
Local Authority Internal Audit Virtual Forum

14 December 2022


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute's welcome | John Wood, CEO, Chartered IIA

Effective risk management is an essential part of an organisation’s corporate governance structure. Risk committees and separate risk functions are required by regulation in some sectors, such as financial services, and are increasingly common as good practice. Internal audit should be independent of this function and be neither responsible for, nor part of, risk management. While the Chartered Institute advocates the three lines model, for a variety of reasons risk management can sometimes fall within the duties of internal audit.

Safeguards are essential, and our speaker today, David Hill, CEO, SWAP, will talk about them.

Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member

Today’s presentation links to Standard 1112 - Chief Audit Executive Roles Beyond Internal Auditing. Where the chief audit executive (CAE) has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity. Examples include periodically evaluating reporting lines and responsibilities, and developing alternative processes to obtain assurance related to the areas of additional responsibility.

From a PSIAS perspective there is specific guidance:

When asked to undertake any additional roles/responsibilities outside of internal auditing, the chief audit executive must highlight to the board any potential or perceived impairment to independence and objectivity having regard to the principles contained within the Code of Ethics as well as any relevant requirements set out by other professional bodies to which the CAE may belong. The board must approve and periodically review any safeguards put in place to limit impairments to independence and objectivity (see also Standard 1000 Purpose, Authority and Responsibility).

Where a joint audit and risk function reports to a joint Audit and Risk committee, CAEs should strive to ensure that the committee also understands its dual role in relation to both functions and that the committee’s Terms of Reference, membership and meetings are structured to enhance the likelihood that both parts are given the requisite focus and attention.

It is also important for boards/audit committees to understand that internal audit needs to form its own view of risk, both to enable it to focus its audit plan on the higher risk areas of the organisation’s activities and to alert the board if it considers that the risk appetite and risk culture are not in line with the organisation’s strategic risk universe. This, however, is very different to internal audit being directly involved in the management of risk.


Key takeaways

Slides from the session are attached. Notes below are supplementary.

David Hill, CEO, SWAP

  • Internal audit standards (IPPF and CIPFA) both allow for internal audit to have operational responsibilities with safeguards. In practice, though, this can be a challenge.
  • A recent job advert for an HIA included the word ‘accountable’ in relation to risk management. As professionals we are all responsible for pushing back on this, as it is inappropriate.
  • Recommend using a well-established framework as to what are and are not acceptable risk activities for internal audit to undertake - IIA Position Paper: The role of internal audit in enterprise-wide risk management.
  • Look carefully at the wording of the ‘fan’ and you will see the language change between the red, amber and green segments. Norman Marks, a regular commentator on internal audit and risk, recently suggested that maintaining and developing the framework and developing strategy should move into the red to drive management accountability.
  • One of the main disadvantages to a dual function is that as CAE, you cannot provide assurance on a process you own. Counter to this, an advantage of direct involvement means that internal audit can support and improve risk frameworks which are often quite poor.
  • Safeguards are critical in the absence of being able to say no to taking on risk management responsibilities. Key ones include ensuring that management maintain responsibility and internal audit does not make any decisions about the management of risks themselves.

4 top tips

  1. Set clear expectations from the outset
  2. Establish safeguards
  3. Use the position paper to set boundaries
  4. Maintain separation of staff between risk and audit activities

Chair closing comments

Independence can be compared to the ‘greenbelt’ – we all need to be careful about the permissions allowed to infringe on it. As costs are likely to be constrained further in 2023, there will be pressure for internal audit to take on greater operational roles. Operating without safeguards is dangerous. It increases the risk that where internal audit adds value to risk management, which we do, we are then perceived to be accountable.

Institute's closing comments | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA

Our next session is 25th January 2023 when the topic is HIA Annual Opinion - Join us to consider the content of the annual HIA opinion. What should we be including in an annual opinion, particularly in these turbulent times? How does the perfect storm impact our annual opinions and what about those risks that aren't captured in a risk register? 

Useful reference for members that was included in the chat

Thank you everyone, have a wonderful festive break.


Q&A and chatbox comments

The breadth of operational responsibilities that internal audit has was notable from delegates, including not only risk but also counter fraud, insurance, business continuity, health and safety and freedom of information requests.

Comment (précised) | Support the view that internal audit and risk management staff should be separated. It requires discipline to maintain the boundaries in practice; not easy.

Comment (précised) | Maintain separation between staff, frequently have to push back to stay in the amber/green of the fan’s acceptable activities.

Comment (précised) | It is virtually impossible to get staff with proper risk management experience! So internal audit do it all. We have no real second line, and because I have to provide an opinion on it I paid an external provider to do a risk management maturity (extra cost which basically validated my views).

Comment (précised) | As HIA, I am the only risk resource to maintain the risk register; I keep my internal audit team separate, but it’s challenging. It’s a routine exercise twice a year for strategic risk, but with limited input from the leadership team. Poor risk awareness and no appetite or resource to improve.

Comment (précised) | Uncomfortable situation having dual responsibility as management see it as internal audit’s job. Considerable independence challenges, including the annual assurance statement.

Comment (précised) | Advise and collate information on risk management. Limited engagement at an operational level, absence of funding and no second line monitoring.

Comment (précised) | In the main, risk management is too mechanistic, the term ‘list register’ fits well for many authorities; too many are very long, almost like procedure manuals with every control in place.