Heads of Internal Audit Virtual Forum | Key takeaways

1 April


Please note:

  • All Institute responses are boxed and highlighted in blue.
  • All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box and attendee comments, questions and actions

1. If we are delivering reduced plan, can we provide full or qualified opinion?

There were a number of comments from attendees highlighting the different challenges being faced – examples are detailed below.  One point was very clear there is no one set of challenges or solutions that will work for all.

I am meeting with my audit committee in two weeks’ time. I expect to reduce some of our work over the coming months, so we will be focusing on those areas where they want the assurance from us, and where they will try to get it from the other lines of defence. I am not concerned about a limited opinion as we will hopefully have agreed a revised plan of work.

We are looking at alternative sources of assurance next year. We do not expect to take forward a “normal” plan. At the minute we are providing a range of different types of support, we will refer to this as part of our assurance opinion next year.

We provide outsourced and co-sourced internal audit resource to our clients. Firstly, we revisited the internal audit plan to ensure that we are focusing on the key risks with the clients to achieve the level of assurance required in this environment.

In the current year, our financial year end is 31 March, so COVID-19 hit while we were trying to finalise the 2019/20 plan, so we are only going to be able to deliver a proportion of the plan, approximately 80%. For some key risks I will not be able to provide sufficient assurance coverage, so I won’t be able to provide a full opinion and therefore will provide a qualified opinion in relation to those key risk areas.  For next year’s 2020/21 plan if we are producing say 50% plan using 50% of internal audit resources and I can’t fully cover the organisations significant risks is that another qualified opinion for next year? Some thoughts and insights would be appreciated.

We have a March year end and have a couple of reflections; one audit we had to postpone a visit to one of our offices so will refer to limitation of scope, but we can complete 98% of the work remotely. I also have my annual opinion to provide but again 98% of the work is complete so it is only this last piece of audit work to complete and will refer to the limitation of scope rather than not having an opinion and as long as we’re clear about this, it should work.

In some ways some of it will come down to when our year ends but sooner or later it will affect us all. At the same time when audit functions are being asked to do other things as well that’s going to get very interesting.

We service a number of organisations. About three weeks ago it was evident that we couldn’t complete work. At the start of last year, we separated plans out, so we were clear what we had to do to deliver the annual internal audit opinion. From the beginning of last year, we knew what we had to do to make sure that we did enough assurance work to give an opinion, the rest of the work was supplementary/advisory and not critical to the opinion. Therefore, when our stakeholders said about three weeks ago that they didn’t want to see us until September we had enough work complete or nearly complete that gave us enough to give an annual opinion. We are in the process of closing that work down and giving an annual opinion.

One of the Directors of Finance said that in the current circumstances they wanted to get to a position where it is good enough to get over the line to give a view. We’ve been working with our organisations for a long time and year on year we have provided brought forward assurance. We also have recommendation tracking systems in place so there’s all sorts of things to bring to the table to give the level of assurance needed. The fact that we haven’t completed everything in terms of individual audits and other audit work in the level of depth we have liked to I don’t feel that we’ve compromised our position to be able to give a robust annual opinion.

We’re not pushing auditees for responses; we’re trying to finish off the plan for 2019/20 as best we can. We have been asking if there’s any key risk areas or any areas where we can be deployed. We have been working with the audit committee on high risk areas going forward. The 2020/21 plan is not going to happen in its current format, but we will be looking at the high risks revising the plan to address these risks.

Our year end is July 2020 – we have 70% of the plan complete and sufficient to give an overall opinion – we are a risk-based function and therefore we can change our plan to accommodate this COVID-19 risk. We have currently eased right back on our work.

There are discussions being had all over the place. A lot of it comes down to having certainty in terms of our stakeholders as to how they see what we are putting in front of them – where there are limitations its being clear about those limitations that’s where we should be. We need to be open about any compromises we are making where we are making them.

Institute’s response

It doesn’t have to be a qualified opinion unless you have concerns based on the work that you have done.

You could reasonably say that internal audit is prepared to provide an opinion based on 80% of the work completed due to COVID-19. That opinion is either satisfactory, needs improvement whatever language you use.

It’s about flagging up that you have done a limited amount of work and therefore the opinion is based on that limited amount of work and saying within that 80% we did not cover these risks and therefore can give no opinion on those risks.

I wouldn’t go into qualified territory unless your evidence says that you are going to give a qualified opinion.

This extends a little bit into another question with regards to the future and doing 50% of the audit plan over the next year. In a sense we’re putting this back to governing bodies to say this is what we have done, the discussion then has to go on to what we do in future. If our role is about providing assurance across the whole organisation, although we have never audited all risks in a year and it’s never been complete in that sense. It’s about saying this is what we have done this year, what do you want from us next year?

2. Internal audit in supporting the first line of defence

The challenge faced by a number of internal audit teams is around continue with the internal audit plan or support the organisation in terms of success and sustainability. That might be sharing key skills across the organisation, it might be auditing real time as the organisations puts in place new controls to mitigate risks from new processes.

This is a great opportunity for internal audit to show how they can support and add value to organisations. Our internal audit team is actually helping design processes in response to the organisation’s guidance/announcements.

We are very conscious that our organisation needs to ensure they keep a good audit trail to support some of the very significant decisions that are being made at pace  - we are providing support into several teams to help ensure that the audit trail is retained.

I understand the personal desire to help our businesses on a real time basis, and the importance to provide flexibility with the business, but there is a risk to the profession whereby it would only take one or two examples whereby internal audit were directly involved in poor decision making.

We are putting messages out about the need to ensure that governance, internal controls and risk management remain strong at the moment and offering advice and support to the organisation when they are considering revised governance structures etc.

Agree on supporting the organisation and parking what was the plan to engage the business on robust control and risk management during these times of change.

There is a balance to be struck and we need to maintain objectivity both within the business, and for the profession.

We took the view at this time of crisis that we should not be stepping back but step forward to help support our organisations. We are doing a lot of rapid work and making some significant decisions at rapid pace and have a strong view that we should be up there supporting our organisation. We’ve stopped doing our audit plan and normal work and supporting the organisation looking at resilience and governance structures they are putting in place and helping them to do additional risk assessments, working alongside the organisation so that they understand the key controls in place that they need to keep an eye on to ensure external vectors do not take advantage during this crisis.

We have been involved in a lot of short sharp advisory work where new processes, frameworks and guidelines etc. are being put together where our opinion has been sought before going out to the wider sector. All of this will help for next year’s assurance opinion. We don’t expect to be doing a normal plan next year, we’ll be watching the risk environment as it unfolds. Evolving out of this scenario we will be continually assessing what support we give to our organisation. This is an opportunity to move away from people thinking that internal audit just does a number of routine reviews every year to form an opinion and that we are much more dynamic than that.

Definitely an opportunity for us to add value to the organisation.

Effectively we are doing no Q1 work at all. We, as employees, part of the organisation and emergency response plan, are effectively releasing our internal audit teams to support colleagues in any way they want – some are moving boxes around stores and others helping to prepare meals, one place has trained its finance team in portering and catering.

I have had my first meeting today with a team that I am going to support and I’ve been asked to support the senior procurement team - when the conversation unfolded it was remarkably like what we do as an internal audit team anyway. The Assistant Director was concerned about the new emergency procedures she had put in place, whether they were right, the controls in place and the governance and data quality as there were so few people in her team to double check and sense check the decisions - pretty much what internal audit do.

The work that internal audit would do normally is not real time, so it feels that in these circumstances working with the senior team that we will get internal audit embedded into certain areas of the organisation and provide advice on the good stuff we already do e.g. governance, control, data quality in a real time situation, it’s not in an audit report necessarily that goes to the audit committee. But it is going to be real day to day management and delivery of critical stuff. If we can provide real time help and support to people at the sharp end it will make a difference as a profession and we will do ourselves a world of good. I have used the phrase before we are internal audit the ‘critical friend’ – we are here to help you and, in this instance, can be seen to be the people that really do help.

3. Furloughing internal audit staff, how do we respond and what’s the impact going forward?

As internal audit we are currently running a risk that either all or part of the internal audit team may be furloughed. We need to ask ourselves was our voice heard before the decision was made, does the organisation know or understand the impact of ‘no’ internal audit even in the short term.

The Financial Conduct Authority have specified that risk management, compliance and audit are key critical staff. I cannot see how a firm could say that we would be made redundant or laid off (the two reasons for furlough). However, I do work for a bank.

Institute response

All organisations in all sectors will explore opportunities in relation to furloughing staff as a financial opportunity.

Furloughing staff is one thing, but we must stress to our organisations that furloughing staff does not mean that you don’t need internal audit in your organisation. We need to make sure we stress to the audit committee that for now it may be appropriate to take this action, but it must not be seen as the message that we do not need internal audit in future. Internal audit provides risk based assurance and we will need to come back in the future when we get through this and highlight the areas i.e. new and emerging risks, changes in the organisations structure, so we need to focus on and the value of tools such as the FS Code and IA Code of Practice – so please refer to these.

4. What changes can we do to make remote audit more effective?

Attendees discussed the options of working remotely, for some it was standard operating procedures for other a new way of working. Challenges around technology and the lack of personal contact when talking to people was evident.

For an audit we are undertaking we are working remotely via video linking and sharing screens to perform walkthroughs and see evidence in systems etc.

All of our staff are working remotely, finishing off internal audits from the 2019/20 plan where we can.

In terms of remote auditing, nothing much has changed in the delivery other than not having physical access to sites/people. We are still engaging with clients via Teams and conducting reviews where we have remote access to systems.

We’re a very small team with a co-sourced resource, the staff are split between London and Edinburgh and we started almost straightaway using Microsoft Teams. We have a lot of collaboration software that we use in the business.  As a business we are split all over the world – 30 countries and use this technology a lot. We do a lot of data analytics therefore most of our work we can do electronically anyway using this software. Visits to our sites around the world has stopped, on the whole we found using this software this is a great way to add value. Our audit committee expects me to make some changes but overall, I think I will be able to achieve most of what I want to do. I feel that this is a way of dealing with some of the challenges we currently have.

Similar to what others have mentioned we have the functionality to do remote auditing, we use Microsoft Teams and have access to the systems we need. The biggest challenge for us at the minute is having the people to audit due to the sector we’re in, we don’t have people on site to audit, whilst there is the back office work i.e. finance and other areas that we can audit but for now we are giving them space, understanding the challenges they are facing. We will do another risk assessment about the issues that the business is realising such as furlough and other types of things and look at practicalities  of how we audit, but appreciate there are other priorities working with the business and then we’ll think about how we get back to our business as usual. This is the balance we are trying to get.

Same message across HoIA Scotland – similar challenges – we can do it but is it still the right time to try as push the business as usual agenda or should we be more agile and test our agility as an audit profession.

Internal audit staff are busy working remotely, successfully, they had a week to do some testing to get access to systems and they’re finishing off work they were doing. We need to think about what to do in a couple of weeks’ time and have a view as to how long this will go on for and we’ll then rationalise. At the same time we have an audit committee meeting and prioritising what we will be doing in the last quarter of this year.

Make sure we adapt as much as possible and making sure our stakeholders are aware of what the issues are and how they should be reading what we are giving them.

5. If internal audit is lending a hand to the first line what’s the best strategy for dealing with the question of assumed impairment to independence?

Institute response

Its less about independence and more about our objectivity, and we have to recognise that our Standards and IPPF are principles based.

We are in exceptional circumstances at this moment in time and if we were to use independence as a means of avoid rolling up our sleeves, rather getting stuck in with the business then I think our reputation would be seriously impacted. 

Talk to the audit committee agree with them what this means for internal audit moving forward and remember most of us are employees of the business and the future sustainability and success of the organisation is something we should be focused on, as well as providing assurance around risk, control and governance.

Independence is least significant, but objectivity is paramount but talk to your audit committee.

6. Other

I'm encouraging staff to do online courses where possible for CPE.

7. General feedback from the session

  • Another great session - thank you. I know my colleagues in other organisations in the sector appreciate seeing the outcomes.
  • Thanks for another useful session.
  • Thank you that was a great session.
  • Thank you.
  • Thanks all.

Questions and answers raised by colleagues from local government

Question

Answer

Any guidance (standard wording?) on forming the 2019-20 annual opinion on the adequacy and effectiveness of the control environment given the last 3 weeks has seen significant disruption and the implementation of emergency measures often bypassing standard control measures.

You could reasonably say that internal audit is prepared to provide an opinion based on the percentage of the work completed due to COVID-19. That opinion is either satisfactory, needs improvement whatever language you use.

It’s about flagging up that you have done a limited amount of work and therefore the opinion is based on that limited amount of work and saying within that percentage we did not cover these risks and therefore can give no opinion on those risks.

Are Heads of IA generally writing to the Chairs of Audit Committees under PSIAS 2030 Resource Management and a public sector requirement. ‘Where the chief audit executive believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences must be brought to the attention of the board’?

This isn’t a question the Institute can respond to in the affirmative but as a guiding principle Standards 20230 states:

The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Interpretation: Appropriate refers to the mix of knowledge, skills, and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan.

If therefore the internal audit team has been depleted due to the coronavirus and/or you are not able to conclude the agreed internal audit plan then it would make sense to write formally to the chair of your audit committee to communicate the position internal audit finds itself in. 

At present, it seems that Covid19 will have a significant impact on our ability to deliver the 20/21 audit plan, potentially wiping out the first quarter or even first half of the year.  Would welcome views on how this should be managed in terms of annual opinions.

Internal audit provides the Accounting Officer with an objective evaluation of, and opinion on, the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control. The Head of Internal Audit usually provides this in an annual assurance statement.

Some IA functions do more than this, for example, conducting an evidenced-based review of the assurance statements received by the AO to support their review of effectiveness of the SIC.

Details regarding how this might be managed are included in the response to questions 1 and 2 above.

We are currently making all our staff available for deployment in other service areas – when they return it would be good to have some kind of “understanding” that although they may have been working / assisting a service area, that auditing that area in the same year is still appropriate.

 

This is a great opportunity for internal audit to show how they can support and add value to organisations. There should always be appropriate supervision and review of any work undertaken. In the current scenario it might be necessary to adjust, perhaps increase the level of supervision required but recognising that moving forward we may be auditing areas we have worked in.

Talk to the audit committee agree with them what this means for internal audit moving forward and remember most of us are employees of the business and the future sustainability and success of the organisation is something we should be focused on.

Standard 1130.A1 – Individual Objectivity says that individuals must refrain from assessing specific operations for which they were previously responsible for at least one year after leaving the operation.

However, in these exceptional circumstances it may be appropriate to look at each individual circumstance eg length of time they having been working/assisting in that area, the work undertaken, whether there may be a conflict that would impair the internal auditor’s objectivity, if need be for some aspects of the audit could another member of the internal audit team undertake some of the work or is it possible to allocate another member of the internal audit team.

We need to be flexible supporting the organisation in whatever way possible is key for all of us as we tackle the challenges, we are facing

Remember to discuss your approach with your audit committee chair

Some wider support for the function – ie. due to the above our delivery against the plans for 20/21 could be 50% - as councils are always looking to cut costs there is a risk that “50% becomes the new plan” – some support that this should not be the case, and that 20/21 is an exceptional, one-off year, would be good !

Standard 2010 Planning requires the CAE to establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

Within the audit committee terms of reference their responsibilities should be clear with regards to approving a programme of work for the internal audit activity that links into the organisation’s goals and objectives and the level of assurance the audit committee is seeking. 2020/21 will be a different year at best it is likely that the initial internal audit plan approved will not be delivered in full. It may be necessary to reflect that the organisation has changed and that the risks the organisation is now facing are new and will need to be assessed by internal audit in terms of impact and likelihood. A new plan may evolve that will need to be agreed with the audit committee.

The audit committee need to understand that the level of assurance needed to meet regulatory and legislative obligations will be different. If there is only 50% of time, resources available then it will be about focussing on the key risks and the impact of these risks on the purpose of the organisation.

The audit universe and annual internal audit plan will be useful aids to help communicate the amount of coverage of the organisation by internal audit to be able to report on the assurance framework focusing upon the most important objectives, which invariably means the most significant or highest priority risks, which may be very new to both internal audit and the organisation and the resources required to carry this out.

Will there be any advice on the control environment statements made within the authorities Annual Governance Statements?

Refer to response 1

What happens if IA work and plans are radically revised/reduced simply due to inability to carry out an audit remotely and the fact that all services are focussed on business-critical activity only?

Refer to response 1

S151’s are desperately trying to manage cash flow and keep organisations afloat without going broke due to significant loss of income streams and refocussing finance activity to support this as the purpose of Councils is being turned upside down, the sector is running out of money unless these areas are to be underwritten by government, so in x council we will run out of money to pay staff by August as an example. Senior management and teams have no capacity to deal with audits, staff are unavailable or redeployed, some with limited access, some are sick, some are self-isolating for 12 weeks so it is very likely there could be no formal audits taking place at least until July/August. (Where you are commercial this could have highly significant issues unless you have a very understanding and supportive Client but even then, if there is no money….) where does this leave audit?

All organisations across all sectors are facing particularly challenging and exceptional circumstances currently.  It is very likely that all organisations will change in some way as a result of challenges and lessons learnt in the current scenario. Internal audit is no different. We need to demonstrate to our organisations that we are with them for the long haul, that we will support, advice and guide across governance, risk and internal control. We will work with them to assess new and emerging risks so we understand the challenge that each new risk presents and can help identify key controls that would contribute to mitigating the key risks.

As internal audit we are currently running a risk that either all or part of the internal audit team may be furloughed. We need to ask ourselves was our voice heard before the decision was made, does the organisation know or understand the impact of ‘no’ internal audit even in the short term.

All organisations in all sectors will explore opportunities in relation to furloughing staff as a financial opportunity be, they internal audit staff or finance staff.

Furloughing staff is one thing, but we must stress to our organisations that furloughing internal audit staff does not mean that you don’t need internal audit in your organisation. We need to make sure we stress to the audit committee that for now it may be appropriate to take this action, but it must not be seen as the message that we do not need internal audit in future.

Internal audit provides risk-based assurance and we will need to come back in the future when we get through this and highlight the areas ie new and emerging risks, changes in the organisations structure, we will need to focus on to provide the level of assurance sought by the audit committee, board , CEO and senior management.

Audit committees won’t be meeting for months and some of the members may be in the super vulnerable groups, how does this affect reporting?

Regular contact between the CAE and the chair of the audit committee is essential to keep them updated. If your relationship with the chair of the audit committee is new and evolving this is a great opportunity to earn their respect by sharing with them what is happening, the challenges you are facing and the solutions you are proposing.

Ask them as the chair what level of assurance they are looking for, discuss how you might provide this and agree the way forward.

If your audit committee isn’t meeting for some time use e-mail, the phone but stay in regular contact with your audit committee chair.