Q&A: You asked us - March 2020

Q Where is it stated how often units or projects should be audited (eg, in the Standards or other practice guides)?

A The Standards do not specify how often units or projects should be audited. Standard 2010, Planning states that: "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals."

The internal audit plan is intended to ensure that internal coverage adequately examines areas with the greatest exposure to the key risks that could affect the organisation’s ability to achieve its objectives – iia.org.uk/performance-standards

Further information can be found in Implementation Guide 2010 (iia.org.uk/resources/ippf/implementation-guidance) and also in our guidance on "How to prepare annual internal audit coverage plans" – iia.org.uk/auditcoverage

Our Internal Audit in Practice guide also provides a series of case studies that draw on interviews with public and private sector heads of internal audit and includes auditing projects and risk-based internal auditing – charterediia.uk/iapractice


Q Is it recommended practice for the same auditor to audit the same project on a repeated basis? Or, if repeat audits are made, should different auditors be used?

A One of the key concerns is that the same auditor repeatedly undertaking the same audit becomes over-familiar with the area or function and stops asking the challenging questions because they think they know the answers. This is why it is good practice to build the knowledge and expertise across the whole team, rather than encourage one team or individual to develop all the knowledge themselves. 

From a succession planning perspective, there is also the risk that the individual or team fails to share their knowledge with their colleagues, so if they leave there is a knowledge gap that may take some time to regain. This can affect the assurance that internal audit is able to provide for the particular area or topic. 

However, there are also advantages when an auditor undertakes an audit on a repeated basis. It enables them to build up a more in-depth understanding of the area and develop familiarity with the processes, procedures and risks, and possibly reduce the length of time it takes to complete the audit. This is particularly relevant if the area is complex or requires specific subject-matter expertise.

Generally, however, it isn’t best practice for an auditor to undertake the same audit year after year. Using a different auditor will enable them to develop and to benefit from the supervision and knowledge of staff who undertook the audit previously. It may also provide a different perspective on the audit. 

The Code of Ethics and the Standards have the following to say about competency and resources.

The Code of Ethics, Competency Principle states: Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services. Internal auditors:

4.1 Shall engage only in those services for which they have the necessary knowledge, skills and experience.

4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.

4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

Standard 2230 Engagement Resource Allocation says: Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources.

Interpretation: "Appropriate" refers to the mix of knowledge, skills and other competencies needed to perform the engagement. "Sufficient" refers to the quantity of resources needed to accomplish the engagement with due professional care.

Standard 2340 Engagement Supervision says: Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff are developed.


Q When collecting supporting hard evidence regarding fieldwork carried out, should one keep a hard copy of the exceptions identified or of files and transactions where no exceptions were noted?

A It is helpful to sum up all evidence viewed and the outcome of testing in a table, along with attachments containing any evidence to support the exceptions, as long as this supports the engagement results and conclusions and provides sufficient, reliable, relevant and useful information.

You should also consider confidentiality, legal requirements relating to the protection of personal data, such as the Data Protection Act, and requirements for investigation work. It is best practice within the internal audit activity to have a document retention policy that clearly states what documentation needs to be retained by internal audit and for how long.

In some of the more sensitive areas of an organisation it may not be possible to obtain copies of documents, either for commercially sensitive reasons or to comply with GDPR legislation. In such circumstances, internal audit may have to read documents and make notes rather than taking copies.

The Standards (iia.org.uk/performance-standards) applicable to this area are:

• 2310 – Identifying information: internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement's objectives.

• 2320 – Analysis and evaluation: internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

• 2330 – Documenting information: internal auditors must document sufficient, reliable, relevant and useful information to support the engagement results and conclusions.

The supporting Implementation Guides are available at iia.org.uk/resources/ippf/implementation-guidance


Q There are many occasions, particularly in the US, where internal auditors are refused access to data with the statement: “It’s under client attorney privilege and therefore you cannot have the information.” Is this actually true and, if so, how does it affect compliance with the IPPF Standards and the audit committee's understanding of full access to information?

A There are potentially two elements to this. The first is that a document, or a number of documents, have been designated "covered by legal privilege", so they should not be shared with anyone outside the designated group of people without permission from the legal function. This includes internal audit. There may be instances where the chief audit executive is a member of the designated group, but they won’t be able to share the information with their team. 

There is also the excuse that someone "cannot share this with internal audit because of legal privilege". If that statement is offered when internal audit seeks access to one or more documents, then internal audit needs to seek an explanation or justification for the legal privilege designation.

The audit committee should be made aware of any restrictions on access to information and the reasons for this.

The rules around legal privilege are very strict. There are two types of legal privilege. 

1. Legal advice privilege covers confidential communications between a client and its lawyers, whereby legal advice is given or sought. Privilege attaches to all material forming the lawyer-client communications, even if those documents do not expressly seek or convey legal advice. It also applies to in-house legal advice, provided the in-house lawyer is legally qualified.

2. Litigation privilege protects communications between clients or their lawyers and third parties for the purpose of obtaining information or advice in connection with existing or contemplated litigation. Litigation must be in progress or reasonably in contemplation; the communications must be with the sole or dominant purpose of conducting that litigation; and the litigation must be adversarial, not investigative or inquisitorial. Litigation includes criminal and civil court proceedings, employment tribunals and arbitration. The principles are underpinned by the need for a client to speak candidly to their lawyer to receive the most appropriate advice.

Legal advice privilege can come only from someone who is legally qualified, so internal auditors are unlikely to be able to establish that their work benefits from protection. However, they may need to ensure they preserve any privilege that exists in documents they receive.

It is more likely that internal audit work is protected by litigation privilege. An awareness of when an investigation moves beyond a preliminary fact-find into potential regulatory sanction, prosecution and/or third-party claims is vital, although this watershed is not necessarily easy to spot.

Further information along with case studies can be found in the May/June 2018 issue of Audit and Risk, where the article "Are you privileged?" (page 34) explains what auditors need to know – iia.org.uk/auditandrisk2018

With regards to the IPPF, the Code of Ethics Integrity Principle states that internal auditors:

1.1 shall perform their work with honesty, diligence and responsibility;

1.2 shall observe the law and make disclosures expected by the law and the profession.

Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was first published in March 2020.