IAFs in the public sector have various customers (see section 2.6) who can benefit from their services (see section 2.7). These customers therefore have specific expectations of the IAF (see section 2.8). In terms of the PFMA, the MFMA and the Treasury Regulations, the IAF represents a major source of information to the AC on the performance of public service institutions (RSA, 1999:s 77; RSA, 2003a:s 166(3)(b); RSA, 2005:para 3.2). The IAF should assist the executive management of a public service institution (AO), its team of senior managers, and the AC in achieving the objectives of the public service institution by maintaining efficient and effective controls, providing assurance, and making recommendations for improvement and enhancement of the organisation’s operations (RSA, 1999:ss 76 & 77; RSA, 2003a:s 60; RSA, 2005:para 3.2). The IAF should make recommendations to operating management which result in the improvement of the public service institution’s operational effectiveness (Anderson, 2003:99). The AGSA can rely on the work of the IAF for purposes of the external audit of a public service institution (SAICA, 2012/2013:ISA 610 para A6). Although operating employees in a public service institution are not directly responsible for implementing the IAF’s
68
recommendations (Sawyer, et al. 2003:1225), they are influenced by the implementation of the IAF’s recommendations (Van der Schyf, 2000:175).
Zomerdijk and De Vries (2007:108-109) argue that the delivery of many services cannot take place without the presence of the customer and their interaction with, and participation in, the service delivery systems. It is therefore necessary to exemplify and exhibit the linkage between the IAF customers and the criteria used by them to assess satisfaction with the services of the IAF in the public service institution.
The study on the service delivery system conducted by Ponsignon, Smart and Maull (2011:339) found that satisfactory customer relationships were contingent on the complexity of the service offerings, the required level of technical and interpersonal skills on the part of both customer and IAF, the extent of employee discretion regarding implementation of recommendations, the potential for automation, and the degree of routine in the service delivery system. Ponsignon, et al. (2011:339) therefore suggest that customers need to outline their requirements, translate them into an agreement, and negotiate these terms and conditions with the service provider.
The IAF in public service institutions is directed and guided by legislation and regulations including the Treasury Regulations, the PFMA, the MFMA, the Constitution, the White Paper on Transforming Public Service Delivery, the Public Service Regulations, the internal audit charters, and the IPPF (RSA, 2009a:2). Collectively these legislation and regulations are intended to enhance the quality of service delivery in public service institutions. IAF customers can therefore use them to assess the services being provided by an IAF.
3.4.1 The audit committee
Based on an analysis of customer expectations and perceptions, Sarens and De Beelde (2006a:18) indicate that the AC sees the IAF as a vital source of information, compensating for its own lack of first-hand information about the organisation. Hence it is the task of the AC to measure the contributions demonstrated and
69
communicated to them by the IAF. Hermanson and Rittenberg (2003:33) suggest that the AC should independently measure the work of the IAF on the provision of assurance regarding controls. As far as measuring satisfaction is concerned, Sawyer, et al. (2003:1334-1335) argue that the AC should establish whether the CAE has:
reviewed the AC charter at least annually and advised the AC on whether the charter addresses all responsibilities directed to the AC in terms of its mandate;
reviewed the planning agenda for the AC's meeting to ascertain whether all required activities have been detailed and completed;
drafted the AC's meeting agenda for the chairperson’s review;
assessed whether the IAF has facilitated the distribution of the meeting material to the AC;
encouraged the AC to conduct periodic reviews of its activities and practices to ensure that its activities are consistent with leading (global best) practices;
assessed whether the IAF is able to meet periodically with the chairperson of the AC to discuss whether the materials and information being furnished to the AC are meeting its needs;
assessed whether the IAF has inquired from the AC if any educational or information sessions or presentations would be helpful, such as training new AC members on risk and controls; and
assessed whether the IAF has asked the AC whether the frequency and time allotted to the AC are sufficient.
One criterion used by customers to measure satisfaction with the IAF is to consider the value added by the IAF (Bou-Raad, 2000; KPMG, 2008; Barac, Plant &
70
Motubatse, 2009). According to the IIA (2010a), it is critical for IAF customers throughout the organisation to understand the value that an IAF adds to operations by identifying opportunities for enhancing efficiencies and effectiveness. The AC can play a role in elevating the image of the IAF by ensuring that it is not misunderstood in the context of adding value. The importance of this role is reinforced by the fact that the IIA has published a checklist of points to be considered by the AC when assessing the value added by the IAF (IIA, 2010a):
“the AC engages in an open, transparent relationship with the CAE;
the AC reviews and approves the internal audit charter annually;
the AC has a clear understanding of the strengths and weaknesses of the organisation’s internal control and risk management systems as a result of discussions with the CAE;
the IAF is sufficiently resourced with competent, objective professionals to execute the internal audit plan, which has been reviewed and approved by the AC;
the IAF is empowered to be independent by appropriate reporting relationships to executive management and the AC;
the AC consults with the CAE on all issues relating to internal auditor independence and objectivity;
the IAF is quality oriented and has in place a quality assurance and improvement programme;
the AC regularly communicates with the CAE about the performance and possible points of improvement of the CAE and the IAF;
71
the AC meets periodically with the CAE without the presence of management.”
Assessing satisfaction with the IAF’s work using the above checklist could be regarded as a means to measure the meeting of customer expectations. The IIA (2010a) has developed the following list of questions that should be answered as part of the process of measuring the AC’s satisfaction with the IAF’s work:
“Does the IAF have a quality assurance and improvement programme in place?
Has the IAF performed its work in accordance with its charter?
Do the internal auditors adhere to the IIA’s Code of Ethics?
Is the IAF’s conduct in accordance with the Standards?
Does the IAF operate effectively and efficiently?
Is the staff size adequate?
Are the existing skill sets appropriate?
Does the IAF contribute to the improvement of organisational operations and do IAF customers perceive it as adding value?
Does the IAF have the tools and other resources it needs?
Does the IAF engage in ongoing internal reviews and analyses regarding supervision, documentation, policies and procedures?
Does the IAF engage in periodic reviews that include customer surveys, risk assessments, working paper reviews and analysis of performance metrics, and best practice benchmarking?
72
Do members of the internal audit team participate in professional development training?
Have internal audit team members acquired professional designations that demonstrate their competency?
Has the IAF obtained an independent external quality assessment in the past five years?”
In relation to the above considerations, Van der Nest, Thronhill and De Jager’s (2008:548) study on ACs and accountability in South African public service institutions recommends that the AC should consider other factors as well, namely: the audit process, the internal auditors' mission, the external auditors' expectations, collaboration and communication with other parties, and the IAF’s findings and recommendations.
3.4.2 Executive and senior management
The preceding section discussed the AC's criteria for measuring satisfaction with the IAF’s services. The focus now turns to the executive and senior management’s approach to measuring the IAF’s performance. The literature indicates that executive and senior management in the public sector look to the IAF for assurance that the business activities meet the legislative mandate as stipulated in section 2.3; they expect the IAF to provide them with ideas that will help them drive the organisation's performance in line with the strategy and service delivery model (Turner, [sa]).
Executive and senior management can use responses to the following questions as criteria to measure whether their expectations of the IAF’s work are being met (Turner, [sa]):
73
“Are the IAF activities aligned to the organisation’s goals and objectives?
Is the role of the IAF periodically reviewed to assess whether it has accommodated changes to business and global events?
Does the IAF understand the business, its key drivers and the impact of developments on the organisation’s risk profile?
Does the IAF consult effectively with executive and senior management, staff and other key customers, and does it contribute ideas and give advice on an ongoing basis?
Does the IAF elevate the focus of its activities to strategic decision making and broader risk management strategies?
Does the IAF provide broader information on and a deeper insight into emerging governance, risk and control issues in a timely manner?
Does the IAF deliver what it promises?”
The above-mentioned criteria are in line with the administrative reporting relationships between the IAF and executive and senior management, as recommended in Practice Advisory 1110-1 of the Standard, Organisational Independence (IIA, 2009a).
3.4.3 Programme and operating management
Programme and operating management can consider the processes the IAF uses for activities such as planning, conducting their work and reporting as criteria to evaluate whether their expectations of the work of the IAF are being met. Therefore, programme and operating management in the public sector assess the IAF against their proposed operational plan.
74
It is essential for the programme and operating management to understand the basic phases of the IAF’s work. The National Treasury has developed an internal audit framework to serve as a reference source to ensure that IAFs comply with the requirements of the legislative framework (RSA, 2009a:2). Programme and operating management expect the IAF to consult with them and seek their inputs and understanding in order to improve the functioning of their programmes and sections. Sawyer, et al. (2003:1238) therefore suggests that internal auditors should demonstrate their consultative attitudes to programme and operating management by fulfilling a consultative and participative role.
3.4.4 External auditors
In South African public service institutions, the external audit function is discharged by the AGSA in terms of the Public Audit Act 25 of 2004 (RSA, 2004). External auditors measure whether an IAF meets their expectations by determining whether they can rely on the work of the IAF. The standard which external auditors use to determine whether such reliance is possible, ISA 610 Using the work of internal auditors (SAICA, 2012/2013), was discussed in section 2.8.4. Gray and Hunton (2011:7), Desai, Roberts and Srivastava (2005:21) and Krishnamoorty (2002:96) concur with this standard, arguing that the IAF should be evaluated on its objectivity, competence and performance of its work. Mihret and Yismaw (2007:474) also agree with ISA 610, that the quality of an IAF is measured by its ability to produce useful findings and recommendations. In their study on the evaluation of IAFs by external auditors, Desai, et al. (2010:543-544) argue that if one of the three criteria (competence, work performance and objectivity) is not satisfied, external auditors will place no reliance on the work performed by an IAF. Fourie (2007/8:45-46) cautions that internal auditors in South Africa do not possess adequate communication skills to ensure that their responsibilities are performed adequately, which could have an impact on external auditors’ reliance on the work of the IAF.
Desai, et al. (2010:545-548) emphasise the need for sustained communication between internal and external auditors. This is confirmed by Yee, Sujan, James and Leung (2008:157), who state that interaction is needed when an IAF has to be assessed by the external auditors in order to determine the degree of reliance that
75
can be placed on the internal audit findings. In their study of IAF characteristics, Ho and Hutchinson (2010:124-125) suggest that the external auditors’ evaluation of the IAF’s competence should include determining whether an IAF training programme exists, and an assessment of the internal auditors’ experience and educational backgrounds.
In accordance with ISA 610 (SAICA, 2012/2013:ISA 610 para 11), external auditors may use the work of internal auditors, provided that external auditors evaluate that work and perform audit procedures on that work to determine its adequacy for external audit purposes. To ensure that the work of internal audit is adequate, the work should be performed by staff with the proper technical training and proficiency as internal auditors; the work should be properly supervised, reviewed and documented; adequate audit evidence should be obtained to form a reasonable basis for the conclusions drawn by the internal auditors; the conclusions drawn should be appropriate, and the reports by the internal auditors should be consistent with the results of the work performed. Any exceptions or unusual matters disclosed by the internal auditors should be properly resolved (SAICA, 2012/2013:ISA 610 para 12).
Standard 2400, Communicating Results (IIA, 2009a) specifies that the IAF should communicate its results promptly. This indicates that the external auditors, as customers of the IAF, should have timeous access to the information in the form of an internal audit report. This interpretation of Standard 2400 is confirmed by the Practice Advisory 2050-1 (IIA, 2009a), which requires the CAE to supply sufficient information to enable external auditors to understand the internal auditors’ techniques, methods and terminology, in order to facilitate reliance by external auditors on the work performed by internal auditors.
Protiviti Inc (2009) developed a list of criteria that external auditors could use to evaluate an IAF. Their criteria address and meet the following requirements of ISA 610 (SAICA, 2012/2013):
76
whether the IAF reports to an officer of sufficient status to ensure broader coverage and adequate consideration of and action on the findings and recommendations of the IAF;
whether the IAF has direct access and reports regularly to those charged with governance;
whether those charged with governance oversee employment decisions relating to the IAF;
whether the educational level and professional experiences of internal auditors are adequate;
whether the internal auditors are maintaining their professional certification and continuing education; and
whether the internal auditors produce high-quality working papers, reports and recommendations.
3.4.5 Operating employees
According to Sawyer, et al. (2003:1224), operating employees are usually below, and report to, the operating management echelons of the organisation. These employees (as discussed in section 2.8.5) are the organisation’s workforce. Their job is to assist programme and operating management to improve their efficiency and effectiveness. Operating employees could ask the following questions to measure whether the IAF meets their expectations (Sawyer, et al. 2003:1225):
Has the audit made a meaningful contribution to the organisation’s operating functions?
77
Were the internal audit recommendations a result of a joint effort by the operating employees and the internal auditors?
Were the internal auditors careful not to disrupt operations?
Did the internal auditors show respect for the operating employees’ expertise during the audit?