Q&A: You asked us - January/February 2022

Q I am about to start an audit of an area I haven’t audited before. I’ve looked for an audit programme to use, but none are available. What should I do?

A Each organisation and internal audit activity is unique with its own set of priorities, risks, risk appetite and controls. It is for this reason that the Chartered IIA has decided not to offer generic audit programmes within its resources.

Internal auditors have a professional duty of care to ensure that they are competent to undertake the work being asked of them. It is part of the Code of Ethics. It is therefore appropriate to pause and ask: Should I be doing this work?

Members can access guidance on how to audit unfamiliar areas of work. This builds on a series of questions including:

  1. What is the overall engagement objective?
  2. Is there a need for subject-matter expertise?
  3. How does the area under review contribute to the organisation’s strategy?
  4. Which critical risks are relevant?
  5. What is the organisation’s risk appetite and response to the risks?

The guidance builds on McKinsey’s 7S model. Creating the audit programme is the internal auditor’s opportunity to research and understand the area being audited. It encourages internal auditors to ask questions, tailor the engagement and ensure that their assurance is relevant. 


 

Q Why should climate change risk matter to boards/audit committees and therefore to internal audit?

A It is now accepted that we are seeing the impact of climate change today, and that this impact will continue to increase. Extreme weather events of ever greater severity are becoming the norm, including in the UK and Ireland. The World Economic Forum’s Global Risk Report 2021 is striking and clear in its recognition of climate change risk.

Internal audit’s ideal position within the structure of an organisation is outlined in the Three Lines Model, where it appears as the third line. The model also highlights internal audit’s role in communicating, collaborating and aligning with the first and second lines, and reiterates that its position should allow assurance to be given directly and independently to the board.

One of the key strengths of internal audit is its wide remit, allowing a “helicopter view” of the organisation in which it operates and a direct link to the board. Modern internal audit activities are required to understand the overarching strategy and direction of an organisation, as well as its composite parts.

Our Code of Ethics makes it clear that internal audit should engage “only in those services for which they have the necessary knowledge, skills and experience”. It is helpful for internal auditors to have a level of knowledge and expertise in the subject area that they’re auditing, but an audit of climate change risk may need to be largely science-led. It is likely that internal audit will need to look into co-sourcing arrangements to cover gaps in expertise.

Other possibilities include collaborating with different internal audit activities in the same sector, or working with an in-house guest auditor. Collaborating with specialists and consultants who have scientific expertise on climate change will help internal auditors to understand the raw data and will guide them in practical areas of their work, such as understanding how to define their priorities and what those priorities should be.

We call on internal audit teams to show leadership here. Internal auditors have the skills they need to grapple with these issues. Take advantage of your direct link to the board, ask questions and challenge. Opening a dialogue on climate change is the first step that needs to be taken if organisations wish to keep up now and excel in the future.

Read our new thought leadership report Harnessing internal audit against climate change risk: A guide for audit committees and directors for more advice in this area. 


Q I am a Chief Audit Executive (CAE) and I am currently drafting the budget. According to the Chartered IIA’s financial services code, the budget should be approved by the audit committee. However, the CEO is responsible for the budget for the whole bank. Does that mean that they should approve the internal audit budget before it is consolidated in the bank-wide budget? If yes, then ultimately they are responsible for ensuring that resources for internal audit are adequate. If no, then they must submit a budget to the board that contains some items beyond their control.

A To ensure internal audit independence, the financial services code states that the audit committee should be responsible for approving the internal audit budget. The code also advises that the CAE should provide the audit committee with a regular assessment of whether the internal audit budget is sufficient.

Approval of the proposed internal audit budget should therefore be sought from the audit committee, and the CAE should be free to advise them of its sufficiency. This does not preclude the CAE from liaising with the CEO and the CFO on the parameters of the internal audit budget in advance of audit committee approval, as long as the CAE remains comfortable that it will be sufficient.

In this way, the CEO is not assuming responsibility for ensuring that the resources for internal audit are adequate, and once the internal audit budget has been approved by the audit committee, it can be taken as part of the overall budget by the CEO for consideration by the board.


Q Does the institute have any annual internal audit report templates for 2021?

A The institute does not offer a template for reporting the CAE’s overall annual opinion. CAEs are free to decide a format that works for their organisation, as the IPPF states what should be included in an overall opinion (Standard 2450), but not how it is presented.

Members can access our guidance on Things to consider when preparing for your annual internal audit opinion.

An indicative structure includes:

  • Executive summary (opinion, basis and limitations)
  • Summary of internal audit activity
  • Themes, trends and issues (governance, risk management and internal control)
  • Quality assurance and improvement plan (including adherence to standards)

Q Is a co-sourcing internal audit arrangement allowed in a public sector council? The CIPFA head of internal audit statement suggests the head of internal audit (HIA) has to be a senior manager?

A Co-sourcing or outsourcing the internal audit activity is allowed within the public sector. While principle 3 of CIPFA’s statement on the role of the head of internal audit does state that “the HIA must be a senior manager with regular and open engagement across the organisation, particularly with the leadership team and with the audit committee”, in this context it refers to the nominated HIA being of sufficient seniority to ensure that the internal audit activity can be appropriately positioned to maintain organisational independence.

Under principle 3, the statement goes on to say: “The individual [HIA] could be someone from another organisation where internal audit is contracted out or shared. Where this is the case then the roles of the HIA and the client manager must be clearly set out in the contract or agreement.”

Standard 2070 (External Service Provider and Organisational Responsibility for Internal Auditing) of the Public Sector Internal Audit Standards requires that: “When an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organisation has the responsibility for maintaining an effective internal audit activity.”

The interpretation tells us that: “This responsibility is demonstrated through the quality assurance and improvement programme which assesses conformance with the Code of Ethics and the Standards.” 

This article was first published in January 2022.