Executive
(CAE) cannot be outsourced, must be an employee, and the
responsibility for and control over the delivery of service always
remains within the entity.
The decision on which of the methods would be most appropriate
for a particular organisation can be guided by the discussion points
in the table below. Each has advantages and disadvantages, and
the final choice will be determined by the specific circumstances
of the organisation, management’s view of the need for, and
understanding of internal audit and the ready availability of
suitable resources in the market.
Note: I = In-house, C = Co-source, O = Outsource. Where there
is an ‘x’ in more than one column, this indicates that alternatives
could be effective taking into account specific organisational
circumstances.
O COMMENTS
The size and complexity of the organisation should also be taken
X into account.
The CAE should still be accountable for effectively managing the
IAA to ensure that it adds value
X
X The key consideration is the knowledge of the business required by
the internal auditor. The more routine the operations, the easier it
will be for contractors to manage the audit on an ad-hoc basis. The
larger the organisation and the more complex, the easier it will be
for permanent employees to perform a continuous, comprehensive
audit and to be aware of nuances concerning control and risk that
X contractors would miss.
X Co-sourcing if effective where specialization is needed for ad-hoc
projects and it would not be feasible to employ a full time resource
A large decentralised operation works most effectively when it is
in-house, with certain activities co-sourced. Co-sourcing is also cost
effective when sourcing specialised skills which would be more
X
expensive to retain in-house. In addition, outsource service providers
usually have networks and structures, sometimes global, which allow
for such specialists to continuously upgrade their expertise
In-house IAA’s can often be more costly than an outsourced
activity. The latter can however never realistically attain the
same degree of business continuity and knowledge as full-time
employees, or build organisational relationships to the same extent.
When strategic or structural change occurs such as during
mergers and acquisitions or unbundling, there may be the need to
temporarily increase the review activities of internal audit and thus
co-sourcing specialists could be considered.
For start-up functions, the requirements might be much different
than for established internal audit functions. Strategic decisions
X could include merit for co-sourcing the establishment in order to
transfer skill or to establish an in-house function should required
resources be available.
7
General considerations

• In-house staff are always available in case of ad-hoc, urgent requests from management.

• In-house staff can become too close to their clients and risk losing objectivity. It is debatable whether outsourced services are entirely
objective due to their business imperative – both situations can be controlled through effective management.

• Loyalties of in-house staff will lie with their own organisation.

• In-house functions could become isolated within their own environment and not have the same extent of exposure to new or cutting
edge practices that outsourced service providers would.

• In-house IAA’s provide an extremely good training ground/nursery for future senior management. This is because internal auditors gain a
broad understanding of all the entity’s operations and risk exposures. This makes for very effective management succession planning.

• An in-house IAA acts as a constant source of skills transfer to operational staff.

• Certain outsourced staff may well have excellent client management skills which is advantageous when getting buy-in for implementation
of recommended changes. In addition, the external status of outsourced staff may cause them to be viewed by operational staff as
more ‘expert’ or credible than those of an in-house activity.

• Clients in an organisation can become reliant on expertise of certain outsourced staff, particularly as their knowledge of the business
increases. Staff turnover amongst contractors, especially regarding scarce skills, means that such staff are rarely available in the medium
or long term. This means a new learning curve for replacement staff and the risk of ineffective audit evaluations at least initially.

• In organisations where the IAA reports to operational management, the staff of an outsource function may be more independent than
in-house employees.

• Outsource service providers frequently have access to advanced technologies, leading edge methodologies and comprehensive
knowledge bases, which may be beyond the financial or technical reach of an in-house department.

• Co-sourcing can provide savings in the overall cost of audit coverage, by reducing down-time of “contingency staff” and increasing
efficiency through better methodologies and staff skills. This partnering can also serve as effective skills transfer.

• By working together with senior in-house employees, co-sourced staff have a shorter learning curve than a brand-new employee would
have.

• Co-sourcing can improve the IAA by making available specialised skills, industry and process knowledge as required, which the average
in-house function would either not require on a full time basis, or would not be able to hire and retain.

8
 Annexure B:
Considerations when selecting recruitment sources

There are three main sources of internal auditors namely, recruitment from within the organisation, external recruitment and recruitment from
a tertiary institution.

Advantages and disadvantages

RECRUITMENT FROM WITHIN THE
ORGANISATION
• Knowledge of the business operations and
organisational culture
• Will be unable to audit previous area of work
until a year has passed
• Audit training will be required but will be
able to start performing quickly and support
the other internal auditors with in-depth
organisational knowledge.
• May be less objective than external recruit
i.e. have difficulty in critically evaluating the
systems and the culture being influenced by
their previous experience
• No recruitment costs
• The IAA can be used as a training ground
for future senior positions as internal auditors
have a broad understanding of the entire
organisation, especially risk and control.
This allows for effective business succession
planning.
EXTERNAL RECRUITMENT
(including secondment of staff from
professional firms)
• Brings knowledge and experience from
other institutions
• Will take time to learn the business, but may
be able to perform more quickly and require
less supervision than university recruit
• Can view systems and procedures from a
fresh perspective
• Possible enhanced objectivity, but may
have undesirable work habits to be
overcome
• New employees could bring new ideas and
approaches
• May take time to adapt to environment
• Can be expensive particularly if a senior
position
• Unknown capability (although with
secondments from professional firms, one
contracts the firm and not only the individual
– so there is the option to “exchange”
the individual until comfortable with the
capability.
RECRUITMENT FROM TERTIARY INSTITUTIONS
• Can be trained as interns during vacation
• More training required than if recruiting
experienced staff. Learning curve shortened
if qualification includes internal audit
discipline
• Not influenced by any bad habits from
previous work environment
• Will be objective but may accept any
guidance without critical questioning
• May take time to adapt to environment
• Organisation is seen to provide job
opportunities; could aid equity development
• Is able to look at systems and procedures
from a fresh perspective
• No recruitment costs
• Unknown capability and would clearly have
an applied knowledge gap

9
 Annexure C:
Skills competency matrix

ENTRY LEVEL AUDITOR EXPERIENCED AUDITOR ADVANCED AUDITOR/ CAE

MANAGER
QUALIFICATIONS AND EXPERIENCES
Professional designations in Internal IAT i.e. two years of a GIA i.e. three year CIA CIA
Auditing: relevant qualification qualification plus
• IAT - Internal Audit Technician plus two years three years’ relevant and/or specialisation and/or specialisation
(SAQF level 6) experience experience. such as CCSA, CFSA, such as CCSA, CFSA,
• GIA – General Internal Auditor CGAP and CISA CGAP and CISA
(SAQF level 6) Completion of Specialised
• CIA – Certified Internal Auditor IAT would be an certifications CCSA,
(SAQF level 7) advantage CFSA, CGAP and CISA
Specialisations are useful
• CCSA – Certification in Control Self
Assessment Completion of
• CFSA – Certified Financial Systems Auditor GIA would be an
• CGAP – Certified Government Auditing advantage
Professional
• CISA – Certified Information Systems
Auditor
Relevant degree Preferable or Required or 5-10 years Required Required, preferably
e.g. a degree assisting with business studying toward a experience a business degree at
understanding such as nursing in a health relevant secondary Masters level such as
organisation would be relevant. Internal qualification MBA, MCom (Internal
Auditing as a degree or subject is an audit, IT audit, etc).
advantage. CA(SA) can be
appropriate if the core
business of the entity is
financial.
AUDITING SKILL AND COMPETENCE
Auditing experience Awareness Application to Integration Integration
integration
Corporate governance and risk Awareness Application to Integration Integration
management integration
• Risk analysis Awareness Application Integration Integration
Control frameworks Awareness Application Integration Integration
• Identifying types of controls (e.g. Awareness Application to Integration Integration
preventative, detective) integration
General Management Principles Awareness Application Integration Integration
Business knowledge Integration Integration
• Global and corporate view Awareness Application
• Strategic knowledge Awareness
• Operational knowledge Awareness Application
• Corporate politics and sensitivity Awareness Application
Information technology Awareness Application Integration Application
• Use of information technology Application Integration Integration Awareness
Statistical sampling Application Integration Integration Integration
Data collection and analysis Application Application Integration Integration
Fraud awareness and skills Awareness Awareness Awareness Awareness
Current knowledge of the PPF Application Integration Integration Integration
Planning and time management Awareness Application Integration Awareness
PERSONAL QUALITIES - BEHAVIOURAL SKILLS
Assertiveness Medium Medium High High
Emotional stability Medium Medium High High
Lateral thinking Medium Medium High High
Self motivation Medium Medium High High
Diligence High High High High
Good judgement / discernment Medium High High High
Creativity Medium High High High
Honesty, integrity and confidentiality High High High High

10
 ENTRY LEVEL AUDITOR EXPERIENCED AUDITOR ADVANCED AUDITOR/ CAE
MANAGER
PERSONAL QUALITIES - BEHAVIOURAL SKILLS (Continued)
Independence High High High High
Ethics sensitivity High High High High
Leadership Low Medium High High
Objectivity High High High High
Versitility with various levels of management Medium Medium High High
Ability to work independently Medium High High High
Conceptual thinking Medium Medium High High
Critical thinking Low Medium High High
Analytical ability and problem identification Medium Medium High High
INTERPERSONAL SKILLS
Verbal communication Ability to express ideas Medium High Excellent
Written communication including report Ability to express ideas Medium High Excellent
writing
Conflict management and resolution Ability to read the Application Integration Integration
situation
Presentation skills Demonstrable Application Integration Integration
Facilitation Awareness Demonstrable Integration Excellent and proven
Negotiation skills Awareness Application Integration Integration
Persuasion skills Awareness Application Integration Integration
Marketing skills Awareness Demonstrable Demonstrable Integration
Interpersonal relationships including Awareness Medium Excellent and proven Excellent and proven
relationship building
Political awareness Awareness Demonstrable Application Integration
Situational leadership Awareness Application to Integration Integration
integration
Interviewing Application Integration Integration Integration
Staff management, team building and Awareness Application Integration Excellent and proven
team member
Ability to market internal audit Awareness Application Application Integration
OTHER TECHNICAL SKILLS
IFRS, IFAC (where applicable) Awareness Application Integration Integration
Tax (where applicable) Awareness Application Integration Integration
Company law (where applicable) Awareness Application Integration Integration
Accounting (where applicable) Awareness Application Integration Integration
Other relevant Acts, legislation and Awareness Application Integration Integration
regulations
Research skills Awareness Application to Integration Awareness
integration
Financial analysis Awareness Application Application to Integration
integration
Total quality management Awareness Awareness Awareness Awareness
• ISO knowledge Awareness Awareness Awareness Awareness
Change management Awareness Awareness Integration Integration
Speciality area e.g. IT Security, Finance Application Integration Integration Integration
Application – Ability to cognitively apply knowledge to practical solutions within the specific audit environment whilst taking the impact on the audit universe into account
Awareness – Demonstrates an awareness of the competence or skill, but may not yet know how to apply it effectively
Demonstrable – Aware of the competence or skill and beginning to apply it effectively
High – High technical level of expertise in the relevant area and ability to source skill when expertise is lacking
Integration – Ability to strategically and cognitively apply knowledge and experience to practical solutions within the audit universe and across all business entities and
the external business environment
Medium – Medium level of expertise in the relevant area

11
 Annexure D:
Considerations when outsourcing some or all internal audit services

It is imperative that the contract with the service provide be managed to ensure the delivery of an efficient and effective co- or outsourced
service. Practice Advisory 1210.A1-1 provides guidance on acquiring services to compliment the IAA. The following should be considered
when outsourcing internal audit services to a service provider:

• Request for proposal

• Service Provider profile
• Contractual arrangements
• Contract administration
• Other considerations

Request for proposal

• Establish objectives – identify why and what the organisation wants to outsource
• Use the process to re-evaluate the rationale for existing audit work and what is most needed by the organisation
• Willingness to perform audit services in accordance with The Standards for the Professional Practice of Internal Auditing
• Experience and expertise of service provider in the practice of internal auditing
• Business experience of the firm/individuals who will perform the work
• Business arrangement (open records, ownership of deliverables including working papers)
• Supplier performance guarantees

(A model RFP is in preparation)

Service provider profile

The following should be considered when evaluating the internal audit services provider’s profile:

• Audit methodology encompassing the following:

• Internal audit software
• Audit approach which should be in accordance with IIA standards, specifically on risk assessment, planning, execution, reporting and
quality assurance
• Qualifications of the service provider - Experience, qualifications, skills and expertise of audit team including IT, Forensic and Performance
audit knowledge
• Client profile
• Professional membership of audit personnel on the assignment with the IIA
• Rates used versus experience of personnel on the assignment, comparison with similar firms and other in-sourced audit activities
• Independence, especially from the providers of external audit activities and with other clients who are competitors of the organisation
• Organisational culture match including ethical climate and risk management issues
• Proper employee appraisal system that includes measurement criteria as prescribed in the International Standards for the Professional
Practice of Internal Auditing
• Staffing training, turnover, rotation of staff, management
• Flexibility in staffing resources to meet engagement needs or special requests
• Insight into the organization by the service provider
• Coordination with in-house internal audit services
• Qualifications of the service provider’s individual staff members suggested to service the organisation (CV’s)
• References from clients
• Service providers’ detail on its own quality assessment status and outcome of its review

Contractual arrangements

The terms and conditions of the outsourced function should be signed and approved by all parties in writing in a formal contract. The
outsourced service will only be as good as the contract specifications that are used to acquire the service.

12
The contract should include the following:

• Assignment scope – good scope allows the measurement of results – Practice Advisory 1311-2 Establishing Measures (Quantitative Metrics and
Qualitative Assessments) to Support Reviews of Internal Audit Activity Performance provided guidance on potential measurement criteria
• Confidentiality clause
• Liability clause
• Performance criteria and corrective mechanisms
• Termination of contract
• Duration of contract
• Right of the organisation to request removal of supplier personnel for non-performance issues
• Responsibility of both parties
• Ownership of intellectual property by both parties (make it clear who owns what)
• Confidentiality requirements: Third party providers should be required to contractually honour information obtained during the course of
their work, information security and security clearance
• Address the client’s actions and rights if the supplier is found to be negligent
• Minimum requirements to skill sets, qualifications etc of staff to be deployed on this contract
• Reporting arrangements. Ensure that the contract has requirements for suppliers to produce monthly performance reports comparing
actual performance against specifications established in the contract
• Retention, access to and ownership of working papers by third parties and the contracting organisation. Refer to Annexure I. Retain the
right to access and review working papers at anytime. The organisation can also request that the audit be performed according to its
audit manual and procedures and not that of the supplier.
• Professional standards followed by the service provider - Statement that the work will be performed in accordance with the International
Standards for the Professional Practice of Internal Auditing
• Statement that the work performed will be subject to a quality assessment review on the request of the contracting organisation
• Nature of services to be provided (internal audit, risk management, forensic etc)
• Duration of project/s
• Independence of the supplier relative to the other services provided to the organisation (i.e. external audit, line duties normally performed
by management, on-going monitoring of internal controls)
• Supplier to comply with company ethics and governance practices.
• Appropriate approval of the contract
• Limitation of supplier liability may need to be considered

Contract administration

• Conduct ongoing reviews of suppliers work

• Verify accuracy of the measurement tools and the vendor charges
• Review audit cost savings justifications
• Determine that a tracking system is in effect to monitor supplier performance on an ongoing basis

Other considerations

• Allegiance of in-house versus external service provider

• Retention of institutional knowledge for future assignments (transfer of skills and knowledge)
• Access to best practice or insight to alternative approaches
• Culture of the organization e.g. receptiveness to service providers
• Coverage of remote locations
• Coordination with external auditors
• Use of internal auditing as a training ground for internal promotion
• Liaison with Audit Committee as well as other assurance providers in the organisation

13
 Annexure E:
Practice Advisory 1210-1: Proficiency

Primary Related Standard

1210 – Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal
audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Interpretation:

Knowledge, skills, and other competencies is a collective term that refers to the professional proficiency required of internal auditors to
effectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining
appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered
by The Institute of Internal Auditors and other appropriate professional organizations.

Practice Advisory

1. The knowledge, skills, and other competencies referred to in the standard include:
• Proficiency in applying internal audit standards, procedures, and techniques in performing engagements. Proficiency means the
ability to apply knowledge to situations likely to be encountered and to deal with them appropriately without extensive recourse to
technical research and assistance.
• Proficiency in accounting principles and techniques if internal auditors work extensively with financial records and reports.
• Knowledge to identify the indicators of fraud.
• Knowledge of key information technology risks and controls and available technology-based audit techniques.
• An understanding of management principles to recognize and evaluate the materiality and significance of deviations from good
business practices. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize
significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.
• An appreciation of the fundamentals of business subjects such as accounting, economics, commercial law, taxation, finance,
quantitative methods, information technology, risk management, and fraud. An appreciation means the ability to recognize the
existence of problems or potential problems and to identify the additional research to be undertaken or the assistance to be
obtained.
• Skills in dealing with people, understanding human relations, and maintaining satisfactory relationships with engagement clients.
• Skills in oral and written communications to clearly and effectively convey such matters as engagement objectives, evaluations,
conclusions, and recommendations.

2. Suitable criteria of education and experience for filling internal audit positions is established by the chief audit executive (CAE) who gives
due consideration to the scope of work and level of responsibility and obtains reasonable assurance as to each prospective auditor’s
qualifications and proficiency.

3. The internal audit activity needs to collectively possess the knowledge, skills, and other competencies essential to the practice of the
profession within the organization. Performing an annual analysis of an internal audit activity’s knowledge, skills, and other competencies
helps identify areas of opportunity that can be addressed by continuing professional development, recruiting, or co-sourcing.

4. Continuing professional development is essential to help ensure internal audit staff remains proficient.

5. The CAE may obtain assistance from experts outside the internal audit activity to support or complement areas where the internal audit
activity is not sufficiently proficient.

14
 Annexure F:
Practice Advisory 1210.A1-1:
Obtaining external service providers to support or complement the internal audit activity

Primary Related Standard

1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.

Practice Advisory

1. Each member of the internal audit activity need not be qualified in all disciplines. The internal audit activity may use external service providers
or internal resources that are qualified in disciplines such as accounting, auditing, economics, finance, statistics, information technology,
engineering, taxation, law, environmental affairs, and other areas as needed to meet the internal audit activity’s responsibilities.

2 An external service provider is a person or firm, independent of the organization, who has special knowledge, skill, and experience in a
particular discipline. External service providers include actuaries, accountants, appraisers, culture or language experts, environmental
specialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, the
organization’s external auditors, and other audit organizations. An external service provider may be engaged by the board, senior
management, or the chief audit executive (CAE).

3 External service providers may be used by the internal audit activity in connection with, among other things:
• Achievement of the objectives in the engagement work schedule.
• Audit activities where a specialized skill and knowledge are needed such as information technology, statistics, taxes, or language translations.
• Valuations of assets such as land and buildings, works of art, precious gems, investments, and complex financial instruments.
• Determination of quantities or physical condition of certain assets such as mineral and petroleum reserves.
• Measuring the work completed and to be completed on contracts in progress.
• Fraud and security investigations.
• Determination of amounts, by using specialized methods such as actuarial determinations of employee benefit obligations.
• Interpretation of legal, technical, and regulatory requirements.
• Evaluation of the internal audit activity’s quality assurance and improvement program in conformance with the Standards.
• Mergers and acquisitions.
• Consulting on risk management and other matters.

4 When the CAE intends to use and rely on the work of an external service provider, the CAE needs to consider the competence,
independence, and objectivity of the external service provider as it relates to the particular assignment to be performed. The assessment
of competency, independence, and objectivity is also needed when the external service provider is selected by senior management
or the board, and the CAE intends to use and rely on the external service provider’s work. When the selection is made by others and the
CAE’s assessment determines that he or she should not use and rely on the work of the external service provider, communication of such
results is needed to senior management or the board, as appropriate.

5 The CAE determines that the external service provider possesses the necessary knowledge, skills, and other competencies to perform the
engagement by considering:
• Professional certification, license, or other recognition of the external service provider’s competence in the relevant discipline.
• Membership of the external service provider in an appropriate professional organization and adherence to that organization’s code of ethics.
• The reputation of the external service provider. This may include contacting others familiar with the external service provider’s work.
• The external service provider’s experience in the type of work being considered.
• The extent of education and training received by the external service provider in disciplines that pertain to the particular engagement.
• The external service provider’s knowledge and experience in the industry in which the organization operates.

6 The CAE needs to assess the relationship of the external service provider to the organization and to the internal audit activity to ensure
that independence and objectivity are maintained throughout the engagement. In performing the assessment, the CAE verifies that
there are no financial, organizational, or personal relationships that will prevent the external service provider from rendering impartial and
unbiased judgments and opinions when performing or reporting on the engagement.

7 The CAE assesses the independence and objectivity of the external service provider by considering:
• The financial interest the external service provider may have in the organization.
• The personal or professional affiliation the external service provider may have to the board, senior management, or others within the
organization.
• The relationship the external service provider may have had with the organization or the activities being reviewed.
• The extent of other ongoing services the external service provider may be performing for the organization.
• Compensation or other incentives that the external service provider may have.

15
 Annexure-G:
Standard 2000: Managing the Internal Audit Activity

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

Interpretation:

The internal audit activity is effectively managed when:

• The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter;
• The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and
• The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

16
 Annexure-H:
Practice Advisory 2030-1: Resource management

Primary Related Standard

2030 – Resource Management

The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.

Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of
resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement
of the approved plan.

Practice Advisory

1. The chief audit executive (CAE) is primarily responsible for the sufficiency and management of internal audit resources in a manner that
ensures the fulfillment of internal audit’s responsibilities, as detailed in the internal audit charter. This includes effective communication of
resource needs and reporting of status to senior management and the board. Internal audit resources may include employees, external
service providers, financial support, and technology-based audit techniques. Ensuring the adequacy of internal audit resources is ultimately
a responsibility of the organization’s senior management and board; the CAE should assist them in discharging this responsibility.

2. The skills, capabilities, and technical knowledge of the internal audit staff are to be appropriate for the planned activities. The CAE
will conduct a periodic skills assessment or inventory to determine the specific skills required to perform the internal audit activities. The
skills assessment is based on and considers the various needs identified in the risk assessment and audit plan. This includes assessments
of technical knowledge, language skills, business acumen, fraud detection and prevention competency, and accounting and audit
expertise.

3. Internal audit resources need to be sufficient to execute the audit activities in the breadth, depth, and timeliness expected by senior
management and the board, as stated in the internal audit charter. Resource planning considerations include the audit universe, relevant
risk levels, the internal audit plan, coverage expectations, and an estimate of unanticipated activities.

4. The CAE also ensures that resources are deployed effectively. This includes assigning auditors who are competent and qualified for specific
assignments. It also includes developing a resourcing approach and organizational structure appropriate for the business structure, risk
profile, and geographical dispersion of the organization.

5. From an overall resource management standpoint, the CAE considers succession planning, staff evaluation and development programs,
and other human resource disciplines. The CAE also addresses the resourcing needs of the internal audit activity, whether those skills are
present or not within the internal audit activity itself. Other approaches to addressing resource needs include external service providers,
employees from other departments within the organization, or specialized consultants.

6. Because of the critical nature of resources, the CAE maintains ongoing communications and dialog with senior management and the
board on the adequacy of resources for the internal audit activity. The CAE periodically presents a summary of status and adequacy of
resources to senior management and the board. To that end, the CAE develops appropriate metrics, goals, and objectives to monitor the
overall adequacy of resources. This can include comparisons of resources to the internal audit plan, the impact of temporary shortages
or vacancies, educational and training activities, and changes to specific skill needs based on changes in the organization’s business,
operations, programs, systems, and controls.

17
 Annexure-I:
Practice Advisory 2330.A1-1: Control of Engagement Records

Primary Related Standard

2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of
senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

Practice Advisory

1. Internal audit engagement records include reports, supporting documentation, review notes, and correspondence, regardless of storage
media. Engagement records or working papers are the property of the organization. The internal audit activity controls engagement
working papers and provides access to authorized personnel only.

2 Internal auditors may educate management and the board about access to engagement records by external parties. Policies relating
to access to engagement records, handling of access requests, and procedures to be followed when an engagement warrants an
investigation, need to be reviewed by the board.

3 Internal audit policies explain who in the organization is responsible for ensuring the control and security of the activity’s records, which
internal or external parties can be granted access to engagement records, and how requests for access to those records need to be
handled. These policies will vary depending on the nature of the organization, practices followed in the industry, and access privileges
established by law.

4 Management and other members of the organization may request access to all or specific engagement working papers. Such access
may be necessary to substantiate or explain engagement observations and recommendations or for other business purposes. The chief
audit executive (CAE) approves these requests.

5 The CAE approves access to engagement working papers by external auditors.

6 There are circumstances where parties outside the organization, other than external auditors, request access to engagement working
papers and reports. Prior to releasing the documentation, the CAE obtains the approval of senior management and/or legal counsel, as
appropriate.

7 Potentially, internal audit records that are not specifically protected may be accessed in legal proceedings. Legal requirements vary
significantly in different jurisdictions. When there is a specific request for engagement records in relation to a legal proceeding, the CAE
works closely with legal counsel in deciding what to provide.

18
 About the Institute
The Institute of Internal Auditors (IIA Inc), established in 1941, is the leading non-profit professional body representing the interests of internal
auditors worldwide. It is the internationally recognized authority, principle educator and acknowledged leader in certification, research
and technology guidance for the profession. It is also the creator and custodian of the International Standards for the Professional
Practice of Internal Auditors, and the Code of Ethics to which all members must adhere. In serving its members, it is dedicated to the
education and advancement of internal auditors.

The Institute of Internal Auditors South Africa (IIA SA) is an association incorporated as a non-profit organisation and is affiliated to the
Institute of Internal Auditors Inc, (IIA Inc) as a National Institute. All funds are applied directly to member benefits and administration.

The Internal Auditor

The scope of the Internal Auditor encompasses the examination and evaluation of the adequacy and effectiveness of the organisation’s
system of internal control and the quality of the organisation’s performance. The importance of the internal auditing function is emphasized
by recognition in the King Report on Governance, and the Public Finance Management Act, the Municipal Finance Management Act
as well as Treasury regulations.

19
2008 Annual Report

ProgressP Through
O Box 2290 Sharing
Bedfordview
2008

Telephone: +27 11 450 1040 • Facsimile: +27 11 450 1070

Website: www.iiasa.org.za