Q&A: You asked us - July/August 2021

Q My organisation, in the public sector, currently reports on streamlined energy and carbon reporting (SECR) based on scopes 1 and 2. With enforced remote working over the past year and a probable shift to hybrid working in future, should we recommend that organisations now look at understanding and recognising the energy and emissions from employees working remotely?

A You raise an interesting point. According to SECR, “Emissions from homeworking are classed as scope 3 emissions, ie, they occur as a consequence of an organisation’s actions, but are not owned or controlled by that organisation. Reporting on scope 3 emissions is voluntary for quoted companies. Large unquoted companies, LLPs, are required to report on some scope 3 emissions related to business travel, but home working is not included in this. The government guidance says that, although it is voluntary, reporting on scope 3 emissions is strongly encouraged.

The dramatic shift in working patterns presents a challenge for reporting organisations, as this year will be atypical of their consumption profile. Many companies in scope of SECR may wish to acknowledge the unusual nature of this reporting year in their Energy and Carbon report.”

Organisations are starting to address this - here is a link to an example. Please note: this is informational and not an endorsement. 


Q Is there a detailed template that the institute provides for an audit scope? Ideally including a grading structure/scoring mechanism for the audit.

A The IPPF Standards are principles-based rather than prescriptive, so the institute does not provide templates for engagement scope and reports as these should be tailored to the needs of the organisation – its culture, risk maturity, etc. We do have guidance on how to plan an audit engagement.

Implementation and supplementary guidance form a key part of the IPPF and provide further detail on each element of the Standards. Two relevant guidance documents are Engagement planning – establishing objectives and scope and Formulating and expressing internal audit opinions. 


Q I am planning an audit of our cyber security risk management. Is there any information you can share on how cyber risk might have changed over the past year or so?

A Earlier this year, the institute published Mind the Gap: Cyber security risk in the new normal, which specifically focuses on cyber security culture. The chance of a cyber security risk materialising has increased for many organisations as a consequence of adapted operations and remote working. IIA Global also produced an insightful document, which includes questions to ask to assess cyber security vulnerability. This and other guidance on a range of topics related to the pandemic response are freely available on our technical resources page. Additionally, our guidance on cyber security auditing and the specialist series of technology guidance known as GTAGs are available exclusively for our members. 


Q My chief audit executive has asked me to carry out a self-assessment of the department before our next external quality assessment, which is due next year. Do you have anything to help me get started and is it OK to be doing this on my own?

A The institute provides a range of external quality assessment (EQA) services, including a free self-assessment checklist to help with the basic element of conformance with the IPPF Standards. The IPPF implementation guidance for Standard 1311 Internal Assessments is also useful, as it gives details about conducting a self-assessment.

It is reasonable for one person to facilitate the self-assessment exercise. The guidance notes that the individual or team conducting the self-assessment should assess each standard to determine whether the internal audit activity is operating in conformance. The use of the phrase “individual or team” confirms that one person can make a judgment. However, it is ultimately the CAE’s decision and, where possible, we would encourage consideration of different viewpoints – as in the case of any assessment.

Q I would like advice about how to deal with an issue caused by a one-off human error, such as a mistyped formula in Excel. Aside from recommending an automated process or control, what else can be done in this instance?

A All manual controls are subject to human error. As you recognise in your question, automation is ideal, but it is not always possible, so introducing additional controls can help to check, detect and correct errors. Checks should be completed by a different person (segregation of duties), ideally before the process moves to the next step, so that they form a preventive control. If this is not possible, then checks or testing after the event would create detective controls that enable issues to be addressed. The number of additional checks, and whether they are ad hoc, 100 per cent or somewhere in between, should depend on the potential materiality and impact of the error.

It may help to look at our guidance on controls, which includes a link to the Implementation Guidance for Standard 2130: Control (Control - Information guidance | Technical guidance | IIA).

A spreadsheet formula could be checked by a colleague who has not been involved in its design, and the formula can be tested by analysing the results for anomalies using data where the correct result is already known. Have a look at our guidance on auditing spreadsheets and algorithms.

This article was published in July 2021.