Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.

Updating IIA Guidance on Continuous Auditing/Monitoring

Posted on Mar 8, 2010

Peter Millar (of ACL Services) is leading a small team (Brad Ames of HP and myself) in a project to update the Global Technology Audit Guide (GTAG) on Continuous Auditing. This is a routine update, such as we go through for all IIA guidance, but it provides the opportunity to upgrade the current guidance.


My Ideal Internal Audit Department

Posted on Mar 3, 2010

How about these as attributes of an ideal internal audit department?


What Is Assurance? Does Your Department Provide It?

Posted on Mar 1, 2010

I want to take two views in answering this question — the first is from day-to-day living, and the second is from The IIA's International Standards for the Professional Practice of Internal Auditing (Standards).


Please Provide Comments on the IIA Standards

Posted on Feb 20, 2010

The IIA has asked for input on the International Standards for the Professional Practice of Internal Auditing (Standards). You can access information here. I strongly support this initiative and ask that you provide your comments. 

King III: A Great Step for Corporate Governance?

Posted on Feb 19, 2010

Last year, the Institute of Directors in South Africa published the King Code of Governance for South Africa 2009 (King III). It is effective July 1, 2010. In my opinion, it was one of the most important advances in corporate governance in years. I am pleased that one of the contributors was IIA–South Africa.


What Is the Best Framework for Governance?

Posted on Feb 15, 2010

A reader asked me for a source of guidance on best governance practices, which she wanted for her U.S. company. Before I discuss how I answered, it is worth considering the plethora of frameworks and guidance.


Food for Thought on Risk Appetite

Posted on Feb 2, 2010

A friend of mine, Richard Anderson, has released a new paper on the topic of risk appetite. Richard is an expert on risk management, especially compared to me. True, I have implemented risk management at one company, run it at another, and assessed risks for management for many years as chief audit executive. But Richard not only has greater experience and insight but has been involved in major risk thought leadership for a long time. For example, he quotes from the BS31100 standard, which he developed, as defining risk appetite as the “amount and type of risk that an organization is prepared to seek, accept, or tolerate.”


Another Source of Information on Governance, Risk Management, and Internal Auditing

Posted on Feb 1, 2010

I appreciate the number of people who have taken the time to visit and read my comments on governance. Quite a few have gone to the next level and shared their insights and perspectives with the community, enriching the discussion.


Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls

Posted on Jan 22, 2010

The traditional approach to building the audit plan, consistent with what is described in PwC’s new paper Maximizing Internal Audit, is to identify the higher risks to the organization (including strategic, operational, as well as financial and reporting risks). The CAE then develops a plan to audit as many of those as he can given scarcity of resources and technical skills, etc.


A Closer Look at Governance

Posted on Jan 18, 2010

In my last blog, I promised a look at the elements of governance - a logical next step. Back in December 2007, in the "Governance Perspectives" column of Internal Auditor magazine, I wrote about auditing governance. The article included a sidebar that showed where I see the primary governance activities occurring. Today, I want to review that and go a little deeper. I will use a definition of governance as including the activities of the board and its committees, plus those of the internal audit function and an ethics/compliance officer.

 