Assignment1TeresaRichardon1237669 Question 3 Memorandum Date: September 21, 2013 To: John Smith, CEO From: Teresa Richardson, CAE

RE: Independence and Objectivity of the Internal Audit Department As requested, I have prepared the following outline with the goal of reassuring senior management that the internal audit department is both independent and objective. I have provided detail on what is considered independence and objectivity, based on guidance from the International Institute of Internal Auditors (IIA). I have also outlined steps taken by TechNet to ensure the internal audit department is in fact independent and objective. The internal audit department at TechNet is in full compliance with the IIAs International Standards for the Professional Practice of Internal Auditing. Standard 1100 of the IIA require that the internal audit activity must be independent, and internal auditors must be objective in performing their work. Independence refers to the freedom of the internal auditor to carry out activities in an unbiased manner. Objectivity refers to an unbiased mental attitude of the internal auditor without subordinating their judgement to others. To assist organizations in accomplishing independence and objectivity the IIA sets out mandatory guidelines that must be followed. At TechNet, we comply with those guidelines. Various controls and safeguards such as reporting relationships and segregation of duties are in place at TechNet to ensure independence. Independence requires that the internal audit activities are free from interference in determining the scope of the internal audit, freedom to perform the work and freedom to communicate the results. This requires the CAE to report to a level in the organization which would allow the internal audit activity the ability to perform these responsibilities. Standard 1110 states this independence can be achieved by the auditor functionally reporting to the board of directors. At TechNet, the CAE reports functionally to the audit committee which is made up of members of the board of directors that are external to the organization. As per IIA Practice Advisory 1110-1, this will allow for unrestricted internal audit coverage and helps to ensure audit recommendations are adequately acted upon. This functional reporting consists of the audit committee approving the Internal Audit Charter; the riskbased audit plan; the internal audit budget and resource requirements; and the CAEs appointment, removal and remuneration. The audit committee reviews the performance of the internal audit department as well as any scope and budgetary limitations that may impede the internal audit function. Administratively, the CAE reports to the CEO. This reporting relationship is strongly recommended by IIA Practice Advisory 1110-1. This administrative reporting relationship helps to facilitate the day to day operations of the internal audit department including management accounting, human resources administration, administration of the organizations policies and procedures and internal communications. By reporting to the 1

Assignment1TeresaRichardon1237669 CEO, threats to independence are reduced. The auditors are not threatened as may be the case if they reported to someone such as the Controller, for example, whose department they may be required to audit. Independence is also ensured by our Internal Audit Charter which does not allow internal auditors to undertake responsibility for functions that do not relate to assurance or consulting and are considered non-audit related. Standard 1130.A1 requires that internal auditors refrain from assessing specific operations for which they were responsible in the previous year. This segregation of duties helps to ensure independence of the audit function from operational departments. Independence refers to the environment the internal audit department functions within and can be successfully controlled with various safeguards. Standard 1120 requires internal auditors be impartial, unbiased attitude and avoid conflict of interest. This individual objectivity refers to a state of mind in which the auditor is neutral and free from bias or influence, there is an honest belief in the work performed and quality concessions are made. The individual auditor ultimately is accountable for objectivity making it a more complicated matter. The complexity of objectivity can be augmented in an organization such as TechNet where there is a high degree of competition fostered among various departments and internal auditors are often assigned from a pool of managers from the operating areas of the organization. There may be a perception that if an auditor is assigned from within the organization they may have cognitive biases or a pre-conceived prejudice fostered by the competitive nature of the organization. To ensure independence and objectivity threats are managed at the individual, engagement, functional and organizational levels. In addition to all audit staff receiving substantial training to recognize and mitigate threats to objectivity, the list below highlights some of the methods we use to ensure objectivity. Ive included the related IIA standard or practice advisory for reference. The CAE gathers information from staff pertaining to conflicts of interest that could impair objectivity of the internal auditor. Assignments are always prepared by the CAE with prevention of conflict of interest a consideration. Audit teams are engaged to perform audits versus individuals in order to balance out potential individual biases and audit staff is rotated and reassigned where feasible in order to prevent familiarity and potential biases (Practice Advisory 1120-1 paragraph 2). The CAE has set up a quality assurance and improvement program that covers all aspects of the internal audit function to ensure conformance to the standards (Standard 1310). Performance of the internal audit function is monitored on a daily basis as audits are executed. Various policies and practices are in place to ensure conformance (Standard 1311). A party outside of the internal audit function assesses conformance with the IIA standards at a minimum of every 5 years (Standard 1312). The results of internal and external assessments are communicated to the board upon completion and daily monitoring results are communicated to the board annually (Standard 1320).

Assignment1TeresaRichardon1237669 Auditor results are reviewed by the CAE before any communication is released (Practice Advisory 1120-1 paragraph 3). Internal auditors do not audit operations they were responsible for within the previous year. They can provide consulting services to these operations; if potential impairments exist relating to a consulting service, disclosure is made to the engagement customer before acceptance of the service (Standard 1130.A1). Audit staff can recommend standards for systems and procedures before implementation; but, they can not design, install or draft procedures. This prevents the threat of self-review (Practice Advisory 1120-1 paragraph 4). Internal auditors are not allowed to accept gifts that may create impairment or the appearance of impairment of their objectivity (Practice Advisory 1130-1, paragraph 4). Outsourcing will be undertaken if the threat to objectivity is sufficiently high. (Practice Advisory 1130.A2-1)

If impairment in organizational independence or individual objectivity exists in fact or appearance, the threat is assessed and mitigated if possible. If unresolved threats remain, the details must be disclosed to the appropriate individuals as described in the Internal Audit Charter. Auditors must report impairment to the CAE so the duties may be reassigned. Any scope limitations and their impacts are communicated in writing to the Board. As outlined above, the Internal Audit Department at TechNet puts a great deal of emphasis on independence and objectivity. This is evident in the strict adherence to the standards and guidelines of the International Standards for the Professional Practice of Internal Auditing. Our policies and procedures are designed to ensure the audit function is truly independent and objective. Any questions or concerns can be directed to the Chief Audit Executive.