Q&A: You asked us - March 2023

Q: I have been asked to ensure our internal audit manual is up to date. Is this still a relevant thing to have and, if so, is there any guidance that could help me?

A: Yes, this is a perennial member query, so we have listed the things that are typically included in an audit manual. You raise a good point about its relevance. An internal audit manual should be easy to use and should help internal auditors do their job; for example, it should cover policies, ways of working, the charter and performance measures. It is very useful for training. Every function is different, so each manual will be unique. If a manual is gathering dust on a shelf then it is not effective – find out why and rectify it. Perhaps it needs digitalising? Maybe no one new has joined the function for a while? A manual should contain a summary of information that is quick to read and will keep experienced internal auditors on track, while providing more detail for those new to the role.

Q: During a recent audit, the director of the function told me that I should be thinking about risks that are emerging, not just ones that are already on our risk register. We don’t have a risk function. Should internal audit be doing this?

A: Absolutely! Your director is quite right. Whether or not your organisation has a risk function, internal auditors should be aware of emerging risks. Horizon-scanning involves thinking about what the future might look like. It uses our key skills of systematically investigating evidence to look for future trends. It tries to unravel some of the uncertainty and ambiguity, but without making predictions.

Gathering insights into what the future may bring helps us to build scenarios that can be used to build resilience, prepare for threats and take advantage of opportunities.

Our guidance is part of your toolkit for horizon-scanning and providing foresight. Internal audit should provide assurance over the risks of today and the challenges of tomorrow. Horizon-scanning is about keeping abreast of the broad environment in which an organisation operates. Think PESTLE (the political, economic, sociological, technological, legal and environmental factors that influence it). It is about being curious – for example, read widely and listen to podcasts.

Our annual Risk in Focus report is a useful guide, together with the Global Risks Report produced by the World Economic Forum. Read these and think about what might be relevant in your sector, in your organisation, in the future.

Q: We operate a rolling audit plan and I am looking at priorities for the next six months. Our audit committee is keen for us to provide cyber risk assurance, but we did this last year. I know it was ranked as the number one risk on your Risk in Focus research, but is it not business as usual? There are other risks I’d prefer to focus on that don’t have as high a profile in our discussions. Am I missing something?

A: In our digital age, cyber risk will always be a top risk. It is debatable whether it is the number one priority, given the existential threat of climate change, but it is certainly not diminishing.

According to Shanil Williams, board member at Allianz Global Corporate & Specialty: “The threat in cyberspace is still higher than ever, and cyber claims remain at a high level. Large companies have become accustomed to being targeted and those with adequate cyber security are able to repel most attacks more effectively. Increasingly, more small and mid-size businesses are also being impacted. These tend to underestimate their exposure and need to continuously invest in strengthening their cyber control framework.” The Allianz Risk Barometer lists cyber incidents, including ransomware attacks, data breaches and IT outages, as the number one risk.

Your question is perhaps more about how to audit all the important risks than whether cyber should still be a priority. Prioritising the audit plan is increasingly challenging, with multiple crises compounding enduring risks such as cybercrime. An assurance map is a useful way to help internal audit and the audit committee understand all the various sources of assurance. Ongoing compliance monitoring can be provided by the first and second lines, freeing up internal audit to look at broader risks. It is a useful way to avoid duplication and to plug gaps. That isn’t to say an audit of cyber risk isn’t valuable, but the scope may be focused more towards strategic and emerging risks and towards audits that provide assurance over the quality of reporting.

Check out our guidance on assurance mapping and the coordination of assurance providers.

Q: I recently joined a small internal audit team. I know costs are tight and my boss has explained that the audit committee has again deferred funding for an external quality assessment. My problem is that we’re not conducting any internal review of how we work either. The Standards say we should. What should I do?

A: Chief audit executives (CAEs) are under multiple pressures. Rather than waiting, you could take the initiative and propose and facilitate a team meeting to undertake a self-assessment. Your CAE may welcome the opportunity to participate and give direction if they do not have to find the time to prepare and write it all up themselves.

Standard 1300 tasks the CAE with developing and maintaining a comprehensive quality assurance and improvement programme (QAIP). The QAIP should encompass all aspects of operating and managing the internal audit activity to enable an evaluation of the function’s conformance with the International Professional Practices Framework (IPPF) including the Standards and Code of Ethics. It must include ongoing and periodic internal assessments as well as external assessments by a qualified independent assessor or assessment team.

An annual self-assessment (part of Standard 1311) is an opportunity for a holistic, comprehensive review of the function and Standards, whereas ongoing monitoring is generally focused on reviews conducted at the engagement level. Check out the Implementation Guidance for 1311 for more detail.

The Chartered IIA recognises that CAEs need support with self-assessments and provides members with an easy-to-use checklist.
This has four elements:

• Details of the IPPF.

• Suggestions on how you can conform to the IPPF.

• Assessment of how you conform to the IPPF.

• Actions needed to fill any conformance gaps.

This article was published in March 2023.