
Q&A: You asked us - September/October 2021

Q Does the Chartered IIA still recommend a set annual audit plan? There seem to be many different approaches now, such as a rolling three-month plan, a three- to nine-month plan and other variations.

A The IPPF is principles-based, rather than prescriptive, and the annual audit plan requires judgment by the chief audit executive (CAE) in consultation with the audit committee and other stakeholders. Standard 2010 Planning states that: “The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals.” The supporting Implementation Guide 2010 IG 2010 Planning states that: “Although audit plans typically are prepared annually, they may be developed according to another cycle. For example, the internal audit activity may maintain a rolling 12-month audit plan and re-evaluate projects on a quarterly basis. Or, the internal audit activity may develop a multi-year audit plan and assess the plan annually.”

Internal audit, like many other functions, often works in an agile manner to keep up with rapidly changing environments and manage the associated uncertainty and complexity. Agile internal audit plans can take many forms, such as a rolling plan or an annual plan with a firm approach for the first quarter and then varying degrees of flexibility for subsequent quarters. A recent blogpost on this topic may be useful: “All change – adapting the plan in turbulent times.”

Q I have been asked by my manager to develop a risk register for internal audit. This isn’t something I’ve come across before. Is it common practice?

A It is hard to say whether it is common practice, but it is certainly good practice. A risk register is a practical tool that an organisation or department uses to manage its risk by going through the five steps of risk management: identify, analyse, evaluate, respond and monitor.

Internal audit, like any other function, is exposed to risk – which produces threats and opportunities. The guidance for Standard 2120 notes that internal audit is responsible for actively managing its own risks, including those relating to the audit opinion and those associated with running the function.

A risk register is complementary to the quality assurance and improvement programme. Guidance for developing a risk register is available to members. 

Q Does the institute provide guidance on the amount of resource that should be invested in the internal audit function?

A The institute’s position on this is very much principles-based, as there is no one-size-fits-all approach. Resourcing is addressed in the Internal Audit Code of Practice guidance on effective internal audit in the private and third sectors (there is a separate Code for Financial Services).

Paragraphs 28-30 state that the CAE should provide the audit committee with an assessment of what is required to provide assurance and that the audit committee is responsible for approving the internal audit budget and, as part of the board’s overall governance responsibility, disclosing in the annual report whether it is satisfied that internal audit has the appropriate resources.

Standard 2030 Resource Management specifies that the CAE must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. “Sufficient” refers to the quantity of resource needed to accomplish the plan and “appropriate” refers to the competency of the resources available.

The codes recognise that every organisation is unique, so the board and/or audit committee must make an informed decision, ideally in partnership with the CAE. 

Q In our organisation, we are aware of the strain that the past 18 months has put on staff. We are thinking about what we can do from an internal audit perspective for the staff we are auditing. What signs/red flags should we look out for and does the Chartered IIA have any tools to help?

A Mental health was the topic of a recent Talk to Internal Audit with guest speaker Aileen Evans, CEO at Grand Union Housing Group. Our Facebook/YouTube series is open for all to view and, being short, the episodes make great discussion introductions for team meetings.

In addition, the institute has developed a new course on Auditing Staff Welfare and Wellbeing Risk to help internal auditors audit this area – the next sessions are in November and January – and we are currently developing technical guidance.

According to the Aspire Wellbeing website these are some red flags to look out for:

  • Sighing: This can be a physical reaction to regulate breathing during times of stress and anxiety. It is often a non-verbal sign of feelings of upset and distress. If a colleague is regularly sighing, then it could be a subconscious message expressing negative feelings without them having to verbally discuss it.
  • “I'm alright”: If a colleague responds to questions about their wellbeing with phrases such as “I’m alright” or “I’m fine”, then this could be a sign that they are struggling. They could be hiding how they are really feeling because they feel uncomfortable sharing these thoughts in the workplace.
  • Exhaustion: For many of us, living in lockdown was exhausting and it’s extremely easy to suffer burnout, which shouldn’t be ignored. Exhaustion can also be a sign that someone is struggling with their mental health and it is affecting their ability to sleep.
  • Irritability: Irritability or curtness can be seen in an unintended outburst during times of stress and may be a true reflection of how someone feels. Try to understand colleagues who show signs of irritability. If they don’t want to discuss it at the time, give them space and offer your support at a calmer time.
  • Feeling overwhelmed: If a colleague is feeling overwhelmed, then they may look concerned or anxious when they are given new tasks. This could be because they are running low on energy, time or capacity. If you notice someone appearing to struggle with their workload, try to offer help or support to minimise any overwhelming feelings.
  • Withdrawing: If you notice that a person is withdrawing from any work tasks or activities, then it could be a sign that they are struggling. In the workplace, this could include avoiding meetings or keeping their camera and microphone off. Although they could just be busy, it’s always good to check in with people to make sure things are OK.
  • Forgetfulness: Poor memory and an inability to concentrate can be a sign someone is struggling with their mental health. Mood changes, anxiety and restless sleep are all causes of poor memory. It could also be a sign a person is feeling overwhelmed at work.
  • Apologising: If a colleague apologises a lot, or for unnecessary reasons, this could be a red flag that they are struggling. It may be because poor mental health can cause low self-esteem, or it could be a response to anxiety they are feeling. 

Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email

This article was first published in September 2021.