Q&A: you asked us - May 2024
Q: When are the new Topical Requirements going to become available and what are the expectations around what guidance auditors need to follow when completing our audit projects? A timetable of all topics being considered, consultation processes and when requirements may become live would be helpful.
A: The first draft Topical Requirement on Cybersecurity has been issued and is open for consultation with a deadline of 3 July. The final version will be published after this on a date yet to be confirmed.
This has been eagerly awaited by many as the first indication of the format and level of detail for future Topical Requirements. It follows a simple structure:
• An explanation as to why Topical Requirements are needed.
• The mandatory requirements, based around governance, risk management and internal controls. Each of these has a set of internal audit objectives to be used in the scope of the audit engagement.
• A list of all the relevant standards from the new Global Internal Audit Standards and other existing guidance, in this instance eight GTAGs.
• The first appendix, covering considerations for the requirements and providing lists of evidence that could be used to support the assessment of each audit objective in the mandatory section.
• The last appendix, providing a tool to be used to evidence conformance with the Topical Requirement, which should be completed for each audit engagement. This allows the internal audit team space to explain why a particular audit objective was not covered.
The introduction explains the application of the Topical Requirement for internal audit activity at organisation/entity level engagement, but also where an engagement has the topical requirement as a focus for the scope.
It also states that: “Engagements that include any aspect of the topic must assess the requirements relevant to the engagement or document where specific requirements are not applicable.” This indicates that the full topical requirement is not expected to be met in a single audit engagement.
It must be stressed at this stage that this is a draft and a final version will not be available until summer 2024 at the earliest.
Other Topical Requirements have been listed, but as yet there is no list of priorities or timescale for the others. The list comprises:
• Sustainability: ESG
• Third Party Management
• Information Technology Governance
• Assessing Organisational Governance
• Fraud Risk Management
• Privacy Risk Management
• Public Sector: Performance Audits
Q: How detailed should minutes for the audit committee be?
A: There isn’t a straightforward answer to this because a lot depends on the surrounding governance practices in your organisation and any other requirements, such as the UK Corporate Governance Code. My personal guiding principle is that if someone who reads the minutes does not understand the discussion that took place in the meeting that led to that decision, then the minutes are not sufficient. Minutes are evidence of a control of good governance, so they need to be transparent, evidence the challenge and the discussion and the final decisions made. That said, they do not need to be a word-for-word transcript.
While there is no specific guidance on audit committee minute-taking, you may want to look at our Audit Committee Effectiveness guidance. These are good tests of your minutes, and you should be able to use them to support the effectiveness review.
The key question concerns the purpose of taking minutes – in essence, they are to evidence the governance controls and make sure things are transparent.
There is no one size fits all. When I was secretary to various governance committees, including audit, I would reflect in them the full discussion and debate, not transcribing what each member said, but summarising the salient points they made. It makes them longer, but it felt right for that organisation.
Q: What is your view of internal audit being considered “as part of the control framework”? I am engaged in an interesting debate and would welcome an expert view.
A: Controls are processes to manage risk. The Three Lines Model is clear that controls are not to be performed by internal audit for any service or product delivery and we should not own any policies or procedures and implement them. This is echoed over multiple pieces of guidance and in the new Global Standards.
The new Global Standards recognise that a chief audit executive (CAE) may sometimes have other “non-audit responsibilities”, but these need to be clearly understood and documented and alternative assurance arrangements over those activities must be in place and agreed with the audit committee to preserve independence. Examples can be whistleblowing, fraud, etc. In those circumstances, internal audit could be the control, but the assurance should come from elsewhere.
Controls are defined as processes and are therefore performed on an ongoing, continuous basis. Internal audit’s contact with processes is traditionally for a short period of time. An internal audit engagement is performed and reported and then internal audit has no further involvement other than following up on the agreed actions/recommendations. Again, in the Standards, guides around performance of an audit engagement make this clear.
If risk-based planning is practised, there is no guarantee when the area will be audited again, as opposed to the situation when cyclical planning was the norm.
However, lines get blurred when internal audit performs other activities, such as consultant/adviser to a project. As advisers, we may be involved throughout the full project, often in detail on phases including designing controls and testing routines. Again, guidance makes it clear that internal audit should not make decisions.
This gets even more tricky around continuous assurance, which can be seen as continuous monitoring (and monitoring is a control process). With some internal audit functions moving to a more regular audit planning cycle, monitoring key risk indicators, flagging issues and instigating a responsive piece of assurance could be perceived to be a control. This becomes dangerous if management reduces its own controls because “internal audit will flag any concerns and do some work to address the issue”, so seeing us both as detective and corrective control.
Q: What support and guidance is the Chartered IIA providing/working on to help internal audit functions move to the new Global Internal Audit Standards?
A: IIA Global has produced, and will continue to produce, guidance to support the transition to the new Global Standards. In April they produced a new Model Internal Audit Charter (with guidance), an Executive Summary for Domain III and Three lines Model, and the first draft Topical Requirements on Cybersecurity. More are planned, with a Quality Manual as Recommended Guidance scheduled to be published in July. The Chartered IIA will therefore focus our work on additional and complimentary resources.
One of our major tasks is to review all the existing guidance on our website. We have drawn up a plan and our team of Technical Content Volunteers is working on it. If you would like to be involved, please get in touch – there is plenty to do.
Another task is to provide new resources. So far, we have provided a first version of a Self-Assessment Checklist for the new Global Standards. I anticipate that there will be further versions/updates as we incorporate feedback from a wider group of practitioners, look to include the final version of the Code of Practice and also the final version of the Quality Manual Recommended Guidance.
Other items we are working on include an Audit Committee To Do List, and an Internal Audit Strategy Template with supporting guidance. To help you find these, we have created a new section on the Resources Page for Global Standards Support and will provide regular updates through our Technical Blog.
If you have any ideas about what else might be needed, then let us know.
Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
This article was published in May 2024.