Q&A: You asked us - March/April 2022

Q Can you help with guidance on how to rate the maturity of a control – its “embeddedness”?

A While your question is about individual controls, there is often greater value in considering the control environment, possibly alongside the risk maturity framework.

A control environment encompasses the attitudes and actions of the board and management regarding the significance of control within the organisation (or a function). It provides the discipline and structure to achieve the objectives of the system of internal control.

A control environment includes the following:

  • Management’s philosophy and operating style
  • Organisational structure
  • Human Resource policies and practices
  • Integrity and ethical values
  • Competence of personnel
  • Assignment of authority and responsibility
  • Non-executive directors, with reference to the audit committee and its role in approving the internal audit plans (both the strategic plan and the risk-based operational plan)

The authoritative guidance on control is produced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Its 2013 Internal Control-Integrated Framework provides a useful maturity matrix that can be applied to the overall control environment or to individual controls.

Maturity level 1: Informal or ad-hoc

  • Control activities are fragmented
  • Control activities may be managed in “silo” situations
  • Control activities depend on individual heroics
  • Inadequate documentation and reporting methods
  • Inadequate monitoring methods

Maturity level 2: Standard

  • Control awareness exists
  • Control activities designed
  • Control activities in place
  • Some documentation and reporting methodology exists
  • Automated tools and other control measures may exist, but are not necessarily integrated within all functions
  • Accountability and performance monitoring requires improvement

Maturity level 3: Managed and monitored

  • Key performance indicators (KPIs) are defined for monitoring effectiveness
  • Well-understood chains of accountability exist
  • A formal controls framework exists
  • Automated tools and other control measures are used to generate more standardised assessments

Maturity level 4: Optimised

  • Highly-automated control infrastructure
  • Benchmarking, best practices and continuous improvement elements are incorporated into monitoring efforts
  • Real-time monitoring

Q I work for a local authority which has several separate trading companies, each with its own audit committee. In addition to our audit plan for the authority, we are also contracted to provide audit services to some of the trading companies. I am concerned that this blurs boundaries and threatens our objectivity. Am I worrying unnecessarily?

A It is efficient and effective for the authority’s internal audit function to undertake engagements in these companies/subsidiaries and provide assurance to the audit committee. Your concern, and that of stakeholders, usually arises when governance is unclear – if there is a lack of clarity about internal audit’s role and the requirements of stakeholders, including the audit committee, chief executive, S151 officer and senior management.

Internal audit should have a formal charter agreed with each audit committee, which is also approved by the authority’s audit committee. It should include reporting protocols so that everyone is clear about where reports are received and who is privy to the audit opinion.

It is important that your audit plan reflects engagements across all entities to ensure that the authority understands your priorities and use of resources.

It is helpful to produce an assurance map and to look for assurance providers across the first and second lines, as they may be able to support you in some activities or will help to provide more rounded assurance. 

Q I’m looking to refresh the skills matrix for my internal audit team. Do you have any advice on how I can ensure I am identifying the skills that we need to develop?

A Great question. It takes time to develop skills, so internal auditors need to look ahead as well as thinking about the here and now.

IIA Global recently published Assessing Internal Audit Competency: Minding the Gap to Maximise Insights which addresses your question.

Another insightful read is The Future of Jobs report 2020 produced by the World Economic Forum, which identifies the top skills for 2025 (see below). These are highly relevant to internal audit, so perhaps could be included in your skills matrix. The report looks at emerging skills and changing employment trends, including analysing these by country and industry sector – it is also important for internal audit to keep up with skill changes within the organisation. 

Q Does the institute provide guidance on how the audit committee should handle a disagreement between management and internal audit? My experience is that the audit committee typically sides with management and therefore misses some of the cultural issues behind identified weaknesses.

A This can be a difficult issue for internal auditors. Our opinions, although grounded in evidence, are still opinions and therefore can differ from those of management. Standard 2600 Communicating the Acceptance of Risks specifically deals with this.

“When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.”

The Standard is clear that it is not the responsibility of internal audit to resolve the risk. Internal audit must agree to disagree and move on if the audit committee supports management. Lessons from this situation can help you to enhance ways of working to improve communication and relationships.

You imply that there are cultural issues that the audit committee should be more aware of. You could use root-cause analysis to help the audit committee understand the detail of your work. This can be a powerful way to consolidate different findings that demonstrate the cultural issues that internal audit has identified. Our guidance is a good starting point to learn about this fundamental tool.

GOT A QUESTION? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was published in March 2022.