
Q&A – You asked us September 24

A&R magazine Sep Oct 2024

 

Q: The objective of an internal audit engagement was originally to provide assurance that the organisation has established effective governance and assurance processes regarding a particular service to our organisation’s customers. However, it was clear from early discussions and document review that the governance work around this was at the early stages, and therefore most observations and recommendations would be based on what needed to be done in the future, rather than what they have already established. Therefore, we discussed with the audit client to undertake this as a piece of advisory work (ie, write a short report and revisit it in quarter four to form an opinion-based audit). Would it be appropriate for the same auditor to undertake the assurance piece, given that they are only advising the client for this earlier piece of work?

A: The purist in me says that it would not be appropriate for the same person to be involved in both. This is because they are less than a year apart (which is not best practice) and the client could push back against anything found in the assurance piece saying “this is what you told us to do”, etc. The Standards refer not only to actual conflicts of interest, but also to perceived conflicts, so could others outside the audit client area perceive this as creating a conflict?

From a practical perspective, I can see that using the same person for both provides continuity in the relationship, good knowledge and understanding. The relationship may be healthy with no undue influence or any suggestion that if something is found in the assurance piece that contradicts earlier advice this will cause an issue. So, if the benefits here are high, then six months would be an appropriate time – but I would add in some additional controls to make sure there are no issues.

- Talk to the client and explain the nature of the work and scope and the working relationship, and how this will differ for each piece of work.

- Explain to the client that, as things emerge and move, advice given now might not be appropriate in six months when the assurance piece is done. Therefore, the advice must be seen as just that and not as “approval” by the internal auditor.

- When the assurance piece comes around, reiterate these points and make sure the client understands that this is a different style of work and will be more independent and, therefore, objective.

- I also suggest you put in place more robust supervision within the internal audit team, as well as over the assurance piece, to give the internal auditor the backing they need if something does contradict earlier advice.

- Consider having a second internal auditor do some of the work for the assurance piece, so there is a knowledge transfer and another pair of eyes on the work conducted.

You will also need to ensure that you clearly document this in the internal audit file and for the advice piece, as it might be picked up for file review in your external quality assessment (EQA) or annual self-assessment.


 

Q: My auditee department has told me that security restrictions mean I cannot see audit evidence (including billing documents, service contracts and agreements, any SAP data which include customer name, invoice number, or descriptions of services provided by our company). How can I audit this department?

A: Internal audit authority to access all records and personnel should be documented in your internal audit charter. This authority should be approved by your audit committee, and therefore this is the first thing you need to use to challenge the response of your audit client.

If your internal audit charter does include this authority, then the client has no right to refuse you access and you need to escalate this. Such restrictions go against our independence and objectivity and, as you rightly imply, they prevent you from delivering the assurance required in your internal audit plan, which, again, I assume is approved by the audit committee.

If, however, you do not have this right of access in the internal audit charter, then you have no rights to obtain this data. You will therefore struggle to complete the testing you want to do in this engagement.

Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was published in September 2024.