Q I am a head of internal audit for a multinational organisation. I have a small team and management has proposed that I use locally based compliance teams to do my testing. Can I adopt this cost-effective approach and still comply with the IPPF?
A With appropriate safeguards in place, it is acceptable for internal audit to rely on the work of other assurance providers. The IPPF recognises that internal audit is one of a number of assurance providers with different remits. Both the IPPF and the revised Three Lines Model, as outlined in A&R magazine (issue 56), make the case for coordination to avoid duplication, overlap or gaps in assurance.
Standard 2050 Coordination and Reliance addresses this point. “The chief audit executive should share information, coordinate activities and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication
Interpretation of the Standard states: “In coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity and due professional care of the assurance and consulting service providers. The chief audit executive should also have a clear understanding of the scope, objectives and results of the work performed by other providers of assurance and consulting services. Where reliance is placed on the work of others, the chief audit executive is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.”
Members may also find the supplementary guidance for this Standard useful as it goes into detail on the topic.
Q I work for a medium-sized company that has started to make commitments relating to climate change. My chief audit executive is reluctant to include anything related to environmental, social or governance (ESG) on our audit plan, preferring to focus on traditional compliance and financial risks. How can I get this on to our audit plan for 2022?
A The Chartered IIA recognises the challenge for chief audit executives (CAEs) to balance the audit plan and provide assurance over risks that are new or high profile, such as climate change, culture, inclusion and diversity, etc.
Your CAE, in common with those in many organisations, is on a journey and some are embracing the need to change more quickly than others. Our research published in November 2020, “Organisations’ preparedness for climate change: an internal audit perspective”, includes examples of good practice as well as highlighting the pressing need for internal audit to be more engaged with climate assurance.
A compliance approach can be a good way to start. Take a look at one of our recent technical blog posts, it explains net zero commitments and the role of internal audit. While environmental disclosure is voluntary at the moment, it is good practice and is often encouraged by shareholders – and particularly by investors.
We suggest you talk to your CAE. Our latest thought-leadership report, “Harnessing internal audit against climate change risk: a guide for audit committees and directors”, makes a great discussion aid because it is aimed at audit committees. It sets out clear expectations of the role of internal audit, which should give your CAE the confidence to start the journey and to have a conversation with your audit committee chair.
Q I am writing a paper for our CEO on the pros and cons of different models of resourcing internal audit.
What key points should I include?
A The main models are outsourced, co-sourced and in-house; within this, there are also options for partial outsourcing and subcontracting.
It is important to emphasise to management that the oversight and responsibility for an internal audit function cannot be outsourced. The board, through the audit committee, is ultimately responsible for oversight of internal audit. Consequently, there is a need for more formal documentation and channels of reporting and approval when all, or a material part of, the function is outsourced.
The Chartered IIA Codes of Practice address this point:
21. Internal audit should have sufficient and timely access to key management information and a right of access to all of the organisation’s records necessary to discharge its responsibilities. In organisations in which the internal audit function is outsourced this Code still applies, and the chief internal auditor should always be employed directly by the organisation to ensure they have sufficient and timely access to key management information and decisions.
Members can also access Models of Effective Internal Audit, which includes case studies of six different models. There is no definitive structure as the assurance needs, size and complexity of an organisation should all be considered when deciding which model to adopt.
Q My head of audit has asked me to draft a new board Audit and Assurance Policy. I know this is a potential new corporate governance requirement, but I feel uncomfortable. Is it ok for internal audit to do this?
A First, it is commendable that your board is being proactive. The Audit and Assurance Policy is one of the proposals in the BEIS white paper Restoring Trust in Audit and Corporate Governance.
The remit of internal audit covers both assurance and advisory engagements. Given the scope of the new policy, the Chartered IIA believes that the Audit and Assurance Policy should be owned and signed off by the audit committee, which must be accountable for it. However, internal auditors are in a strong position to act as facilitators and coordinators of the drafting of the policy in collaboration with other key internal business stakeholders, such as finance and risk management. The function’s unique position as the third line in the business means it has an independent “helicopter” view of the entire audit, risk and assurance landscape, which will help it to weave the policy together, in partnership with the other assurance functions.
The proposal for an Audit and Assurance Policy should help to strengthen internal audit functions and is a golden thread that will help to tie the strands of a company’s assurance together.
In many organisations, internal audit will be the only function with the appropriate knowledge and skills, such as assurance mapping, to support the board in understanding and developing the Audit and Assurance Policy. It is also an opportunity to showcase the value of internal audit and, where necessary, to enhance assurance through informed discussion with the board and audit committee.
This article was published in November 2021.