Q&A: You asked us - May 2020

Q If an internal audit investigation leads to an initial audit report being produced and an evidence pack prepared for an HR disciplinary meeting, does an internal auditor have any professional obligations to report concerns or findings to external bodies?

A Initially, if possible, speak to the chair of the audit committee.

Responsibility for notifying external bodies about fraud incidents, after consultation with internal personnel, lies with the management/board, but internal auditors also have some obligations under our Code of Ethics (Integrity). This states that the internal auditor:

1.3. Shall not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or to the organisation.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organisation.

So, ultimately, and this should be the last resort only, if the organisation fails to take action then your obligations under the Code of Ethics 1.3 and 1.4 may require you to report the matter to the appropriate external body. This is not a step to undertake lightly and we would hope that the chief executive or HR manager could be persuaded to report the matter on behalf of the organisation.

Your organisation should also have a whistleblowing policy in place. If this is so, and if management decides not to report an incident, then internal audit could use the whistleblowing policy to raise concerns. 

The following documents may offer some further assistance:

Managing the Business of Fraud Risk – page 43, "Reporting the Results/Corrective Action"

Internal Auditing & Fraud Practice Guide – the section on page 26 (F) "Communications of fraud incidents" says: "Management or the board determines whether to inform entities outside the organisation after consultation with individuals such as legal counsel, human resources personnel and the chief audit executive. The organisation may have the responsibility to notify government agencies of certain types of fraudulent acts. These agencies include law enforcement, regulatory agencies, or oversight bodies."

Q The internal audit activity is defined as a department, division, team or practitioner that provides objective assurance and consulting services designed to add value and improve the organisation's operation. Would you consider the audit committee to be part of the internal audit activity?

A The audit committee is not part of the internal audit activity. The chief audit executive should report functionally to the audit committee. The audit committee is a sub-committee of the main board. 

The audit committee reviews the work of internal audit as follows:

• It ensures that the chief audit executive (CAE) has direct access to the board chairman and to the audit committee, and is accountable to the audit committee.

• It receives the annual internal audit opinion where it is required to be provided.

• It ensures that internal audit is appropriately tasked and resourced, and has sufficient authority and standing to carry out its tasks effectively.

• It reviews and approves the annual internal audit programme of work.

• It receives a periodic report on the results of the internal auditors’ work.

• It reviews and monitors management’s responsiveness to the internal auditor’s findings and recommendations.

• It meets with the CAE at least once a year without the presence of management.

• It monitors and assesses the quality and effectiveness of internal audit and its role in the overall context of the company’s risk management, governance and internal controls frameworks.

The audit committee is also responsible for hiring (and terminating the employment of) the CAE and for undertaking their annual performance assessment and setting their objectives. This demonstrates the independence and objectivity of the CAE and the internal audit activity.

Q What is the best composition of an audit committee in the public sector?

A The key to an audit committee’s effectiveness is having members with an appropriate mix of skills and experience relevant to the organisation’s responsibilities.

The ideal composition of the audit committee and the best combination of attributes of its members depend on a variety of factors, including the organisation’s size, complexity and responsibilities.

Generally, audit committees consist of between three and eight members. The typical audit committee has four or five. It is usually accepted that the minimum number of members for an effective audit committee is three. This ensures that a sufficient range of skills and experience is available.

It's a good idea to seek to ensure that the audit committee is diverse in terms of gender, age, skills, experience and background to enable it to have wide-ranging and dynamic discussions.

Further information is available in:

• Supplemental guidance: "Assessing organisational governance in the public sector".

• IA Global Public Sector Insights: "Independent audit committees in public sector organisations" (page 10 has a section on audit committee composition).

• CIPFA’s Position Statement: "Audit Committees in Local Authorities and Police".

Q Is there a difference between the audit committee charter and the internal audit charter? If so, what are these differences?

A Both charters cover purpose, authority and responsibilities, but these sections are specific to their duties.

The audit committee charter will cover composition of the audit committee, terms of office, meetings and attendance and oversight responsibilities of the internal audit activity and other assurance providers.

The internal audit activity charter covers Standards for the Professional Practice of Internal Auditing, independence and objectivity, scope of activities and the quality assurance and improvement programme.

You can review and compare the content of these at:

• Model audit committee charter

• Model internal audit charter


Top Covid-19 questions from internal auditors 

The answers to these questions, plus a range of other information, can be found in our Covid-19 hub.

1. How can we protect our independence and objectivity if we are redeploying internal audit resources to the first or second lines of defence?

2. What happens when the internal audit resource is furloughed – and should internal audit be involved if other staff are being furloughed?

3. What are the key concerns and challenges for internal audit when we start to come out of the lockdown and return to a “new normal” way of working?

4. In the short term, should audit committee meetings be cancelled or should they take place virtually?

5. As part of the focus on key risks and controls, to what extent should internal audit focus on IT/cyber risk?   

6. How can we keep abreast of, and respond to, regulator guidance relevant to our organisation, for example, from the Financial Reporting Council (FRC)?


Got a question?

Contact our technical helpline on 0845 883 4739 or email at technical@iia.org.uk

This article was first published in May 2020.