Q&A: You asked us - November 2020


Q If the internal audit charter sets out that the chief audit executive (CAE) reports to the audit committee, must the audit committee approve the redundancy of the CAE and what is the legal standing of the charter?

A The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s position within the organisation, including the nature of the CAE’s functional reporting relationship with the board/audit committee; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board/audit committee.

Supplemental guidance on chief audit executives – appointment, performance, evaluation and termination, page 4, “Termination of the CAE by the employer” says:

“Generally, the board (audit committee) would oversee the termination of a CAE. Boards (audit committees) will want to determine if termination is justified and appropriate.”

The Internal Audit Code of Practice section E, “Independence and authority of internal audit” says:

22 The primary reporting line for the chief internal auditor should be to the chair of the audit committee.

23 The audit committee should be responsible for appointing the chief internal auditor and removing him/her from post.

24 The chair of the audit committee should be accountable for setting the objectives of the chief internal auditor and appraising his/her performance at least annually. It would be expected that the objectives and appraisal would take into account the views of the chief executive. This appraisal should consider the independence, objectivity and tenure of the chief internal auditor. Where the tenure of the chief internal auditor exceeds seven years, the audit committee should explicitly discuss annually the chair’s assessment of the chief internal auditor’s independence and objectivity.


Q Should the head of internal audit’s annual opinion be based just upon the work completed by internal audit during the year? Our organisation has had an important regulatory review; should I refer to this in my opinion?

A Standard 2450 Overall Opinions states that: “When an overall opinion is issued, it must take into account the strategies, objectives and risks of the organisation; and the expectations of senior management, the board and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant and useful information.”

The interpretation goes on to say that the communication will include:

• The scope, including the time period to which the opinion pertains.

• Scope limitations.

• Consideration of all related projects, including the reliance on other assurance providers.

• A summary of the information that supports the opinion.

• The risk and control framework or other criteria used as a basis for the overall opinion.

• The overall opinion, judgment or conclusion reached.

The reasons for an unfavourable overall opinion must be stated.

Within the associated implementation guide, it also states that: “All related engagements or projects are considered, including those completed by other internal and external assurance providers. Internal assurance providers may include other functions that comprise the second line of defence for the organisation. External service providers may include the work of external auditors or regulators. For each project considered from an internal or external assurance provider the head of internal audit will need to assess the project to determine the level of reliance that can be placed on the project work. If the head of internal audit relies on the work of another assurance provider, the head of internal audit still retains responsibility for the overall opinion that was reached as a result of that reliance.”

The following guidance is also available on annual audit opinions: “Things to consider when preparing for your annual internal audit opinion”.

Q Our organisation has grown and is likely to continue growing. To accommodate this, we are looking to reorganise the structure, including the governance area. One key issue is the number of individuals currently reporting into the chief executive (CEO). I have noted that the financial services (FS) code makes some very specific comments about reporting lines under "Independence and authority of internal audit”. In light of the FS code guidance, would it be acceptable to introduce a structure in which the head of internal audit reports administratively to a governance director (who reports to the CEO), who also has compliance and risk reporting into them, if safeguards are put in place? These could include:
• the head of internal audit having access to, and the right to, attend the executive committee meetings;
• the reporting line to the governance director being a solely administrative role, with no direction being given in relation to the scope of work;
• the head of internal audit having monthly meetings with the CEO to ensure visibility and access.

A Point 20 within Section E of the FS Code on independence and authority of internal audit clearly states: “If internal audit has a secondary executive reporting line, this should be to the CEO in order to preserve independence from any particular business area or function and to establish the standing of internal audit alongside the executive committee members.”

Therefore, if the CAE’s secondary reporting line is to the governance director, you should give some thought to:

• Challenges with regard to internal audit work in the governance area and independence, ie, could it ever put the governance director in a conflict-of-interest position and, equally important, could internal audit end up reporting the findings of an audit engagement to a director to whom they report administratively?

• Other departments’ perceptions of internal audit’s independence and objectivity.

• Any requirements by regulators or governing bodies.

Share the FS code with the governance director so they have a deep understanding of the role of internal audit. In addition, share your thoughts with your direct functional reporting line, ie, the chair of the audit committee, in accordance with paragraph 15 of the FS code which, as you say, states: “The primary reporting line for the chief internal auditor should be to the chair of the audit committee. In exceptional circumstances, the board may wish for internal audit to report directly to the chair of the board, or delegate responsibility for the reporting line to the chair of the board risk committee, provided the chair of the board risk committee and all the other committee members are independent non-executive directors. The reporting line must avoid any impairment to internal audit’s independence and objectivity.”

Also explore what further safeguards you need to ensure that you meet the requirements of regulators/governing bodies and that there is no impairment to independence and objectivity.


Q Does the internal audit code of practice change anything in the IPPF?

A The primary purpose of the Internal Audit Code of Practice is to provide a basis for conversations aimed at enhancing the overall effectiveness of internal audit and its impact in organisations operating in the UK and Ireland. The recommendations are intended to increase the impact of internal audit in these organisations. They can be seen as a benchmark of good practice against which organisations can assess their audit function.

The code should be applied in conjunction with the IPPF, which includes the International Standards for the Professional Practice of Internal Auditing. The code builds on the Standards and seeks to increase the effectiveness and the impact of internal audit within organisations by clarifying expectations and requirements.

The code is principles-based and the procedural requirements of the code should be applied proportionately. Therefore, we expect smaller organisations to apply the principles on which the code is based and its procedural requirements in relation to their size, risk profile and internal organisation and to the nature, scope and complexity of their operations.


Q Our organisation relies heavily on physical sign-offs and authorisations – from overtime claim forms, to flexible working applications and contracts. We had to move quickly at the start of the Covid-19 pandemic to introduce email sign-offs. Internal audit provided advice on that, namely that the authorising email must come directly from the email account of the authorising officer to reduce the risk of alterations.
Like most organisations, when we upgrade our IT systems, we increase automation, eg, our new time and attendance system will have an in-built authorisation matrix that will allow online authorisations. However, IT systems upgrades happen periodically, so I’m looking for other options for online authorisations that are inexpensive and easy to use. Do you know whether this is an issue that other organisations are facing and what solutions are out there?

A At our heads of internal audit forum on 20 May, one of the participants shared with us their experience of bringing in digital/electronic signatures within a short timeframe to meet their needs in the current crisis across a number of centres.

If you plan to use electronic signatures, the approval of the signatory should always be sought before it is used. One suggestion, if the process is likely to involve only small numbers of documents, is that they could be emailed to the signatory, who can print and sign them before scanning and emailing them back.

A number of more high-tech solutions are available on the internet. There is also a “Guide to Electronic Signatures” that provides some information on what to look for when sourcing providers, eg, price, security, etc.

This article was first published in November 2020.