Q What is the Chartered IIA's view on what the top auditor should be called? We are a group with a group chief auditor and several companies within the group that each have their own board, audit committee and, therefore, head of audit (within the hierarchy of the internal audit division). What is the current thinking on what their title should be, head of audit, or chief auditor?
A In the UK we tend to use head of internal audit and this is reflected in our guidance, for example the "How to set up a new IA activity" (iia.org.uk/resources/managing-internal-audit/how-to-set-up-a-new-internal-audit-activity) and also in the model internal audit charter (iia.org.uk/resources/managing-internal-audit/internal-audit-charter/model-internal-audit-charter).
However, IIA Global uses chief audit executive (CAE), for example in Standard 1110 Organisational Independence (iia.org.uk/resources/ippf/international-standards/attribute-standards):
"The chief audit executive must report to a level in the organisation that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity."
This is also used in the Glossary (iia.org.uk/resources/ippf/international-standards/glossary); however, the last sentence of the definition does say that the job title may vary across organisations:
"Chief audit executive describes the role of a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the mandatory elements of the International Professional Practices Framework. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications.
However, the specific job title and/or responsibilities of the chief audit executive may vary across organisations."
Q Is a business right to pre-audit? I've noted examples where a business will perform a deep dive review on a process, ahead of a scheduled internal audit review (ie, to find and fix problems in advance and so reduce the risk of an unsatisfactory opinion). Is this acceptable? Should internal audit be tough on pre-audit activity or accept it as a positive risk assurance activity?
A As the first line of defence, operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks. There should be adequate managerial and supervisory controls in place to ensure compliance and highlight control breakdown, inadequate processes and unexpected events. Engaging in periodic or pre-auditing practices would seem to be a positive step if it helps ensure that they understand the processes, confirms controls are working as expected and helps them to be proactive in mitigating risks.
Q I know that CAEs should have an unrestricted remit and thereby access to all information, locations, people, etc. But how does this relate to the board – do CAEs routinely have access to board papers? I expect that most do not attend board meetings, nor see papers submitted to boards, but are more likely to see the minutes of board meetings. Would that be correct?
A As you say, internal auditors/CAEs should have unrestricted access to all information and should have access to board papers if they need to – for example, if they are undertaking an audit of the board pack or wanting to trace decisions back – but they wouldn’t necessarily receive or have access to board papers and minutes or attend board meetings on a regular basis.
Having said that, more and more CAEs are attending board meetings, predominantly to hear and understand the major decisions taken by the board. It is helpful if they are also able to comment, and as the board becomes accustomed to seeing the CAE at the table it will be more likely to seek their thoughts, comments and input on topics such as risk management, internal control and governance, especially around processes and procedures and the rigour of such processes and procedures.
Q One of my audit team will shortly be dedicating around half of their time to fraud investigations/fraud awareness raising, etc. I understand that this means it would not be appropriate for them to audit the fraud risk management framework as they will be part of the development of this (although the main responsibility lies with the organisation's risk and compliance lead, who is not part of internal audit).
Are there any issues we need to think about the other way round? It was mentioned, for example, that were they to start an audit in an area and then become aware of a possible fraud (that they may go on to investigate) they should stop the audit at that point. I'm not sure that this is to do with independence, more a decision as to whether it is appropriate to continue an audit when the priority would be to get to the bottom of a potential fraud?
A In relation to the first point, as you say, it would not be appropriate for a member of the internal audit team who has helped to develop the fraud risk management framework to audit this area. Standard 1130 Impairment to Independence or Objectivity covers this, in particular 1130.A1, which states: "Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year."
In relation to the second point, internal audit should only be given extra responsibilities for fraud and corruption if:
• It is given a clear and limited mandate that does not prejudice its prime role as the independent third line of defence.
• It has the specific expertise needed in a particular case.
• It has the resource capacity.
• The board/audit committee approves.
Standard 1210.A2 (Proficiency) says that internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Where a member of the team comes across a potential fraud (including the team member with fraud investigations/awareness responsibilities), then it would be prudent to discontinue the audit, so that the situation can be assessed and to seek advice and guidance from the head of internal audit about how to proceed. You need to ensure that they have the necessary skills to undertake that particular fraud investigation, perhaps liaise with legal and HR departments, and decide whether to use specialists with the possibility of internal audit assisting.
As the internal audit activity is involved in investigations, its role needs to be defined in the Internal Audit Charter and agreed by the audit committee, if this is not already in place. In addition, does the organisation have a response plan setting out exactly what steps should be taken if a fraud or other corrupt practices are reported or detected?
Q One of our departments wants to streamline processes for the transfer of timesheets to the payroll section. They wish to scan and email timesheets to payroll, once authorised. This would speed the process up and reduce the risk of timesheets going missing in transit and members of staff not getting paid. Are there implications for scanning timesheets – for example, would the scanned copy be admissible in court in, say, a possible fraud case or an internal fraud investigation?
A Some areas to consider in relation to scanning of the documents are:
• What happens to the original documents?
• Will the originals continue to be retained in the department?
• If so, for how long will they be retained, and will they be retained in line with GDPR requirements?
• How will the scanned documents be sent, eg, via secure e-mail, and will they be password protected?
If you are intending to hold the originals in the department, then the originals will still be available in the case of a possible fraud/internal investigation. However, often when documents have been scanned the original documents are then destroyed. If this is the case, you will need to be able to demonstrate how you could prove to a court of law or tribunal that it wasn’t possible to alter the documents after they were completed by an individual and before they were scanned by a department.
The ICO has produced a document entitled "How to Disclose Information Safely" which may be helpful.
Also, have a look at your organisation's data retention policies and speak to your data controller regarding GDPR to ensure that you meet the organisation's and regulatory requirements.
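The answer above points out that once originals are destroyed you must be able to show the scanned copies have not been altered. The following is an added illustration, not part of the Chartered IIA's answer, of one control a department could put around the scanning step: a digest of every scan is recorded in a manifest together with who scanned it and when, and the manifest is authenticated with an HMAC key held by the records or payroll function rather than by the scanning department. The file names, the sample "scans" (byte strings standing in for PDFs) and the key are all constructed for the example. Note the caveat: this demonstrates integrity only from the moment of scanning onward; it says nothing about the window between an individual completing a paper timesheet and the department scanning it, which is the period the answer highlights and which still needs a physical or procedural control.

```python
"""Tamper-evident manifest for scanned timesheets (added illustration)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: two scanned timesheets held in memory. A real deployment
# would read each scan from disk with open(path, "rb").
SCANS = {
    "timesheet_wk17_jsmith.pdf": b"%PDF-1.4 constructed sample: J Smith, week 17, 37.5h, authorised",
    "timesheet_wk17_ajones.pdf": b"%PDF-1.4 constructed sample: A Jones, week 17, 40.0h, authorised",
}

# Hypothetical key. It should be held by the records/payroll function (e.g. in a
# secrets store), not by the scanning department, so the department cannot
# quietly re-sign a manifest after altering a scan.
MANIFEST_KEY = b"example-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(scans, scanned_by, scanned_at=None):
    """Record one SHA-256 digest per scan plus who scanned it and when (UTC)."""
    scanned_at = scanned_at or datetime.now(timezone.utc).isoformat()
    return {
        "scanned_by": scanned_by,
        "scanned_at": scanned_at,
        "files": {name: sha256_hex(data) for name, data in sorted(scans.items())},
    }


def canonical(manifest) -> bytes:
    # Deterministic serialisation so the same manifest always produces the same MAC.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=MANIFEST_KEY) -> str:
    """HMAC-SHA256 over the canonical manifest, returned as hex."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify(scans, manifest, tag, key=MANIFEST_KEY):
    """Return (ok, problems). ok is True only when the manifest is authentic and
    every listed scan still matches its recorded digest, with nothing missing
    or added."""
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        # A forged or edited manifest fails here before any file is checked.
        problems.append("manifest signature mismatch")
        return False, problems
    for name, expected in manifest["files"].items():
        if name not in scans:
            problems.append(f"missing: {name}")
        elif sha256_hex(scans[name]) != expected:
            problems.append(f"altered: {name}")
    for name in scans:
        if name not in manifest["files"]:
            problems.append(f"unlisted: {name}")
    return not problems, problems


if __name__ == "__main__":
    manifest = build_manifest(SCANS, scanned_by="dept-scanner-01")
    tag = sign_manifest(manifest)
    print("clean set:", verify(SCANS, manifest, tag))
    # Simulate someone editing an hours figure on a scan after the fact.
    tampered = dict(SCANS)
    tampered["timesheet_wk17_jsmith.pdf"] = SCANS["timesheet_wk17_jsmith.pdf"].replace(b"37.5h", b"47.5h")
    print("altered scan:", verify(tampered, manifest, tag))
```

Keeping the manifest and its tag with the payroll copy, and the key away from the scanning department, is what lets you later show a tribunal that the copy payroll acted on is the copy that was scanned on the recorded date; it does not replace the retention and GDPR checks the answer lists.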
Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email firstname.lastname@example.org
This article was first published in September 2019.