Q&A: You asked us - July/August 2022
Q What is the Prompt Payment Code and how do I audit it?
A The Prompt Payment Code (PPC) was initially established in late 2008 as a voluntary code of practice for businesses and was followed by the UK Prompt Payment Policy in 2015 (updated in 2018). The PPC sets standards for signatories to ensure good payment practices, such as providing clear guidance to suppliers and, most significantly, paying them on time.
By adopting the PPC, an organisation can demonstrate its commitment to treating suppliers fairly. Ensuring they are paid promptly boosts their cash flow and reliability, ensuring resilience in the supply chain. This is of particular importance at the moment, given the high inflation rate, the rising cost of living and disruption in the supply chain. Prompt payment, particularly for small- and medium-sized businesses, is essential to their survival.
We have produced some technical guidance on the Prompt Payment Code, which includes details of risks associated with the PPC, including those associated with non-compliance with the code after adoption. Within the guidance, there are ideas about how internal audit can approach an audit engagement covering the PPC and an outline of key risk areas along with the controls you should consider.
Q With inflation rising at such a rapid rate, what are the key things internal audit should be aware of?
A The Bank of England aims to keep the consumer prices index (CPI) rate of inflation between one and three per cent using monetary policy tools, such as interest rates. However, inflation recently rose to nine per cent and further increases are forecast – the Bank has warned of “apocalyptic” food price increases.
Inflation is driven by external factors, so organisations can only prepare for, and react to, rises. Its impacts are largely financial and compound the financial stability issues that many experienced during the pandemic. You may find the Chartered IIA’s publication Avoiding the Blind Spot useful.
One key area of concern for internal auditors at times of high inflation is the increased risk of fraud, theft and financial misstatement. In addition, people who feel stressed by financial pressures may work additional hours or take on more jobs to make ends meet. This could have an impact on their health, wellbeing and productivity at work.
Areas affected by inflation that you may wish to have on your radar include:
- Cost pressures. Rising energy prices coupled with higher production costs, supply chain volatility and raw material prices will affect an organisation’s margins and profitability.
- Wages. Employees will expect and demand wage rises to offset the rising cost of living.
- Recruitment. Wage deflation may cause more employees to move jobs and staff may seek “location-neutral” roles if their organisation has not retained remote working after the pandemic.
- Reduced consumer spending. As costs rise, people have less disposable income.
- Individual welfare. According to the FCA, one in four people has low financial resilience and soaring inflation will put pressure on charities and increase the use of food banks and welfare agencies.
It is vital that internal audit focuses on the highest risks to the organisation. Chief audit executives (CAEs) should speak to the senior leadership team, audit committee and other stakeholders to understand the risks they face. Stakeholders look to the third line to provide assurance. Moving away from annual planning to a more fluid rolling plan will help to ensure that audits are risk-focused – common examples include a 3+9 or a 6+6 planning model, or a fully rolling plan. Continuous assurance activity and data analytics can help to provide real-time assurance.
Q I work in an organisation that audits compliance aspects against management standards (9001, 14001 and 45001) plus some UKAS accredited standards. Although we are applying IIA levels of auditing, do you have any guidance for auditing these standards?
A The BSI website contains useful information that may help to explain what the standards cover and give you an idea of controls to consider when building your work programme.
The QMS International website provides guidance for ISO 9001, 14001 and 45001. They offer this service to organisations, but an in-house internal audit team could take the same approach. It includes a section entitled “5 tips to get the most out of an internal audit” and uses the same format for all three ISO standards referenced, which may be helpful if you haven’t undertaken any ISO internal audits before.
AuditBoard has a blog on this subject that you may find useful and there are other checklists online that may also help.
Q In light of the war in Ukraine, what would be a good area of focus for an audit engagement of cyber security?
A There are signs that the war in Ukraine is leading to an increase in cyber security incidents globally. It is important that organisations focus on preparing for a cyber security attack and view their people as their protective arsenal – read our Mind the Gap report on the value of cultivating a cyber security culture within organisations.
IIA Belgium, in conjunction with ISACA Belgium and the Institut Français de l’Audit et du Contrôle Internes (IFACI), recently produced an Impact Briefing about cyber security in the wake of the crisis in Ukraine, which highlights the threat of retaliation to the sanctions placed on Russian organisations. It says that government institutions, financial organisations and energy companies may be at particular risk of attack.
The briefing states that internal audit should:
• Ensure that the audit plan remains relevant – the situation is a good opportunity to (re)assess the cyber security risk level.
• Ensure that the audit plan adequately covers the risk and is regularly updated to reflect the changing risk landscape.
• Consider an outsourced or co-sourcing model to obtain expertise in this area if it doesn’t exist within the internal audit team.
• Keep abreast of the nature of cyber security threats relevant to their organisation, ensuring they understand the risks and consequences so they can provide the level of assurance sought by stakeholders.
The briefing contains information on things to consider around detection and response capabilities and outlines how internal audit can respond.
One of the most important things an organisation can do is to increase communications and awareness of cyber security among employees. This involves repeated cyber security training, including phishing simulations. Do employees know what to do if they receive a phishing or suspicious email? Do they maximise the use of two-factor authentication? Have all your employees and board members completed training and is content regularly refreshed? Does your organisation have an up-to-date business continuity plan that has been tested with lessons learned incorporated? Is software regularly updated and does the IT team run updates and patches as required?
Ensuring your organisation remains up to date with sanctions lists, regulations and legislation, as well as understanding disruption to its supply chains, will increase awareness of vulnerabilities that could be exploited.
These are just some areas where internal audit can provide assurance on cyber security. More guidance is available in the cyber section of our How to Audit page.
GOT A QUESTION? Contact the Chartered IIA technical helpline on 0845 883 4739 or email webtechnical@iia.org.uk
This article was first published in July 2022.