1.
The decision of whether to establish and maintain an internal
audit function or outsource the function should be made by the
company’s board of directors and its representatives.
The SEC rule permits internal audit outsourcing to the client’s
independent auditor in the following areas:
1. Operational internal audits that are not related to internal
accounting controls, financial systems, or financial statements.
2. Nonrecurring assessment of discrete items or other programs
unrelated to outsourcing of the internal audit function.

2.
The audit committee can contribute to the success of internal auditors
and the achievement of their value-added activities by ensuring that they
have
1. Sufficient independence from management by reporting to and being
held accountable to the audit committee
2. Adequate resources, competence, and focus to assess the company’s
operational efficiency, internal control effectiveness, ERM, and reliability
of financial reports
3. Proper knowledge of the company’s corporate governance, internal
control, financial reporting, and audit activities
4. The mechanisms and confidence to bring forward controversial
financial reporting issues
5. A process for communicating directly with the company’s audit
committee on a regular and timely basis
6. Access to the audit committee to discuss concerns related to
management activities, financial reporting risk, and fraudulent financial
reporting
7. Audit committee approval of the budget and staffing of the internal
audit function.

3.
Step 1 Reevaluate the risk assessment
Step 2 Prevalidate stakeholder
expectations.
Step 3 Align the internal audit plan.
Step 4 Align resources, budget, and staff
skills.
Step 5 Rearticulate the internal audit
charter.
Step 6 Measure results.