
Define and assign the internal audit manager's roles and responsibilities.


CONTROL ID: 00680
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Define the roles and responsibilities for personnel assigned to tasks in the Audit function. (CC ID: 00678)

This Control has the following implementation support Control(s):
  • Report audit findings by the internal audit manager directly to senior management. (CC ID: 01152)
  • Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. (CC ID: 01186)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • An example of a function that non-significant firms can outsource is internal audit. Firms that elect to do so are not required to have an individual approved as the Head of Internal Audit Senior Management Function (SMF5) under the SM&CR, but must allocate a Prescribed Responsibility for overseeing… (§ 3.12, SS2/21 Outsourcing and third party risk management, March 2021)
  • The accounting officer (AO) is responsible for ensuring that information risks are assessed and corrected to a level that is acceptable. The accounting officer is responsible for the following: • Leading and fostering a culture that protects, values, and uses information for the public good. This … (Accounting Officer, Guidance on Mandatory Roles (AO, SIRO, IAO), March 2009)
  • (¶ 2.2, Smith Guidance on Audit Committees, UK FRC, January 2003)
  • Risk-based plans should be developed by Chief Audit Executives (CAEs) at least annually to determine the internal audit activity's priorities and they should be consistent with the goals and strategies. The audit group that will be responsible for planning and overseeing the business application aud… (§ 2 ¶ 1, § 4.8 ¶ 1, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Executive management should be encouraged by the Chief Audit Executive (CAE) to address how the organization controls, manages, and protects collected personal information with the audit committee. When managing the audit function, the CAE must take a significant amount of privacy issues and ramific… (§ 2.2 (Privacy Controls) ¶ 1, § 5.8 ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Chief Audit Executives (CAE) must assign an appropriate number of auditors that have the necessary skills and experience to conduct the audit. When auditors are assigned to an audit on a full-time basis, the CAE should assign his/her current duties to another person, so the assigned auditor can focu… (§ 2 (Design of Controls), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The Internal Audit Manager should be responsible for conducting unannounced compliance audits; investigating suspected computer crimes; ensuring audit trails are implemented; ensuring implemented controls are effective and adequate; inspecting reports to determine if a crime has occurred; and review… (Pg 12-II-37, Protection of Assets Manual, ASIS International)
  • Security audits should be validated by competent individuals. (SI.01.01.03h, The Standard of Good Practice for Information Security)
  • Security audits should be validated by competent individuals. (SI.01.01.03h, The Standard of Good Practice for Information Security, 2013)
  • ensuring the selection of audit teams and the overall competence for the auditing activities by assigning roles, responsibilities and authorities, and supporting leadership, as appropriate; (§ 5.4.1 ¶ 1(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • An audit team should be selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader. (§ 5.5.4 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should assign the responsibility for conducting the individual audit to an audit team leader. (§ 5.5.5 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The assignment should be made in sufficient time before the scheduled date of the audit, in order to ensure the effective planning of the audit. (§ 5.5.5 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Verify that the practitioner in charge of the engagement has an understanding of the role of the organization's quality control system. (Ques. AT411 Item 1, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Independence – In order to ensure that internal auditors remain objective, the internal audit function must be organizationally independent. Specifically, the internal audit function will not defer ultimate judgment on audit matters to others, and shall appoint an individual to head the internal a… (Section 15.C., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The internal audit manager should be appointed by the Board of Directors or audit committee, be a member of management, have audit expertise, and be independent of the organization's operations. The internal audit manager should be responsible for implementing the audit policies and procedures; comm… (Pg 4, Pg 5, Pg 17, FFIEC IT Examination Handbook - Audit, August 2003)