AUI4861 Advanced Internal Audit Practice ASSIGNMENT 02 Due date: 5 August 2013 Unique number: 716653 Student number:

: 46433597 Name and last name: Byron Jason

Question 1 1.1 List the characteristics of sound governance and describe the nature thereof. The King Report on Corporate Governance for South Africa identified seven primary characteristics of good governance: Discipline this is the commitment by the organisations senior management to widely accepted standards of correct and proper behaviour that is universally accepted. Transparency is the measure of ease with which an outsider can meaningfully analyse the organisations actions and performance Companies should make this information available in timely and accurate press releases to give outsiders a true picture of what is happening within the company. Independence - the extent to which conflicts of interest are avoided, such that the organisations best interests prevail at all times. For good corporate governance, it is important that all decisions are made objectively with the best interest of the organisation in mind and without any undue influence from large shareholders or an overbearing chief executive officer. This requires putting in place mechanisms such as having a diversified board of directors and external auditors to avoid any potential conflict of interest. Accountability - addressing shareholders rights to receive, and if necessary query, information relating to the stewardship of the organisations assets and its performance. Those people who make decisions in the organisation should be held accountable for their decisions, and mechanisms must exist to allow effective accountability. Responsibility this is the acceptance of all consequences of the organisations behaviour and actions, including a commitment to improvement where required Management must be responsible for their behaviour and must have means for penalising mismanagement. It also means putting in place a system that puts the company on the right path when things go wrong. Fairness This is the acknowledgement of, respect for and balances between the rights and interests of the organisations various stakeholders The organisation should be fair and balanced and take into account the interests of all the companys stakeholders. The rights of each of the organisations stakeh olders must be recognised and respected.

Social responsibility this is the organisations demonstrable commitment to ethical standards and its appreciation of the social, environmental, and economic impact of its activities on the communities in which it operates A well-managed organisation must also be ethical and responsible with regard to environmental and human rights issues. A socially responsible organisation would be non-exploitative and non-discriminatory. 1.2 Discuss whether Biggest Trucks Ltd should strive to comply with the recommendations of the King 3 report, with particular reference to the regulatory requirements and also indicate which principles will then be achieved. Yes, Biggest Trusts should strive to comply with King 3. All companies that are listed on the Johannesburg Securities Exchange must comply with King 3 or explain why they have not. Because Biggest Trucks is listed on the JSE there are mandatory requirements that it needs to comply with. There must be a policy detailing the procedures for the appointment of board members The appointments must be formal and transparent and a matter for the board as a whole, assisted where appropriate by a nomination committee If a nomination committee is appointed the committee must only consist of independent non-executive directors There must be a policy evidencing a clear balance of power and authority at board level to ensure that no one director has unfettered powers. The company must have a CEO and a Chairman, and must not be held by the same person. The chairman must be an independent non-executive The board must appoint an audit committee The board must appoint a remuneration committee The composition of the committee must be disclosed with a description of the mandate A CV of each director standing election or re-election must be accompany relevant notice of meeting Capacity of non-executive and executive directors must be categorised and disclosed in the relevant documentation There must be a full time executive financial director The audit committee must on an annual basis consider and satisfy itself of the appropriateness of experience of the financial director and it should be reported in the annual report.

By striving to comply with the governance principle of King 3, the board will create a strong culture in which investors like and would invest in Biggest Trucks Ltd, it will also satisfy the shareholders. The key principles that should be met is Leadership, Corporate Citizenship and Sustainability. 1.3 With reference to the King 3 report, make recommendations for the establishment of an appropriate governance structure for Biggest Trucks Ltd. King 3 states: 1. Ethical Leadership and corporate citizenship The board should provide effective leadership based on an ethical foundation The board should ensure that the company is and is seen to be a responsible corporate citizen The board should ensure that the companys ethics are managed effectively

2. Board and Directors The board should act as the focal point for and custodian of corporate governance The board should appreciate that strategy, risk, performance and sustainability are inseparable The board should provide effective leadership based on an ethical foundation The board should ensure that the company is and is seen to be a responsible corporate citizen The board should ensure that the companys ethics are managed effectively The board should ensure that the company has an effective and independent audit committee The board should be responsible for the governance of risk The board should be responsible for information technology (IT) governance The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards The board should ensure that there is an effective risk-based internal audit The board should appreciate that stakeholders perceptions affect the companys reputation The board should ensure the integrity of the companys integrated report The board should report on the effectiveness of the companys system of internal controls The board and its directors should act in the best interests of the company The board should consider business rescue proceedings or other turnaround mechanisms as soon as the company is financially distressed as defined in the Act

The board should elect a chairman of the board who is an independent nonexecutive director. The CEO of the company should not also fulfil the role of chairman of the board. The board should appoint the chief executive officer and establish a framework for the delegation of authority The board should comprise a balance of power, with a majority of nonexecutive directors. The majority of non-executive directors should be independent Directors should be appointed through a formal process The induction of and on-going training and development of directors should be conducted through formal processes The board should be assisted by a competent, suitably qualified and experienced company secretary The evaluation of the board, its committees and the individual directors should be performed every year The board should delegate certain functions to well-structured committees but without abdicating its own responsibilities A governance framework should be agreed between the group and its subsidiary boards Companies should remunerate directors and executives fairly and responsibly Companies should disclose the remuneration of each individual director and certain senior executives Shareholders should approve the companys remuneration policy

3. Audit Committee With regards to the Audit Committee, King 3 states that all members of the audit committee must be independent non-executive directors. Biggest truck Ltd has the former CEO, the Managing director and the financial director on the audit committee therefore the Audit Committee is not independent. The audit committee must consist of at least 3 member s no more than six, and all members must be independent non-executive directors. Each member should be independent and financially literate and one member of the board should be designated a financial expert. Biggest Trucks Ltd will have to appoint non-executive directors. Mr Lightning Macqueen should not be a member of the audit committee, even though he is no longer the CEO of Biggest Trucks, He would not be considered independent as he was the CEO in the prior financial year. As the Audit committee stands at present, the audit committee can serve no useful purpose and therefore does not contribute to corporate governance because of its lack of independence. The audit committee should be chaired by an independent non-executive director

The audit committee should oversee integrated reporting The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities The audit committee should satisfy itself of the expertise, resources and experience of the companys finance function The audit committee should be responsible for overseeing of internal audit The audit committee should be an integral component of the risk management process The audit committee is responsible for recommending the appointment of the external auditor and overseeing the external audit process The audit committee should report to the board and shareholders on how it has discharged its duties

4. The Governance of Risk The board should be responsible for the governance of risk The board should determine the levels of risk tolerance. The risk committee or audit committee should assist the board in carrying out its risk responsibilities The board should delegate to management the responsibility to design, implement and monitor the risk management plan The board should ensure that risk assessments are performed on a continual basis The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks The board should ensure that management considers and implements appropriate risk responses The board should ensure continual risk monitoring by management The board should receive assurance regarding the effectiveness of the risk management process The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders

5. The Governance of Information Technology The board should be responsible for information technology (IT) governance IT should be aligned with the performance and sustainability objectives of the company The board should delegate to management the responsibility for the implementation of an IT governance framework The board should monitor and evaluate significant IT investments and expenditure IT should form an integral part of the companys risk management The board should ensure that information assets are managed effectively

A risk committee and audit committee should assist the board in carrying out its IT responsibilities

6. Compliance with laws, codes, rules, and standards The board should ensure that the company complies with applicable laws and considers adherence to nonbinding rules codes and standards The board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business Compliance risk should form an integral part of the companys risk management process The board should delegate to management the implementation of an effective compliance framework and processes

7. Internal Audit The board should ensure that there is an effective risk based internal audit Internal audit should follow a risk based approach to its plan Internal audit should provide a written assessment of the effectiveness of the companys system of internal controls and risk management The audit committee should be responsible for overseeing internal audit Internal audit should be strategically positioned to achieve its objectives

8. Governing Stakeholder Relationships The board should appreciate that stakeholders perceptions affect a companys reputation The board should delegate to management to proactively deal with stakeholder relationships The board should strive to achieve the appropriate balance between its various stakeholder groupings, in the best interests of the company Companies should ensure the equitable treatment of shareholders Transparent and effective communication with stakeholders is essential for building and maintaining their trust and confidence The board should ensure that disputes are resolved as effectively, efficiently and expeditiously as possible

9. Integrated Reporting and disclosure The board should ensure the integrity of the companys integrated report Sustainability reporting and disclosure should be integrated with the companys financial reporting Sustainability reporting and disclosure should be independently assured

1.4 With reference to the International Professional Practice Framework (IPPF), indicate what the CAEs responsibilities are with regards to the planning of the internal audit activity. Standard 2010 Planning states that the chief audit executive must establish risk based plans to determine the priorities of the internal audit activity, consistent with the organisations goals. The CAE is responsible for developing a risk based plan. The CAE must take into account the organisations risk management framework, including using risk appetite levels set by management for different activities or parts of the organisation. If a framework does not exist the CAE should use their own judgement of risks after consultation with senior management and the board. The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions. The CAE must communicate the internal audit activities plans and resource requirements to senior management and the board. CAEs are appointed in organisations are charged with the overall management responsibility for the IAA. The appointment of the CAE is the responsibility of the audit committee and board of directors. The CAE should have dual reporting responsibility, reporting administratively to the CEO and functionally to the audit committee. The purpose and authority of the IAA should be defined in the internal audit charter Aligning IAA objectives with the organisation objectives The CAE is expected to ensure that the objectives of the IIA are fully consistent with those of the organisation. In this way the CAE, will be ensuring that the IAA is relevant to the organisation and working towards the achievement of the overall organisational objectives. The IAA cannot afford to find itself having conflicting objectives with the overall objectives of the organisation, IF the IAA is to be taken seriously by management, it should be viewed to be contributing to the overall achievement of the organisations objectives. Developing the Internal Audit Charter The CAE should prepare an internal audit charter which sets out the scope, reporting lines and status of the IAA. This charter should be approved by the audit committee and the board of directors and it should be communicated to management in order to manage the different expectations from management as to what the IAA is expected to do.

Developing the internal audit manual The CAE should develop the internal audit manual which sets out the required standards of performance and the audit processes. This manual can also be used as a means of monitoring quality of performance. Continuous responsibilities of the CAE involve the following: Planning: The CAE has to plan the activities of the IAA and also he individual internal audit engagements. Audit Risk Assessment: The prime responsibility for assessing and managing risks lies with top management of the organisation and is delivered through the actions of executive managers, The risk assessment here refers to the internal audit planning, but if internal audit has been involved with risk assessment on behalf of the board there can be one risk assessment for all purposes. It is equally important for the CAE to understand the risk management processes. The CAE may assist management to identify and assess risks. Staff and management resource: The CAE should ensure that internal audit staff are being taken care of and are well managed. Effective management of the internal audit staff can result in an effective IAA, which is highly regarded within a organisation. The success of an IAA is based on the quality and motivation of its staff. It is for the CAE to establish an organisation which recognises and deals with these important aspects. Training and Development: The CAE should ensure that the IAA is equipped with skilled and sufficiently trained internal auditors. The CAE should ensure that his staff component has sufficient understanding of management principles, business risks and business processes, and that they understand the essentials of accounting, law , taxation and finance and that all auditors are computer literate. Performance Management: For the IAA to be effective there should be systems and processes in place to identify poor performance and manage and improve performance. The CAE is responsible for he IAAs performance management. Co-ordination with external audit and other assurance providers: The CAE should ensure , jointly with the external auditor or other assurance providers such as quality auditors, that the internal audit and other assurance providers work is properly coordinated to achieve the best coverage and avoid duplication. 1.5 Discuss the requirements of the International Professional Practice Framework (IPPF) with regard to resource management that should be kept in mind when appointing three new internal audit members.

2030 (Resource Management) The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. The chief audit executive (CAE) is primarily responsible for the sufficiency and management of internal audit resources in a manner that ensures the fulfilment of internal audits responsibilities, as detailed in the internal audit charter. This includes effective communication of resource needs and reporting of status to senior management and the board. Internal audit resources may include employees, external service providers, financial support, and technology-based audit techniques. Ensuring the adequacy of internal audit resources is ultimately a responsibility of the organizations senior management and board; the CAE should assist them in discharging this responsibility Standard 2030 Resources in the IPPF states that the chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. This means that there should be an appropriate mix of knowledge and skills needed to perform the plan and sufficient quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. The skills, capabilities, and technical knowledge of the internal audit staff are to be appropriate for the planned activities. The CAE must conduct a periodic skills assessment to determine the specific skills required to perform the internal audit activities. The skills assessment should be based on and consider various needs identified in the risk assessment and audit plan. The CAE needs to assign internal auditors who are competent and qualified for specific assignments. The CAE should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. The internal audit staff should possess all the different skills, knowledge and competencies. Internal auditors should be selected on qualifications and competencies regarding the areas audited and cannot be placed in a position without considering the evaluation of the nature and complexity of the engagement assignment, time constraints, and available resources. Training needs of internal auditors should be considered since each engagement serves as a basis for meeting developmental needs of the IIA.

Consideration should be given to the use of external resources in instances where additional knowledge, skills, and other competencies are needed. 1.6 With reference to the supervisory responsibilities addressed in Standard 2340: Engagement Supervision, discuss whether or not the CAE can delegate this supervisory responsibility to the new internal audit staff members. Standards 2340 Engagement Supervision states that: Engagements must be properly supervises to ensure objectives are achieved, quality is assured, and staff is developed. The extent of supervision will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may be designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision must be documented and retained. When the CAE delegates his duties he/she is still held responsible. Question 2 Part A 2.1 Discuss arguments favouring outsourcing the internal audit activity as well as arguments favouring an in-house internal audit activity. Outsourcing Internal Audit 1. The organisation will have immediate service to internal audit. 2. The organisation will have more resources to spend on its core business function, instead of hiring full time internal audit staff. 3. Outsourced internal auditors may be more independent and unaffected by office politics and therefore, may be discharging their responsibility more effectively. 4. By outsourcing the IAA, the organisation will pay only for the services they utilise; therefore costs become a variable instead of a constant. (i.e. if company pays for what it needs and uses) 5. Using outsourced contractors (especially multinational service providers) can provide greater flexibility, especially for a company that is geographically dispersed. 6. Outsourcing is often performed by reputable professionals who can provide a reasonable degree of quality. 7. Specialist consultancy firms can give you the range of skills that you wont find in one person. For example, you may not only need an accountant but also an information technology or human resources expert 8. Easy replacement of internal auditor in case of results not being achieved

In-House Internal Audit 1. By having an in house IAA, the company accountability is enhanced as issues are attended to on a regular basis. 2. To ensure independence the in house IAA is separated from operational departments. 3. In house internal auditors immediately notify management if and when serious findings and observations are made. 4. In case of an in house IAA, the audit documentation is on site. This minimises the risk of losing valuable company information. 5. In house IAA also allows for the flexibility to change audit focus with a changing risk environment. 6. Employees earn a salary instead of paid hourly; therefore, staff costs can be predicted in advance. 2.2 Explain to Mr Sebola why you regard the outsourcing of the internal audit activity to be the best option. It would be best to outsource the internal audit activity, because the stakeholders are requesting that organisation establishes one, and since the organisation has never had an internal audit function, it will take a while to set up the function and get the required skill that the internal audit activity needs. With an outsourced internal audit activity it is easy to establish authority and independence. By outsourcing the internal audit activity, Kgosi Limited, will be able to get immediate service from a specialist consulting firm. Outsourcing will expose the organisation to a greater degree of quality and best practices that the service provider would have attained elsewhere. Then internal audit expenditure will be a variable and not a fixed cost and the service provider will be more independent and objective. By outsourcing the internal audit activity, the internal audit projects may actually improve the quality of the audit because companies can employ external individuals/ firms that have advanced degrees and technological specialisation to provide the required service. By outsourcing the internal audit activity Kgosi Ltd can get internal auditors with specific knowledge of departments and functions from the outsourced firm based on the function being audited. Also the replacement of internal auditor in case of results not being achieved is easier than having to fire permanent staff. The fact that Mr Sebolas company is still at its early days of operation. It would be the best option to outsource the internal audit activity. Mr Sebola is probably still learning the dynamics of the business and industry that he is in

 The company is relatively new and can benefit significantly from established outsourced internal audit providers, as they can bring in the best practice experiences learnt elsewhere. Owing to the size of the company, it will be compelled to establish a one-person or two-person internal audit activity, and it will therefore be difficult to build internal audit expertise. The company can save money, as it will not incur the cost of training internal auditors. The cost of outsourced internal audit service is variable and not constant. The external service providers will be able to cover a broader scope of work, such as operational audits, information system audits and forensic audits, whereas a small in-house activity may not. Top management will be released to focus on key business activities while they are growing the business. Management will not have to deal with internal audit staff issues such as payroll administration. The independence and administration of the internal audit activity may be compromised in a small organisation, as there are no proper governance structures in place. Outsourced internal audit providers may be more independent and not be affected by office politics.

Part B Violated Standard or Component of the Code of Ethics 1. Confidentiality

Explanation of the violation Peter informs family and friends about confidential information.

Professional practice requirement

Internal auditors should respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. The Code of ethics states: Internal auditors Shall be prudent in the use and protection of information acquired in the course of their duties. Shall not use information for any personal gain in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.

2. Objectivity and Integrity

George does not report fraudulent activities and he is willing to accept a bribe.

Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review. Internal Auditors: Exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgement. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. Shall not accept anything that may impair or be presumed to impair their professional judgement. Internal Auditors Shall observe the law and make

3. Performance Standard 2000 and Competence

The Chief Audit Executive was appointed because of nepotism and the Chief Audit Executive does not have the necessary competencies to perform the role.

disclosures expected by the law and the profession. Shall not knowingly be a party to any illegal activity, or engage in any acts that are discreditable to the profession of internal auditing Shall respect and contribute to the legitimate and ethical objectives of the organisation Shall perform their work with honesty, diligence and responsibility The Chief Audit Executive must effectively manage the Internal Audit Activity to ensure it adds value to the organisation. The internal audit activity is effectively managed when. The results of the internal audit activities work achieve the purpose and responsibility included in the internal audit charter The internal audit activity conforms to the definition of internal auditing and the standards; The individuals who are part of the internal audit activity demonstrate conformance with the code of ethics and the standards: o Code of ethics Integrity, Objectivity, Confidentiality and Competency. The code of ethics requires all internal auditors to be competent in their duties. Internal auditors: Shall engage only in those services for which they have the necessary knowledge, skills and experience Shall perform internal audit services in accordance with the international standards for the professional practice of internal auditing Shall continually improve their proficiency, and the effectiveness and quality of their services. Internal Auditors: Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased

4. Objectivity

Frans Khumalos, wife is the head of the department in which he is overseeing as the

internal audit manager. His wife could have unduly influence on him, therefore compromising his objectivity.

assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. Exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgement. Shall not accept anything that may impair or be presumed to impair their professional judgement. The Chief Audit Executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing ONLY if the results of the quality assurance and improvement support this statement.

5. Standard 2430 Use of Conducted in conformance with the international standards for the professional practice of internal auditors And Standard 1321 Use of Conducted in conformance with the international standards for the professional practice of internal auditors 6. Standard 1000 Purpose, Authority and Responsibility

The Chief Audit Executive used Conducted in conformance with the international standards for the professional practice of internal auditors even though the internal audit activity has never been subject to a quality assurance assessment

The Internal Audit Activity is performing Internal Auditing without a charter. The Chief Audit Executive does not see the need for a charter,

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the definition of internal auditing, the code of ethics, and the standards. The Chief Audit Executive must periodically review the internal audit charter and present It to senior

therefore the purpose, authority, and responsibility of the internal audit activity is not formally defined. The board has not raised any concerns/question about not ever approving an internal audit charter, 7. Standard 1110 Organisational Independence The Chief Audit Executive reports to the Chief Financial Officer and not the Board of Directors

management and the board for approval. The internal audit charter establishes the internal audit activitys position in the organisation =, including nature of the chief audit executives functional reporting relationship with the board. Authorizes access to record, personnel and physical properties relevant to the performance of engagements

8. Standard 2120 Risk Management

The Chief Audit Executive sees no need to know about the companys risk assessment They only audit the finance department.

The Chief Audit Executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The Chief Audit Executive must confirm to the board, at least annually, the organisational independence of the internal audit activity Organisational independence is achieved when the Chief Audit Executive reports functionally to the board. The internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management processes.

Part C Authority 1. The current charted states that the internal auditors shall only have access to the chairman of the board, and the audit committee upon receiving authorisation from the chief executive officer. The internal auditors should have free and unrestricted access to the entire board and should not have to get authorisation. Recommendation: The internal audit activity should have free and unrestricted access to the entire board. Organisation The current charter states that the Chief Audit Executive shall report administratively to the Managing Director and functionally to the Chief Executive Officer. The internal audit activity must be free from interference in determining the scope of internal audit, performing work, and communicating results. The Chief Audit Executive shall report administratively to the managing director and functionally to the CEO of the company. Recommendation: The Chief Audit Executive should report administratively to the CEO and functionally to the board of directors. Independence Internal Auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor has responsibility for in the prior/current year. Recommendation: Internal Auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair the internal auditors judgement. Audit Scope The internal audit activity adds value to the organisation and its stakeholders when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes. The internal auditor must evaluate the effectiveness and contribute to the improvement of risk management processes

The scope of the engagement must include consideration of relevant system, records, personnel, and physical properties, including those under the control of 3rd parties. The internal audit activity must be free from interference in determining the scope of internal audit, performing work, and communicating results. Recommendation: The scope of internal auditing encompasses, but is not limited to the examination of the adequacy and effectiveness of the organisations governance, risk management, and internal process as well as the quality of performance in carrying out its assigned responsibilities to achieve the organisations stated goals and objectives. This includes: Evaluating the reliability and integrity of information and the means used to identify measure, classify, and report such information.

Audit Plan The Chief audit executive must communicate the audit activitys plans and resource requirements, including significant changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resources. Recommendation: At least annually, the Chief Audit Executive must submit to senior management and the board an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as a budget and resource requirements for the next calendar year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the board.