Auditing is an independent, objective, assurance and consulting activity that adds value to and improves an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The risk-based approach toward auditing is mandated by the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) and is the only way to ensure that the priorities of the OIG activity are consistent with the organization's goals. Such an approach gives OIG auditors the opportunity to become intimately familiar with the organization's risk appetite and tolerance, allowing them to target high-impact areas, appropriately allocate scarce resources, and be well positioned to advise management on vulnerabilities and corrective actions.
The Institute of Internal Auditors (IIA) is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator worldwide. Established in 1941, the IIA serves members from all around the world in internal auditing, governance, internal control, IT auditing, education, and security.
Independence: The audit charter should establish independence of the internal audit activity by the dual reporting relationship to management and the organization’s most senior oversight group. Specifically, the CAE should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. OIG should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
Objectivity: To maintain objectivity, OIG auditors should have no personal or professional involvement with or allegiance to the area being audited, and should maintain an unbiased and impartial mindset in regard to all engagements.
Although they are independent of the activities they audit, OIG auditors are integral to the organization and provide ongoing monitoring and assessment of all activities. In contrast, external auditors are independent of the organization, and provide an annual opinion on the financial statements. The work of the OIG and external auditors should be coordinated for optimal effectiveness and efficiency.
Enterprise Risk Management is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. Implemented by management, ERM is evaluated by the OIG auditors for effectiveness and efficiency.
OIG auditors support management's efforts to establish a culture that embraces ethics, honesty, and integrity. They assist management with the evaluation of internal controls used to detect or mitigate fraud, evaluate the organization's assessment of fraud risk, and are involved in any fraud investigations.
As part of The IIA's Professional Practices Framework, the International Standards for the Professional Practice of Internal Auditing (Standards) outline the tenets of the internal audit profession. Other applicable guidance, pronouncements, and regulations may also have an impact on how internal auditing is performed, and may provide clarification and delineation of acceptable and recommended processes.
Effective prioritization involves staying in sync with the organization's risk priorities and taking a risk-based approach to internal audit planning. By continuously monitoring organizational changes that might alter the plan, the Inspector General should be well equipped and positioned to make informed and educated recommendations to management and the board on the most effective use of audit resources.