Q&A: You asked us - January 2021
Q Is it appropriate for a head of internal audit (HIA) to conduct audits while setting up a team? Given that I would be reviewing my own work, is this appropriate?
A It is not uncommon for heads of internal audit to also perform audit engagements, either because of the size of the function or the sensitivity of the assurance being provided. There is no specific guidance on this, although I would suggest you discuss it with your audit committee chair if you are concerned.
Standard 1310 requires HIAs to monitor the internal audit activity’s conformance with the mandatory elements of the IPPF and to ensure the quality and supervision of audit work performed. As it is impossible to review one’s own work, it may help to consider whether temporary controls could provide additional reassurance, for example, asking a third party to sense-check the report, taking an agile approach to findings so there are no surprises, or discussing preliminary findings in a workshop environment to validate information with multiple stakeholders. We always endorse applying the Standards as they will provide a solid foundation for all engagements.
The Internal Audit Code of Practice and the IPPF Principles and Standards are designed to be flexible so that different types of audit functions can conform, including those where heads take an active delivery role.
Q Has the Chartered IIA adopted the new three lines model and, if so, what guidance is available to members?
A The three lines model was refreshed and published by IIA Global in July 2020.
The changes are not radical, but the new language is intended to enhance clarity and purpose. Indeed, the fact that the model is principles-based makes it easier to communicate the purpose and requirements of the model to stakeholders. It supports the language and content of the Supplemental guidance – Core Principles of Internal Audit. The Chartered IIA has produced guidance on the application of the new model.
Key changes were also highlighted in Audit & Risk – in the September/October issue IIA Global president Richard Chambers shared his thoughts about the model and the main elements were laid out in more detail in the November/December issue.
Q Reflecting on a recent technical blog about non-financial reporting, does the Chartered IIA have any guidance to support assurance in this space?
A Yes, this is an area where the institute would like to see internal audit take a more proactive role (obviously, avoiding duplicating the work of external audit).
In 2015, the institute produced a research report that is a useful starting point for all auditors wishing to explore the topic, but is particularly aimed at managers and heads of internal audit.
Further guidance is also available on the subject of integrated reporting and auditing viability statements.
Q We are approaching the time of year when I need to present our audit plan to the audit committee. Is there an example of best practice you could share so I can compare it with what we are currently doing?
A The audit plan should be appropriate to the needs of the organisation so there is no generic best practice example. I suggest that the published guidance is useful for both established and new heads of internal audit, as it can be used as a validation point rather than as a "how to" guide.
One good piece of guidance to begin with looks in detail at audit coverage and factors to consider within the audit plan. It also includes links to other guidance and references the Standards.
Standard 2010 clearly states that “the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals”.
The Implementation Guidance outlines the requirements that are then expanded in the Supplemental Guidance on Developing a Risk-based Internal Audit Plan. For members in Financial Services, there is also specific guidance for creating a risk-based plan.
I hope you have seen the latest Chartered IIA training courses information, but, if you haven't, then consider the training course on developing the audit plan and audit strategy, which you may find helpful.
Q Can the institute share guidance documents, articles or best practice information about the relationship and governance arrangements for group auditors and their subsidiary company auditors?
A There is no formal standard; it is very much a case of what is proportionate and appropriate for each organisation. From an internal audit perspective, it is vital to ensure clear and unambiguous accountabilities for reporting purposes.
Subsidiary arrangements are covered in Section E of the Internal Audit Code of Practice 2020, which states:
19. The chief internal auditor should be at a senior enough level within the organisation to give him or her the appropriate standing, access and authority to challenge the executive. Subsidiary, branch and divisional heads of internal audit should also be of a seniority comparable to the senior management whose activities they are responsible for auditing.
26. Subsidiary, branch and divisional heads of internal audit should report primarily to the group chief internal auditor, while recognising local legislation or regulation as appropriate. This includes the responsibility for setting budgets and remuneration, conducting appraisals and reviewing the audit plan. The group chief internal auditor should consider the independence, objectivity and tenure of the subsidiary, branch or divisional heads of internal audit when performing their appraisals.
The FRC Board Effectiveness Guidance document is an insightful read.
At a practical level, two members shared their personal experiences:
• Global company – "We had internal audit teams in the US, Spain and Australia and in both Spain and Australia there was an MD, board and audit committee (AC), but the group AC in London took the lead. It approved the IA Charter that was then shared with the other ACs to be 'ratified' but not amended. All the internal auditors were considered to be members of group internal audit, although they were based in different countries."
• UK holding company – "Each operating company had its own board structure reporting into a group board. The AC and the risk committee (RC) were at group level, the RC was separate from the AC and included representatives from each of the operating companies. There was one risk framework and one IA charter. All auditors were part of the group IA team. There was an HIA for each operating company, and primary reporting lines were to operational HIAs, although in practice auditors operated in a matrix to maximise resources. Risks were owned and reported at opco level with information collated and reported to the group RC and AC."
This article was first published in January 2021.