Practices/Back to Basics
June 2017 16 Internal audItor
To commen T on this article,
email the author at firstname.lastname@example.org
praise or criticize the audit team, regardless of how the team
Key Stakeholder Surveys
Managers over the areas where assurance or advisory activities
are being provided are not the most important customer of the
audit. First and foremost, internal audit serves the needs of the
audit committee, followed closely by executive management.
To ensure it’s meeting key stakeholder needs, the department
should have a mechanism in place such as a “Key Stakeholder
Survey” (see on this page).
By surveying key stakeholders, the audit department
can assess whether it is addressing Standards 2010: Planning,
2110: Governance, 2120: Risk Management, and 2420:
Quality of Communications. The audit committee and executive management are in the best position to provide insight
into the effectiveness of the department in addressing these
standards as they consider the overall audit plan and results
communicated throughout the year. While survey questions
related to these standards can be asked of management over
each audit area, key stakeholders see the broader value audits
bring to the organization as a whole.
Using another department such as Communications
or a third party and making the survey anonymous will
Statements should be ranked and opportunity for
» Internal audit is independent and objective in performing its work.
» Internal audit possesses the knowledge and skills,
such as insurance industry knowledge and technology skills, needed to perform its responsibilities.
» Internal audit understands company business operations and strategy.
» The audit plan is risk-based.
» I receive adequate updates on the progress of
achieving the audit plan.
» Internal audit evaluates risk exposures and the adequacy and effectiveness of related controls regarding:
» Achievement of strategic objectives.
» Reliability and integrity of financial and operational information.
» Effectiveness and efficiency of operations and
» Compliance with laws, regulations, policies, procedures, and contracts.
» Safeguarding of assets.
improve the chances that key stakeholders will be more
candid. Survey results should be shared with the audit
committee, executive management, and external audit.
Scores that are less than desirable, or comments that may
indicate improvement opportunities, should be discussed
along with action plans. These plans should be tracked
with progress reported periodically to the audit committee
and executive management.
Create a Repeatable Process
Performing key stakeholder surveys regularly, ideally annually, helps the CAE more quickly identify areas of concern
rather than waiting for them to surface as part of an external
quality assessment review or, worse yet, from complaints that
may go to the audit committee regarding the department.
While many management surveys are performed at the
conclusion of each assurance or advisory activity, these surveys
may not provide feedback from the most important group of
customers. Departments should create a repeatable process
to survey the audit committee, executive management, and
external audit and incorporate this into their QAIP.
Se Th DaviS, cia, cPa, cFSa, ciSa, is vice president of
internal audit at RLI Insurance in Peoria, Ill.
» Internal audit adequately assesses and provides
appropriate recommendations for helping improve
the governance process at the organization,
» Promoting appropriate ethics and values within
» Ensuring effective organizational performance
management and accountability.
» Communicating risk and control information to
appropriate areas of the organization.
» Coordinating the activities of and communicating
information among the board, external auditors,
» Internal audit reports and communications are clear,
accurate, and issued timely.
» The conclusions reached in audit reports and the
opinions rendered are appropriate.
» Internal audit shares information and coordinates
activities with other internal and external providers of assurance and advisory activities to ensure
adequate coverage and minimize any duplication
KEy STAKEholdER SuRvEy