Q&A: You asked us - July 2020

Q If internal audit is lending a hand to the first line during the Covid-19 pandemic, what is the best strategy for dealing with the question of assumed impairment to independence?

A The issue here is less about independence and more about our objectivity. We have to recognise that our Standards and IPPF are principles-based. We are living through a period of exceptional circumstances and our reputations could suffer seriously if we use independence as an excuse to avoid helping out, or are seen to refuse to get "stuck in" with others in the business.

Talk to the audit committee and agree what this means for internal audit. Remember, most internal auditors are employees of the business, so we should focus on the future sustainability and success of the organisation, as well as on providing assurance around risk, control and governance. Independence is the least significant aspect, but objectivity is paramount. Talk to your audit committee about how to proceed.

Q Does the Chartered IIA provide guidance to its members about, or require its members to hold, professional indemnity insurance when practising as an internal auditor employed by an organisation?

A While those working as an internal auditor on a self-employed basis need consultancy/professional indemnity insurance, we would normally expect employees to be covered by their employer.

For clarification, I suggest you speak to your human resources and/or legal or finance departments. The finance team may deal with all the organisation's insurance policies, so should be able to tell you more.

Q If we are delivering a reduced plan, can we provide a full or a qualified opinion?

A It doesn’t have to be a qualified opinion unless you have concerns arising from the work that you have done.

In order to provide an annual head of internal audit (HIA) opinion, you need to have undertaken assurance work that enables you to provide assurance in relation to governance, risk management and internal control. If you have spent some of the year in an advisory type of role then, while that can be included in the HIA opinion, you also need to complete the work detailed in the internal audit plan and approved by the audit committee.

If there are changes to the plan (ie, if you do not have time to complete it, or first line of defence priorities shift) then it is reasonable that the opinion will be based on a limited amount of work rather than on the full programme. This will need to be included in the opinion document provided to the senior management team and the audit committee so there is openness and transparency about the work done, the reliance on first or second line assurance and the advisory work undertaken by internal audit.

You could reasonably say that internal audit can provide an opinion based on only 80 per cent of the work completed because of Covid-19. That opinion will either be "satisfactory", or "needs improvement", depending on the language you normally use.

It's important to flag up the fact that you have done a limited amount of work and that, therefore, the opinion is based on that limited amount of work. You can say that this limited work did not cover certain risks and so you can give no opinion on them.

Don’t go into qualified territory unless your evidence says you should give a qualified opinion. Look at this guidance on independence and objectivity and "Things to consider when preparing for your annual internal audit opinion".

Q One of our stakeholders has asked me why they have to fill in a customer satisfaction survey after every audit. This is quite a long form and I think a lot of our stakeholders find it onerous. I said I thought it was a requirement of the auditing Standards that we have to seek feedback, but I can't find any reference to this.
Do the Standards require this and, if so, is there any guidance about how detailed the feedback forms
should be?

A This falls within Standard 1311 – Internal Assessments that says that internal assessments must include ongoing monitoring of the performance of the internal audit activity. The interpretation goes on to say:

"Ongoing monitoring is an integral part of the day-to-day supervision, review and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools and information considered necessary to evaluate conformance with the Code of Ethics and the Standards."

Additional mechanisms commonly used for ongoing monitoring include feedback from internal audit clients and other stakeholders regarding the efficiency and effectiveness of the internal audit team. Feedback may be solicited immediately following the engagement or on a periodic basis (eg, semi-annually or annually) via survey tools or conversations between the chief audit executive and management.

The Practice Guide on Measuring IA Effectiveness and Efficiency (page 3) states: "The internal audit activity should identify all relevant stakeholders and their respective interests in the work of, or support from, the internal audit activity and should solicit feedback from each of these stakeholders as appropriate." Appendix E provides an example of a Customer Survey.

Q I am trying to find out the requirements for the internal audit team following up on actions from a consulting engagement, as opposed to an assurance engagement. Is there any difference?

A This is covered under Standard 2500 Monitoring Progress – in particular 2500.C1, which states that: "The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client."

The associated implementation guide goes on to say:

"To fulfil this standard, the chief audit executive (CAE) starts by attaining a clear understanding of the type of information and level of detail the board and senior management expect with regard to the internal audit activity’s monitoring of the results of engagements. Results typically refer to the observations developed in assurance and consulting engagements that have been communicated to management for corrective action."

Further associated guidance is also available on consultancy engagements and on following up recommendations.

Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was first published in July 2020.