A The IPPF is principles-based, rather than prescriptive, and the annual audit plan requires judgment by the chief audit executive (CAE) in consultation with the audit committee and other stakeholders. Standard 2010 Planning states that: “The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals.” The supporting Implementation Guide 2010 IG 2010 Planning states that: “Although audit plans typically are prepared annually, they may be developed according to another cycle. For example, the internal audit activity may maintain a rolling 12-month audit plan and re-evaluate projects on a quarterly basis. Or, the internal audit activity may develop a multi-year audit plan and assess the plan annually.”
Internal audit, like many other functions, often works in an agile manner to keep up with rapidly changing environments and manage the associated uncertainty and complexity. Agile internal audit plans can take many forms, such as a rolling plan or an annual plan with a firm approach for the first quarter and then varying degrees of flexibility for subsequent quarters. A recent blog post on this topic may be useful: “All change – adapting the plan in turbulent times.”
A It is hard to say whether it is common practice, but it is certainly good practice. A risk register is a practical tool that an organisation or department uses to manage its risk by going through the five steps of risk management: identify, analyse, evaluate, respond and monitor.
Internal audit, like any other function, is exposed to risk – which produces threats and opportunities. The guidance for Standard 2120 notes that internal audit is responsible for actively managing its own risks, including those relating to the audit opinion and those associated with running the function.
A risk register is complementary to the quality assurance and improvement programme. Guidance for developing a risk register is available to members.
A The institute’s position on this is very much principles-based, as there is no one-size-fits-all approach. Resourcing is addressed in the Internal Audit Code of Practice guidance on effective internal audit in the private and third sectors (there is a separate Code for Financial Services).
Paragraphs 28-30 state that the CAE should provide the audit committee with an assessment of what is required to provide assurance and that the audit committee is responsible for approving the internal audit budget and, as part of the board’s overall governance responsibility, disclosing in the annual report whether it is satisfied that internal audit has the appropriate resources.
Standard 2030 Resource Management specifies that the CAE must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. “Sufficient” refers to the quantity of resource needed to accomplish the plan and “appropriate” refers to the competency of the resources available.
The codes recognise that every organisation is unique, so the board and/or audit committee must make an informed decision, ideally in partnership with the CAE.
A Mental health was the topic of a recent Talk to Internal Audit with guest speaker Aileen Evans, CEO at Grand Union Housing Group. Our Facebook/YouTube series is open for all to view and, being short, the episodes make great discussion introductions for team meetings.
In addition, the institute has developed a new course on Auditing Staff Welfare and Wellbeing Risk to help internal auditors audit this area – the next sessions are in November and January – and we are currently developing technical guidance.
According to the Aspire Wellbeing website, these are some red flags to look out for:
Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
This article was first published in September 2021.