Q&A: You asked us - September 2022
Q: We’ve had significant pushback from the business after including a finding/recommendation in our draft report for something that was technically out of scope. I have stood my ground and kept it in the final version of the audit report, but am wondering whether I should include it in my report to the audit committee?
A: Yes. A chief audit executive (CAE) decides what to include in individual engagement reports and also in reports to the audit committee. This is a critical factor in the independence of the function. There are three general issues that your question raises.
Out-of-scope audit work
During an audit engagement, if an internal auditor identifies any opportunity to improve the management of a risk, the Core Principles require them to raise the issue because it demonstrates: competence and due professional care (principle number two); quality and continuous improvement (principle number six); that they are being proactive (principle number nine); and are promoting organisational improvement (principle number ten).
However, good practice requires an auditor (outsourced or in-house) to agree scope amendments with their CAE or supervisor before undertaking additional work. There are many factors involved in agreeing or refusing amendments but, fundamentally, any change must be authorised, so the client should be informed.
It is understandable that your client was unhappy that the scope had grown. Maintaining a “no surprises” approach often sits at the heart of good relationships between internal auditors and their clients.
Was the client given an opportunity to discuss the out-of-scope recommendations before the report was issued? Is there anything they might wish to share now that they know the scope has changed? Engaging with the client and giving them the opportunity to respond and agree factual accuracy is important as they clearly feel that they were broadsided by the unexpected addition.
Communicating results
Standard 2400 recommends developing internal audit policies that inform stakeholders whether results will be communicated verbally, in a written report or via a combination of these. Such policies should specify the treatment of issues such as sensitive information, external parties or any disagreement over the management of risk.
A good question to ask yourself is what the consequences might be if internal audit opted not to share the information with the audit committee and the client did not address the weakness.
Internal audit’s authority
The opportunity to remedy any weakness should be welcomed – perhaps it would be useful to have a conversation with management to understand why they are concerned. You can then explain the value of internal audit’s independence and objectivity.
Q: I’ve taken on a project to benchmark our internal audit function. My chief audit executive isn’t sure where I should start. Can you help?
A: Benchmarking is a challenge because internal audit functions deliver their services differently. A useful starting point is to contact similar organisations through networking groups and existing associates.
Global IIA has published an Ambition Model to help CAEs challenge themselves and their teams to improve working practices beyond compliance with the Standards.
The model is supported by an online portal where you can find reports based on your data drawn from a wide geographical and sector base. This enables some benchmarking, depending on the population you want to compare against.
Q: I’ve been asked by a member of my team why they need to record their time. I know it provides valuable information for managing the department, but is it required by the Standards?
A: The implementation guidance for Standard 2230 Engagement Resource Allocation states that:
“By reviewing the engagement work programme, internal auditors may gain a thorough understanding of how much time each step is expected to take. They should be aware of the number of hours budgeted for the engagement, as well as any time, language, logistical, or other constraints for any relevant party (eg, members of the internal audit activity, management in the area under review, senior management, the board, and/or external parties).
“Internal auditors should discuss with the CAE any concerns related to the resources allocated to the engagement. Internal auditors may consider tracking the actual time spent performing the engagement against the budgeted time. The causes for, and effects of, significant overrun may be documented as a lesson learned for future planning purposes.”
The level of detail required for time recording is subjective and may also depend on how shared services are costed within an organisation.
Standard 1220 Due Professional Care also requires internal auditors to be aware of the cost of assurance in relation to potential benefits. This is particularly relevant in respect of unauthorised scope creep or delays caused by inefficient working practices.
CAEs need meaningful data on the time it takes to complete engagements to have transparent conversations about resourcing needs with the audit committee. Data analysis is key to effective decision-making. It is also useful for performance management and for continuous improvement for individuals and the function as a whole.
Q: I recently started a new role and none of my colleagues uses the COSO model when thinking about controls. Am I out of date? I thought it was still relevant.
A: COSO is a best-practice internal control framework. It is a structured approach to designing control procedures to build resilience and success by minimising threats as part of effective risk management. However, if your new function is risk-based and does not do routine control audits, this may explain why it is not at the front of their minds.
In addition to COSO, which provides a general model, there is also COBIT, which is popular with IT professionals, and the ISO suite of frameworks covering a variety of specialist topics.
When performing a control audit, an internal control framework is part of the methodology:
a) Confirm the appropriate framework to use.
b) Map existing internal controls to the expected controls.
c) Undertake gap analysis to identify what is missing or poorly designed.
d) Discuss and address design issues.
e) Test control effectiveness.
f) Discuss and address effectiveness issues.
g) Monitor progress on corrective actions.
Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
This article was published in May 2023.