Internal audit for CIPS



A Q&A on the vital role internal audit can play in an organization’s systems

The internal audit function plays a key role in assessing and reporting on an organization’s risk management and internal controls, and in reviewing management information systems. Internal audit functions are seen as business partners, adding value to the organization beyond compliance.

Management of an organization with an internal audit function should have a general understanding of its role and contribution, with its audit committee able to confirm that the function is properly constituted, has the necessary resources, and operates professionally. Boards of medium to large organizations that do not have an internal audit function should assess the need at least annually.

Management within the Commerce, Industry and Public Sector industry (CIPS) operating in Luxembourg needs to understand the contribution of internal audit and to realize the best practices which can be implemented.

The Audit Committee is responsible for ensuring that management has implemented an effective system of internal control to manage the risks facing the organization. In larger and more complex organizations, an internal audit function can provide cost-effective and independent assurance that internal control is effective, provided that it has an appropriate role and mandate.

The following questions, together with related guidance, will put senior management in a position to understand what internal audit functions they need and what they may already have in place.


Many medium and large organizations have an internal audit function. This is a requirement for companies listed on the Luxembourg Stock Exchange and for banks and other financial institutions with major fiduciary responsibilities. Other companies have an internal audit function as it is considered to be a valuable element of management control which provides assurance to the audit committee and adds to the organization’s credibility with investors and creditors.

Management is responsible for establishing and maintaining a system of internal financial controls and, in some cases, may be required by regulators to provide written certification of the adequacy of such controls. Legal and regulatory requirements are changing fast and companies must make sure they are aware of the latest rules.

In smaller organizations, managers are usually close enough to daily operations that they can effectively supervise and monitor the activities of their staff. When the volume and/or complexity of transactions becomes too great, management may need to add people whose primary role is to check the work of others and thereby strengthen internal control.

Organizations that do not have an internal audit function should give strong consideration to establishing one if their size and type of business, source of capital, and risk factors warrant it. The potential benefits of the internal audit function should be assessed and compared against the estimated costs.

Internal auditing is a valuable resource for management and the audit committee because of its objectivity, auditing skills, and in-depth knowledge of the organization. Internal audit does not perform the internal controls since this is a line management responsibility, but its role does provide another level of assurance to management and the audit committee that controls are effective. Historically, the emphasis was on compliance with company policy and the deterrence, prevention, and detection of fraud and errors, which are still important elements of the internal audit function.

Over time, many internal audit functions have addressed broader aspects of control and provide services in other areas, including:

  • Reviewing controls over major projects and new systems to help anticipate problems. This can enable timely corrective action and allows for controls to be “built in” rather than retro-fitted after being detected by a subsequent audit or system failure;
  • Conducting audits of the efficiency and effectiveness of operations;
  • Assessing the risks related to reputation, customer service, the environment, privacy, etc.;
  • Providing consultation and advisory services on enterprise risk management and control;
  • Participating in the investigation of fraud.

The role of the internal audit should be formally defined in a written charter, approved by the audit committee, with annually reviewed activities outlined in an audit plan.

Internal auditors need a mandate that provides the authority they need within a structure that supports their independence and objectivity. This can best be achieved through a written charter that is aligned with an approved mandate and compatible with best current practices and the needs of the audit committee. Any restrictions by management should be disclosed to, and approved by, the audit committee.

Internal audit should not have any operational accountability or perform functions that would be subject to subsequent internal audit review. The internal audit charter is reviewed and updated regularly and includes:

  • Role and responsibilities of the internal audit function;
  • Functional reporting relationship to the audit committee;
  • Administrative reporting relationship;
  • Access to corporate employees, facilities, and records (including those of contractors);
  • Any restrictions of the scope or authority of internal audit;
  • Requirement that managers cooperate with internal audit and respond to reports;
  • Code of ethics;
  • Internal audit standards;
  • Relationship with external auditors;
  • Distribution of audit reports and summaries;
  • Follow up of recommendations;
  • Specific mention of areas such as fraud, technology, safety, environment, etc. as may be required for clarification;
  • The right of the chief audit executive to attend audit committee meetings.

Internal auditing activities can be conducted by:

  • In-house resources: The organization may assign responsibility for audit activities to a corporate internal audit department or include some audit activities in the responsibilities of line functions (for risks such as safety, environment, etc.). The internal audit department may include staff from other departments as part of the audit team.
  • Outsourcing: The organization may fully outsource the internal audit by engaging an external firm that performs the entire function and then reports to a designated executive.
  • A combination of the above: The organization may outsource specific activities or projects to specialist firms or include one or more outside experts with internal audit staff on a project team.

The internal audit function is a major source of information and assurance to the audit committee on internal financial controls and other risk management activities. For this reason, most internal audit functions have a functional reporting relationship to the audit committee which is defined in the charter of internal audit and the audit committee. A key element of this relationship is a direct channel of communication between the chief audit executive and the audit committee. This typically includes provisions for the chief audit executive to have access to the chair of the audit committee and attend audit committee meetings to present the plan for approval and to report findings.

The CFO and chief audit executive are usually present at all audit committee meetings. Much of the work performed by the committee relates to the roles of these individuals and one or the other may take a role in supporting the committee’s planning activities. There is generally no requirement for the CEO to be present at such meetings, but in many cases he or she may attend for information purposes.

Chief audit executives do not generally attend Board meetings. At least annually, the chair of the audit committee should report to the Board, referencing internal audit’s effectiveness, capabilities, the results of its work, and any concerns.

An annual plan is the key element of the internal audit function and its ability to meet the needs and expectations of the audit committee, external auditors, and senior management. An audit plan is prepared based on a comprehensive review and analysis of the organization’s business activities and associated risks. Where an enterprise risk management process is already in place, this will provide a critical basis for developing a plan aligned with corporate priorities. It includes all projected internal audits and other activities, including reviews of the development of new systems and critical business projects. The audit plan includes the budget and staff resources required to accomplish its goals but allows flexibility to respond to unforeseen issues and events during the year. A regular review and update is essential to consider any changes.

The prevention, deterrence, and detection of fraud are the responsibility of management. The usual role of internal auditors is to develop audit programs and procedures to evaluate the internal controls that management has established in order to manage the risk of fraud. In practice, auditing sometimes deters employees from committing fraud and occasionally detects a fraud, but these are not usually the major objectives of auditors.

The term “fraud” covers a number of activities, some of which could be:

  • Property fraud: The theft or misuse of assets and, sometimes, the related information;
  • Financial reporting fraud: The manipulation of information to mislead or deceive stakeholders.

Internal audit may participate in the investigation of fraud and provide forensic accounting services—provided that it is cost-effective to do so. The skills to investigate fraud may be within the internal audit function, or in a separate security department.

It is critical that the internal audit staff have the diverse set of skills, industry knowledge, and experience (supplemented where necessary by external resources) to provide the control assurance and related advice that the audit committee requires.

Consideration should be given to using the expertise of other corporate staff, engaging outside experts, or outsourcing where the necessary skills do not reside within internal audit.

Internal audit periodically reports to the audit committee on its staff capabilities, including academic and professional qualifications and years of audit, industry, and organizational experience.

Audit reports and findings are in writing and include the scope and objectives of the audit, the findings, and recommendations for improving control. These reports:

  • Are action-oriented and include comments and proposals for corrective action from the management of the audited business unit;
  • Are balanced, reporting the positive risk and control practices as well as the weaknesses observed;
  • Identify the best practices observed throughout the organization;
  • Rate recommendations as high, medium, or low in order to assist management in assigning priority to the issues raised.

The chief audit executive provides summaries of audit reports to senior management and the audit committee. The level of detail depends on the size of the organization, but is sufficient to allow the audit committee to understand the types and frequency of control issues that internal audit raises and how management is responding to them.

Good internal audit functions have processes for assessing their own effectiveness. They use the results, together with feedback from the stakeholders, to monitor trends over time and achieve continuous improvement in their practices and performance. Examples of measurement techniques include customer satisfaction surveys, post audit debriefing, and internal quality assurance reviews.

How Deloitte can help

Deloitte is recognized as a leader in internal audit services in Luxembourg. Through years of experience, we have developed extensive expertise in a wide range of regulated and non-regulated industries such as transportation, public entities, healthcare, real estate, technology, research centers, and manufacturing.

Deloitte helps organizations to establish and improve their internal audit functions by supporting companies in:

  • Creation: We help build value-adding and leading functions adaptable to our client’s environment;
  • Co-sourcing: We offer a flexible solution to supplement your internal audit team with external resources of specialized skills;
  • Outsourcing: We can fully adopt the role and serve as the organization’s internal audit department;
  • Strategic audit plan development: We analyze risk-driven plans to reach specific management or Board objectives using a prioritized risk universe;
  • Internal audit function review and enhancement: We can measure the internal audit quality, benchmark, and transformation;
  • Internal audit training, methodology, and tools: As our team stays abreast of the latest trends and guidelines, we are able to offer tuition for both staff and management.


Laurent Berliner


Partner | EMEA FSI Risk Advisory Leader

Besides his service responsibilities for many of our clients, Laurent leads the international relations of our Luxembourg firm to sustain our international development from a client, service, talent an...

Jérôme Sosnowski


Partner | Risk Advisory

Jérôme started his career at Deloitte Luxembourg in 1998 as an external auditor and joined the Enterprise Risk Services practice in 2000 covering the financial service industry. He left Deloitte in 2002 ...
