Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Local Authority Internal Audit Virtual Forum

25 October 2023

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute welcome | Anne Kiem, CEO, Chartered IIA UK and Ireland

For more than a generation, the IPPF from The Institute of Internal Auditors (IIA) have guided practitioners in providing internal audit assurance and advice that is independent, objective, effective, efficient, ethical, and of the highest quality.

During that time the fundamentals of risk management – identifying relevant risks to organizational goals and strategies, assessing likelihood and impact, establishing a risk appetite, and creating internal controls to manage risks — have remained consistent.

However, the speed at which risks emerge, factors that add volatility and complexity to risk, and evolving attitudes about the purpose and nature of organizations have created new challenges and demands for today’s internal auditors.

The future demands internal audit services that are timely, relevant, and impactful. This requires standards that are insightful, prescient, clear and direct. To meet that demand, The IIA will soon release a public comment draft that dramatically changes how the Standards and other elements of the IPPF are presented and explained. The new Global Internal Audit Standards™ more clearly articulate the keys to effective internal auditing by grouping the Standards into five domains.

Today Liz Sandwith, Special Advisor, International Internal Audit Standards Board (IIASB) and Chief Professional Practices Advisor, Chartered Institute will share this journey and what you as internal auditors should be preparing for. 

 

Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member

The IIA’s new draft Global Internal Audit Standards™ update the International Standards for the Professional Practice of Internal Auditing and for the first time highlight the public sector’s unique characteristics, such as its purpose and governance structure, which distinguish it from the private sector and affects how the internal audit function does its work.

The new draft Standards include the definition of public sector as well as 19 public sector references in the Considerations for Implementation sections to assist internal auditors in the public sector in performing assurance and advisory services.

The consultation feedback showed only low levels of disagreement with the new standards. The most frequently recurring comments of concern included:

  • An increased usage of the word “must,” making the Standards seem too prescriptive.
  • Unclear requirements for external quality assessments.
  • The applicability of the Standards to public sector and small internal audit functions.
  • Missing or vague terminology in the Purpose of Internal Auditing.
  • Requirements for 20 hours of continuing professional education and specific competencies for all internal auditors.
  • Requirements for board actions stated too directly and missing responsibilities for senior management.
  • Unclear distinction between internal audit mandate and the internal audit charter.
  • Confusion about appropriate measures of internal audit performance.
  • The applicability of requirements to both assurance engagements and advisory engagements.
  • Requirement for internal auditors to make recommendations related to findings.
  • Perceived requirement of “ratings” and “rankings” for findings and conclusions.
  • Requirement for a statement of conformance or nonconformance in final engagement communications.

As new risk challenges ratchet up the pressure to create, maintain, and assure effective governance, internal audit standards that place a premium on effective, high-quality risk assurance and advisory services will be critical.

CAEs and boards should be asking, “Is our organization equipped for the future from a risk management and internal control perspective?”

The Global Internal Audit Standards are designed to help organizations answer, “Yes.”

As well as providing individual input to the consultation survey LACAN also sent a letter to Global IIA highlighting some of their concerns.

 

The attached slides detail the change process

  • The process the IIASB have been through to deliver the new Standards
  • Noteworthy changes to the glossary
  • Timeline for topical requirements (which will be mandatory, if the topic is included in your internal audit plan)
  • Options for EQAs
  • Student impact timelines re CIA and IAP 

- Click here for presentation slides.
- Bookmark this blogpost - regularly updated on the new Global Internal Audit Standards.
- Specific documents that you may find useful:
Draft new Standards mapped to existing IPPF
Details of Topical Requirements
Details specific to Public Sector
Suggestions for conversation starters with your audit committee

Chair closing comments

The numbers in attendance today (over 90 members) reflects the importance of this topic. Listening to the session raises many questions that we will have to work through in the coming months. The topical requirements have the potential to be very useful with the caveat that they don’t prevent some engagements being undertaken due to the risk of nonconformance. I look forward to seeing the published Standards.

  

Institute close | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA

There is some substantial change with the new Standards, a need for engagement with your Audit Committee and senior management and consideration of working practices/methodologies. With any change programme you start to position things and engage as early as possible. Don’t delay preparing for this change.

Our next session is 29 November looking at Digital Services with Capita.

Dates for your diary 

2-3 November: Scotland Conference – Edinburgh book here

13 December: LA Forum, Review of 2023

A spin-off Data Analytics for Local Authorities forum has been set up to address the specific needs of your sector. If you are interested in joining, please email mandy.coleman@iia.org.uk

 Chat Questions and Comments

Answers from speaker, anonymised comments from attendees

Question | How early should audit committee’s know about these changes?

Response LS | I would like to assume they’ve already been told. The more notice we can give them the better – tell them about the new domain. Checkout this article to help you open the conversation with your audit committee. 

Question | Have the standards retained the requirement for the EQA assessment to be carried out by an IIA qualified member?

Response LS | It is now going to be similar to today, requiring an experienced individual – the qualification expectation has moved to the ‘how’ rather than being mandatory. 

Question | Will the Topical Requirements be mandated as are the standards or will they be strongly recommended? eg will the EQA Assessment look for compliance?

Question | Do we expect the topical requirements to be broad enough to be applicable in all sectors?

Response LS | Current intention is that these are mandatory. An EQA reviewer would therefore expect conformance with topical requirements. They are in the process of being written, and it will be interesting to see how they consider the differences of a wide range of organisations/sectors and maturities across geographies in order to be applicable.  

Question | What is the line on the latest version on having an annual opinion?- early version said "periodically"

Response LS | Periodically is being defined. It may shift to ‘as appropriate in your organisation/country/sector’ to allow some wriggle room. It has to work within the framework for your organisation.  

Question | I don't think it is the responsibility of the Head of Audit to professionalise the Audit Committee - in the Local Government sector I would expect CIPFA to take a lead role here.

Response LS | It’s important that HIAs need to build strong relationships with their Audit Committee and this is part of that relationship. Absolutely they will get information from CIPFA and Local Government Association – they may be overwhelmed and look to internal audit to help them understand it. I don’t see it as a conflict of interest, rather a collaboration, in the best interests of the organisation.  

Question | Will the new Standards be issued in Welsh?

Response LS | Not on the plan as far as I am aware but I will ask. 

Question | What are the likely timescales for the update to the Public Sector Internal Audit Standards (PSIAS)?

Response LS | The Chartered Institute is collaborating with CIPFA/Internal Audit Standards Advisory Board (IASAB), although there needs to be sight of the final version of the new Standards before decisions are made. We have also raised the question whether an Internal Audit Code of Practice for the Public Sector might be helpful, as we have for other sectors.

Comment | This was discussed at Internal Audit Standards Advisory Board last week. Much will depend on how the final standards look (and we'll see that in Jan/Feb '24), but the current thinking is to produce a revised PSIAS which will come into force either concurrently with the global standards or within or short period following (with guidance on navigating the gap between the two coming into force if such guidance is required). IASAB will determine what is needed to amend/replace PSIAS and LGAN after the standards have been produced.