Q&A: You asked us - September 2020
Q If the internal audit team is appointed to do some off-plan consultancy, do they still have to report the outcome to the audit committee?
A All consultancy work should be reported to the audit committee. Under the “interpretation” section of Standard 1110 Organisational Independence it states that: “Organisational independence is effectively achieved when the chief audit executive (CAE) reports functionally to the board.”
Examples of functional reporting to the board include the board receiving communications from the CAE about the internal audit function’s performance relating to its plan and other matters.
In the Model internal audit charter within the “Scope of internal audit activities” it suggests, among other things, that: “The CAE will report periodically to senior management and the [board/audit committee/supervisory committee] regarding results of audit engagements or other activities.”
The Consultancy engagements guidance also covers this. In particular, the section on “Professional conduct, consultancy assignments and issues of independence/objectivity” says: “It should be made clear to management that all consultancy work will be reported to the audit committee and be included in the overall opinion with progress on results monitored to the extent agreed upon with the client (Standard 2500.C1).”
Q I work in internal audit in a small team in the UK, but the company is headquartered in the US. I’d like to know if our company internal audit function would be expected to comply with the new code?
A The new Internal Audit Code of Practice is intended to be applied by all organisations in the private and third sectors with an internal audit function and an audit committee of independent non-executive directors or their equivalent.
The code should be applied in conjunction with the existing International Professional Practices Framework (IPPF) published by the Global Institute of Internal Auditors, which includes the International Standards for the Professional Practice of Internal Auditing (the IIA Standards). The code builds on those Standards and seeks to increase the effectiveness and impact of internal audit within organisations by clarifying expectations and requirements.
The code is principles-based and it is expected that the procedural requirements should be applied proportionately. Therefore, smaller organisations should apply the principles on which the code is based and its procedural requirements in a manner that is proportionate to their size, risk profile and internal organisation, and the nature, scope and complexity of their operations.
Q We are currently making all our staff available for deployment in other service areas. When they return, it would be good to have some kind of “understanding” that, although they may have been working/assisting a service area, it is still appropriate for them to audit that area in the same year.
A This is a great opportunity for internal audit teams to show how they can support and add value to organisations. We need to be flexible about supporting the organisation in whatever way possible. This is key for all of us as we tackle the challenges we are facing.
There should always be appropriate supervision and review of any work undertaken. In the current scenario, it might be necessary to adjust (perhaps increase) the level of supervision required, while recognising that in the near future we may have to audit areas we have worked in.
Talk to the audit committee and agree what this means for internal audit in the next months. Remember also that most of us are employees of the business and we should all focus on its future sustainability and success.
Standard 1130.A1 – Individual Objectivity says that individuals must refrain from assessing specific operations for which they were previously responsible for at least one year after leaving the operation. However, in these exceptional circumstances, it may be appropriate to look at each individual circumstance, eg, the length of time they worked/assisted in that area, the work undertaken and whether there may be a conflict that would impair the internal auditor’s objectivity.
If necessary, ask whether another member of the internal audit team could undertake some aspects of the audit, or whether you could allocate another member of the internal audit team to it. Remember to discuss your approach with your audit committee chair.
Q My organisation is due to have an external quality assessment (EQA) this year. However, because of the Covid-19 situation, I expect that we will experience delays getting agreement and with the procurement process. I also expect that organisations with EQAs booked may have had to push them back, as buildings are not open, so we may struggle to book. As a result, when our compliance with the five-year timescale for an EQA is assessed, will we be assessed as non-compliant because of these delays or will this be a reasonable exception?
A We are in exceptional circumstances at the moment and we would expect this to be reflected in the assessment. The Standards require you to have an EQA at least every five years. Some internal audit functions have them more frequently for a variety of reasons, such as a new CAE or a new chair of the audit committee. However, in the current circumstances it would be realistic to expect that whoever conducts your EQA would take into account the effect of the pandemic.
For many internal audit functions, this may not be the right moment for an EQA. In the meantime:
• Make sure that the decision to delay is agreed with all stakeholders and that there are records of all these decisions.
• Set a clear timeline for undertaking the review and/or re-considering when the EQA should take place.
• Use any under-utilised staff time to ensure that you will be in good shape for the EQA when it does happen. For example, update documents such as the audit manual or charter and complete your own assessment of your compliance with the IPPF (you can use the institute’s checklist) and develop a plan to address any gaps you identify.
However, it is extremely important that you keep talking to your audit committee chair, and that you highlight to them what is happening and the challenge regarding undertaking an EQA.
If you have recently undertaken an internal quality assessment, then you should also feed back the results of that to your audit committee, along with any actions you have identified to address weaknesses or gaps in conformance.
Q In some cases, internal audit is now performing the role of compliance, risk or other assurance provider. This will inevitably provide deep insight on the effectiveness of the policies and processes in these areas, albeit while operating in exceptional circumstances. Should identified weaknesses be reported and, if so, how? Would this potentially include reporting them to the audit committee?
A Internal audit is there to support the organisation in the current situation. However, internal auditors should call out any weaknesses they identify in processes, policies, etc. But this could also, if not handled carefully or sensitively, cause reputational damage to internal audit.
Managers in the business might say, for example: “You were supporting us, helping us by working in the first line and now, just because you’ve found something that you wouldn’t normally have found, you’re reporting weaknesses in processes, controls, etc.”
It could be seen that internal audit is again becoming a policeman, which is not at all what we want. I think it is about how we deal with this, the significance of the risk or the weakness identified and how we address anything that we find appropriately and sensitively. Raise it with the business, raise it with the area in which internal audit is working currently and agree a way forward to resolve the weaknesses.
Ensuring that we get the timing and the communication right is important – but so is maintaining relationships that have been built up over time.
Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
This article was first published in September 2020.