Q&A: You asked us - March/April 2021

Q I have started to prepare a testing schedule for a new audit entitled “coronavirus response and recovery” to assess my organisation’s response to the pandemic. Does the institute have any guidance that I can refer to, to assist with the scope of this audit? Which are the key areas that need to be included?

A During the first lockdown, the institute set up its Covid-19 hub to help members navigate the issues that organisations continue to encounter in this exceptional year.

In addition to the guidance, the minutes and highlights from the Heads of Internal Audit Forum and Local Authority Forum are open access and provide a range of insights specific to the crisis, particularly in the early weeks. While the pandemic is unique in our lifetime, many aspects of the response and recovery will also be part of an organisation’s existing resilience and continuity plans.

Additional links that may be of interest include:

Business resilience and crisis planning technical blog

Auditing the NHS in the pandemic – behind the front line

Business continuity planning

The effect of the pandemic on local authority governance (localgovernmentlawyer.co.uk)

It may help to think about the audit in terms of four stages:

React – assurance over the quality of the initial crisis plans and their usefulness, including, for example, crisis governance, communications and the initial response to the issue.

Resilience – assurance that key services were adapted to continue throughout the crisis, including examples such as remote working and management of additional funding.

Reactivate – assurance over “getting back to a sense of normal” and moving beyond essentials and survival in resilience mode.

Reimagine – assurance that opportunities are being taken to improve and learn from the crisis rather than returning to old “normal” ways of working.


Q We are keen to ensure that we comply with the DPA 2018 with our internal audit files. We are considering changing how we work. We would like to delete all personal data from our testing worksheets and source documents within three months of finalising the audit report. The logic is that the auditee has agreed with the audit findings in the audit report (and could have requested to see any exceptions in our testing before this) and therefore there is no legitimate reason to retain such personal data on the internal audit file. However, I am concerned about whether an external assessment would require this information.

A The Institute recently published guidance that may be useful in determining your data retention policy. See Handling personal data – factors to consider.

In 2020, for International Data Privacy Day, IIA Global collated its guidance into a handy document. See IIA Bulletin – International Data Privacy Day.

In terms of re-performance testing, this is most likely to be undertaken as part of an internal quality review before the internal audit report is published, rather than in an external quality assessment (EQA). An EQA, such as that offered by the Chartered IIA, focuses on the processes and practices within the internal audit function, rather than on examining details of specific work performed by individual auditors. You may be interested to read the institute’s guidance on developing a quality assurance and improvement programme (QAIP). See Ensuring quality in the smallest internal audit activities.


Q Does the Chartered IIA have any useful information or guidance on year-end opinions?

A HIAs are encouraged to provide an overall opinion in line with IPPF Standard 2450 which states: “When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organisation; and the expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant and useful information.”

More details can be found in the following piece of guidance on Things to consider when preparing for your annual internal audit opinion.

Producing an opinion at the moment presents particular challenges. This is especially true where internal audit resources are limited (for example, because of furloughed or redeployed staff) and lack capacity to audit organisations normally.

HIAs need to consider all possible sources of assurance when formulating their opinion.

In addition, they should expect to be challenged by audit committees to demonstrate the credibility of an unqualified opinion. HIAs should engage regularly and pragmatically with their audit committee chairs to establish what will be required to meet this challenge.

The following webpages and guidance might be useful when you are considering the annual opinion process during the Covid-19 pandemic.

• HIA Forum 1 April 2020

• Local Authority Forum 20 January 2021

• CAE and the AC – No surprises in surprising circumstances


Q Could you let me have a definition of management oversight? What are the key aspects of management supervision that make up effective management oversight of a process?

A Management oversight is part of the overall system of internal control which includes:

• Integrity and ethical values;

• Management’s philosophy and operating style;

• Organisational structure;

• Assignment of authority and responsibility;

• Human resource policies and practices; and

• Competence of personnel.

The three lines model (recently updated from the three lines of defence) outlines the responsibilities of the three lines.

• First-line roles: provision of products/services to clients; managing risk.

• Second-line roles: expertise, support, monitoring and challenge on risk-related matters.

• Third-line roles: independent and objective assurance and advice on all matters related to the achievement of objectives.

Management actions (including managing risk) to achieve organisational objectives:

First-line management role:

• Leads and directs actions (including managing risk) and application of resources to achieve the objectives of the organisation.

• Maintains a continuous dialogue with the governing body, and reports on planned, actual, and expected outcomes linked to the objectives of the organisation, and risk.

• Establishes and maintains appropriate structures and processes for the management of operations and risk (including internal control).

• Ensures compliance with legal, regulatory and ethical expectations.

Second-line management role:

Provides complementary expertise, support, monitoring and challenge related to the management of risk, including:

• The development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems and entity level.

• The achievement of risk-management objectives, such as compliance with laws, regulations and acceptable ethical behaviour, internal control, information and technology security, sustainability and quality assurance.

• Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).

Management’s oversight is highly influential in ensuring a strong control culture, and it is their attitudes, actions and words on a day-to-day basis that often denote the integrity and ethics of the organisation.

This guidance on controls may be a useful reminder to help consider a vast array of things in addition to the specifics of operational/process controls, such as strategic planning, quality, performance metrics/reporting and continuous improvement.

Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was first published in March 2021.