Q&A: you asked us - March 2024

Q: I am a new CAE and I have inherited an audit plan that has reasonable coverage, although I am concerned that the finance audits are very broad. I would like advice to help me understand how to break these down and also what the gaps
might be.

A: Two tools that are useful for breaking down auditable areas are an audit universe and an assurance map.

An audit universe is a list of all the auditable areas (process, function, etc) within an organisation. Each area can be risk-rated (automation, staff turnover, change, risk maturity, complexity, regulated, etc) to aid cyclical assurance plans. A universe can be intensive to create and maintain, so opinions on its usefulness vary.

Another approach is to create a risk-based finance assurance map, which focuses on the key risks and identifies assurance provided by all three lines, not just internal audit. This not only identifies gaps and duplications, but also enables internal audit to coordinate assurance. In addition, it makes it possible for internal audit to provide targeted assurance over risks where there are multiple potential sources of assurance.

Sometimes a broad scope is appropriate. In these situations, an agile approach can help to break the deliverables into sprints to enable timely findings.

 


 

Q: I am struggling to understand the difference between the audit mandate and the audit charter in the new Global Internal Audit Standards. Can you help?

A: The new Standards introduce the concept of a mandate. Peter Elam, former President of the Chartered IIA and member of the International Internal Audit Standards Board (IIASB), talked about this in a discussion with chief audit executives (CAEs).

The mandate is designed to encapsulate the expectations of the audit committee. In French it translates as “mission”. It is something that evolves over time and can be more flexible and loose in language than the “purpose” of internal audit. It might also be aspirational.

The charter is much more explicit. It is a published document that sets out what is required at an operational level to deliver the mandate, for example the rights and authorities of internal audit.

You may find it useful to watch IIA Global’s webinar, in which members of the IIASB explain the rationale and concepts, including the difference between a mandate and a charter.

 


 

Q: Does the Chartered IIA have a view about whether we should disclose the use of artificial intelligence (AI) as part of our audit work in the documents to the client, such as the brief or reports?

A: You raise an interesting point. The use of AI is accelerating beyond the reach of many standards, laws and other mechanisms designed to protect and serve a higher purpose.

AI can increase internal audit functions’ efficiency and may enable greater richness in terms of insight and foresight. We would expect internal audit to consider the ethical, legal, regulatory and moral considerations of the use of AI – ie, that effective governance is in place – before using it to provide assurance. Although this is not yet explicit in any guidance, it would be reasonable for an internal audit function to ask itself these questions.

“Domain II: Ethics and Professionalism” in the new Global Internal Audit Standards (particularly where this concerns issues of transparency, integrity and independence) suggests that it would be sensible to declare that AI is utilised where appropriate for efficiency and effectiveness within the audit methodology. This would be in keeping with declarations regarding the use of data analytics and reference to conflicts of interest.

AI is an evolving topic and there are ongoing discussions about how it is used within the internal audit process and how it should be audited in different areas across organisations. It will be on the agenda for the Data Analytics Working Group this year.

 


 

Q: Many internal audit teams are struggling to fill vacancies because of a shortage of available people with the necessary skills. Having talked through this with many people, we all agree that a primary contributing factor is the lack of a pathway from school into internal audit. Is the institute working on this?

A: It is true that many school leavers are not aware of the internal audit profession. However, there is now the Internal Audit Practitioner Apprenticeship, which school leavers will see advertised on the Universities and Colleges Admissions Service (UCAS). The Apprenticeship currently includes the Certificate in Internal Audit and Business Risk and also the Internal Audit Practitioner designations. Therefore, organisations wishing to attract school leavers could create an Apprenticeship role and advertise this through UCAS, as well as via the usual channels.

The Apprenticeship was instigated by the institute in 2017, but the Trailblazer Group (which is made up of internal audit employers) drives its development and drafting for approval by the Institute for Apprenticeships and Technical Education (IfATE). This group has recently reformed to review the Apprenticeship and will be discussing challenges such as this. Chartered IIA representatives attend these meetings to provide advice.

Recruitment, development and retention of internal auditors is a key challenge and the institute is looking at ways to support the profession further in these areas.

This article was published in March 2024.