Q&A: You asked us - January 2020

Q Our business is looking into instructing a consultancy firm to carry out a risk management audit, but this also happens to be the same firm that will provide consultancy work to improve our risk management framework and processes.

I feel there is a potential lack of independence as, in effect, they would be marking their own work. I believe internal audit should carry out the audit, however it has been put to me that the consultancy will appoint a different person to carry out the audit from the person doing the consultancy work, so there is an independent arrangement. From a best practice point of view is this acceptable?

A Internal audit's responsibilities in the organisation's risk management process should be codified in the internal audit charter.

By using different staff, the consultancy could be seen to be putting safeguards in place to protect independence (re Standard 1112). However, the Standards clearly state internal audit's responsibilities in relation to risk management. One solution could be for the in-house team to undertake the internal audit first, which would highlight weaknesses, gaps and areas of poor practice. Once the recommendations have been accepted by management, the consultancy firm could come in and support the business as it implements agreed actions and improves the risk management processes and procedures.

The Standards relating to risk management are:

• Standard 2110 Governance, which states that: "The internal audit activity must assess and make appropriate recommendations to improve the organisation’s governance processes for overseeing risk management and control."

iia.org.uk/media/1688825/ig2110-governance.pdf

• Standard 2120 on risk management, which states that: "The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes."

iia.org.uk/media/1688857/ig2120-risk-management.pdf

• Standard 1112 chief audit executive (CAE) roles beyond internal auditing, which states that when the CAE has, or is expected to have, roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence and objectivity.

iia.org.uk/resources/ippf/implementation-guidance

• In addition, the Chartered IIA’s position paper on the role of internal auditing in ERM says: "Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management. The diagram in the document shows the core internal audit roles in regard to ERM."

iia.org.uk/media/78513/the_role_of_internal_audit_in_enterprise_risk_management.pdf

Q Are the "control universe" and "audit universe" the same?

A We normally talk about a control environment rather than a control universe. The Standards define the control environment as follows: "The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control."

The control environment includes the following elements:

• Integrity and ethical values.

• Management's philosophy and operating style.

• Organisational structure.

• Assignment of authority and responsibility.

• Human resource policies and practices.

• Competence of personnel.

More information on control can be found at iia.org.uk/resources/control

An internal audit universe comprises a number of auditable areas. These may be constructed according to business unit, product line, processes or systems etc, or according to a key risk or key control. There is no one-size-fits-all approach to this. For guidance on the audit universe visit iia.org.uk/resources/managing-internal-audit/audit-universe/

Q Can the Chartered IIA provide some guidance about how we manage the performance of an outsourced provider?

We have recently changed our provider and we want to ensure our current quality assurance performance reviews are effective, and that they cover all relevant aspects. An area we’d like to get assurance on is whether the provider meets their internal quality assurance assessment standards for each audit. Is there anything else that we ought to bear in mind in relation to this topic?

We have agreed KPIs for the provider to report against, so our question is more about getting assurance about their internal process, which we don’t see.

A I suggest you focus on evidence from the external provider around their Quality Assurance and Improvement Programme (QA&IP). Standard 1300 – Quality Assurance and Improvement Program says: "The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity."

The in-house client manager should require evidence from the outsourced provider that they have a QA&IP programme in place.

Standard 1311 refers to the requirement to demonstrate that: ongoing monitoring is an integral part of the day-to-day supervision, review and measurement of the internal audit activity; ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity, and uses processes, tools and information considered necessary to evaluate conformance with the Code of Ethics and the Standards; and that periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

The key is the quality of the evidence that provides the assurance the in-house client management is looking for. I suggest this is an agenda item for an audit committee or similar to discuss and evaluate. If there is any push back from the external provider, reference can and should be made to Standard 1320, which requires the chief audit executive, or in this case the outsourced provider partner, to communicate the results of the QA&IP to senior management and the board.

Disclosure should include:

• The scope and frequency of both the internal and external assessments.

•The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.

• Conclusions of assessors.

• Corrective action plans.

I also suggest that the outsourced provider should be asked when they last had an external quality assessment – ie, within the past five years – and you should request sight of the report.

For more details, refer to the 1300 series of Standards Implementation Guides at iia.org.uk/resources/ippf/implementation-guidance

You  should also refer to the IPPF Core Principles, Core Principle 2: "Demonstrates competence and due professional care", as this requires the outsourced provider to produce evidence demonstrating the competence of the team. Practice guide "Demonstrating the Core Principles for the Professional Practice of Internal Auditing" (figure 2 on page 7) lists examples of enablers that the CAE and internal auditors may apply to demonstrate Core Principle 2.The second column gives examples of key indicators, which may help to gauge how well the internal audit activity has demonstrated the core principle . See iia.org.uk/resources/ippf/supplemental-guidance

If you use these you should elicit responses from the outsourced provider that may provide the assurance you seek.

Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was first published in January 2020.