Q&A: You asked us - January 2023
Q: I would like guidance about a request that I take the lead on an investigation. The terms of reference (TOR) outlines the detail in relation to my potential role as investigator. Will acting as an investigator compromise my independence as an internal auditor?
A: It is not uncommon for internal auditors to be involved in investigations, particularly relating to potential fraud(s). It would be a good idea to ensure that the investigation doesn’t relate to a recent audit area or audit findings to avoid potential compromise (or implied compromise) of independence.
You should ensure that the TOR is aligned with the roles and responsibilities of an internal auditor and respects the independence of this role. The request to undertake this investigation should be shared with, or approved by, the audit committee and, if not already outlined in your internal audit charter, it should detail the agreement about undertaking investigations and who can approve these requests.
The investigation may take time to complete, so you should explain to the audit committee any impact that it will have on the delivery of the audit plan or the audit plan schedule.
If this investigation relates to fraud, then the internal auditor should have the necessary skills and experience to undertake it and discharge their professional responsibility without jeopardising the investigation and associated evidence. Investigation is not typically an internal audit task, so internal auditors should exercise professional care (Standard 1220) by considering the amount of work needed to achieve the engagement’s objectives and the related complexity, materiality or significance.
They should also decide whether they are best placed to undertake the investigation or whether it would be better to engage other experts.
Q: I am auditing the compliance monitoring function. Do you have any guidance that might be useful?
A: Every organisation in every sector must comply with directives and regulations set by external bodies and/or legislation.
In addition to these external requirements, they will also set their own ways of working which employees must follow.
Have a look at our guidance on compliance, which outlines what compliance is and why it is important, and touches on the role of internal auditors. This includes a specific section on Auditing Compliance Functions, which outlines the role of internal audit and refers to the new Three Lines Model. It contains information about internal audit’s role in communicating, collaborating and coordinating its work with the first and second lines.
IIA Global’s “Global perspectives and insights guide on internal audit and compliance” provides further food for thought. You may also find a white paper from IIA Australia on “Auditing your entity’s compliance framework” helpful.
Q: I'm looking for good examples of post-audit auditee feedback forms or surveys. Can you point me in the direction of these?
A: We don’t publish examples on our website because it’s important that feedback surveys/forms are carried out with your specific stakeholders in mind. We wouldn’t want people to approach this in a formulaic way.
IIA Global has produced some guidance on Standards 1310 and 1311 regarding “Requirements of the Quality Assurance and Improvement Program” and “Internal Assessments”, which could provide useful background information.
IIA Global’s Measuring Internal Audit Effectiveness and Efficiency Practice Guide dates from 2010; although it is old, the principles remain relevant. We have also published a technical blog on KPIs.
Q: I was recently promoted to lead the internal audit function in my organisation. One of my key responsibilities is to produce an internal audit opinion. Do you have guidance on this?
A: An overall opinion is the professional judgment of the chief audit executive (CAE) based primarily on the results of individual internal audit engagements, supported in some instances by other reliable assurance information. It covers a specific period determined by an organisation – most commonly a year, although there may be a more appropriate period for your organisation. This should be agreed with the board and/or audit committee.
You have choices about how assurance is provided and reported. CAEs, in partnership with their governance leaders, should discuss the level of overall assurance required to provide an opinion and how different resourcing options enable it (in-house, co-sourced or outsourced). CAEs are encouraged to provide an overall opinion in line with Standard 2450.
In the public sector, an overall opinion is mandatory to inform and be part of the organisation’s annual governance statement, as detailed in the public sector internal audit standards (PSIAS). It is also mandatory in financial services, as explained in our Guidance on Effective Internal Audit in the Financial Services Sector.
The overall opinion constitutes macro-assurance over a defined period. This requires CAEs to bring together disparate assurance threads using themes, trends, evidence and professional judgment to provide holistic, strategic insight into an organisation.
Read our technical guidance on Things to Consider when Preparing your Annual Internal Audit Opinion, which outlines further principles, how you might form an opinion and the assessment criteria you might use.
This article was first published in January 2023.