Q&A: You asked us - May/June 2021

Q Our organisation is setting up a business continuity task force and would like internal audit to be involved. Would this be a consulting engagement? What safeguards should the chief audit executive (CAE) consider and should the audit committee approve it?

A It very much depends on the role that internal audit undertakes.

The implementation guidance for Standard 1100 “Independence and Objectivity” states: “It is also recommended that the CAE not have operational responsibilities beyond internal audit, as these other responsibilities may, themselves, be subject to audit. In some organisations, the CAE is asked to assume operational responsibilities, such as for risk management or compliance. In such situations, the CAE typically discusses the independence concerns and the potential objectivity impairment with the board and senior management, who will implement safeguards to limit the impairment. Safeguards are oversight activities, generally undertaken by the board, to monitor and address independence conflicts. Examples include periodically evaluating CAE responsibilities, developing alternate processes to obtain assurance related to the additional areas of responsibility, and being aware of the potential objectivity impairment when considering internal audit risk assessments.”

Being involved in a project such as this is a good way for internal audit to remain close to the business, observe their approach to risk management and demonstrate internal audit value through effective contribution. Maintaining independence is essential.

A legitimate consultancy role could involve facilitation, advising but not taking part in decision-making, and being a catalyst for change.

We would always advise CAEs to discuss material matters such as this with their audit committee chair. 

Q I am doing an audit of expenses and wondering how best to select a sample. I am the only person on the audit.

A Our guidance on sampling should be useful. It looks at different methods and factors to consider.

The level of sampling risk that internal audit is willing to accept will impact the sample size that is approved. The lower the risk, the greater the sample size. As the internal auditor, you may want to look at different scenarios and estimate the resource involved so that you can discuss a range of options with your manager before progressing. Generally, sample sizes may be determined using a statistically based formula or through judgment and the resources available.

We would always encourage using data analytics wherever possible to audit 100 per cent of a population rather than a sample. It can seem a daunting resource commitment for a small team, although much can be achieved with Excel and other free/low-cost tools. We support a member-led Data Analytics Working Group to help teams of all sizes on the journey.

Q How should the performance appraisal of a chief audit executive (CAE) be conducted and by whom – considering the definitions of administrative and functional reporting?

A The Internal Audit Codes of Practice, which apply to private, third sector and financial services, are clear about the reporting line of the CAE. The primary reporting line for the CAE should be to the chair of the audit committee. If internal audit has a secondary reporting line, this should be to someone who promotes, supports and protects internal audit’s independent and objective voice. Ordinarily, this should be the CEO in order to preserve independence from any particular business area or function and to establish the standing of internal audit alongside the executive committee members. However, with the agreement of the chair of the audit committee, the secondary reporting line could be to another member of executive management.

The primary reporting line should conduct the CAE’s appraisal. This is addressed in a number of important documents.

Overarching is the International Professional Practices Framework. Standard 1110 (Organisational Independence) and its accompanying Implementation Guidance clearly state that the board (often the audit committee chair) is accountable for the evaluation and compensation of the CAE.

The Internal Audit Codes of Practice are also clear about the accountability for appraising the CAE.

  The chair of the audit committee should be accountable for setting the objectives of the CAE and appraising his/her performance at least annually. It is expected that the objectives and appraisal take into account the views of the chief executive. This appraisal should consider the independence, objectivity and tenure of the CAE. Where their tenure exceeds seven years, the audit committee should explicitly discuss annually the chair’s assessment of the chief internal auditor’s independence and objectivity.

The Public Sector Internal Audit Standards (PSIAS) make the following compensation within the structure of the sector:

• Governance requirements in the UK public sector would not generally involve the board approving the CAE’s remuneration specifically. The underlying principle is that the independence of the CAE is safeguarded by ensuring that his or her remuneration or performance assessment is not inappropriately influenced by those subject to audit. In the UK public sector this can be achieved by ensuring that the CEO (or equivalent) undertakes, countersigns, contributes feedback to, or reviews, the performance appraisal of the CAE and that feedback is sought from the audit committee chair.  

Q Our audit plan was agreed with the audit committee in March ready for our new financial year. I’m a junior auditor and am already getting push back from management that our plan is out of date because of the volatility caused by COVID-19 and the economy. Our CAE is reluctant to go back to the audit committee. I think she should adapt the plan. What should I do?

A These are challenging times to be an internal auditor and a CAE. Volatility is one aspect of the VUCA acronym which sums up the environment: Volatility, Uncertainty, Complexity and Ambiguity.

Accepting that the environment is not going to change can help. It enables us to change our frame of reference and work differently; that includes you, the CAE and the audit committee. There may be reasons why the plan cannot be adapted; perhaps your CAE is breaking down barriers that you are unaware of, or maybe the issue is not on her radar. Talk to colleagues; internal auditors should be open to listen and learn. Our blog post on adapting the plan in turbulent times features a case study that may be useful to share with your CAE.

The CAE must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals (Standard 2010 – Planning). Although audit plans are typically prepared annually, they may be developed according to another cycle. For example, the internal audit activity may maintain a rolling 12-month audit plan and re-evaluate projects on a quarterly basis. Or, the internal audit activity may develop a multi-year audit plan and assess the plan annually.

Creating an audit plan is a collaborative process to ensure priorities align across stakeholders. The Standards are designed to allow the CAE flexibility to review and adjust the audit plan in response to changes in business, risks, operations, programmes, systems and controls. Significant changes must be communicated to the board and senior management for review and approval in accordance with Standard 2020 (Communication and Approval).

Got a question? Contact our technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was published in May 2021.