Q&A: You asked us


Q. I am a head of internal audit and, owing to staff changes within my organisation, I have been asked by the chief finance officer to become one of the higher level cheque signatories. It is a large organisation with a number of levels and monetary limits to the procedures. I can see that this is a management function. Could it also potentially be not in accordance with the attribute standards around objectivity?

A. Standard 1100 Independence and Objectivity says: "The internal audit activity must be independent, and internal auditors must be objective in performing their work."

The implementation guide relating to this Standard goes on to say: "It is also recommended that the chief audit executive not have operational responsibilities beyond internal audit, as these other responsibilities may, themselves, be subject to audit."

There is also Standard 1112, which says: "Where the chief audit executive has, or is expected to have, roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity." Both the guide and the Standard can be found in full at iia.org.uk/internal-audit-charter.

The Interpretation Guidance for this Standard goes on to say: "The chief audit executive may be asked to take on additional roles and responsibilities outside of internal auditing, such as responsibility for compliance or risk management activities. These roles and responsibilities may impair, or appear to impair, the organisational independence of the internal audit activity or the individual objectivity of the internal auditor. Safeguards are those oversight activities, often undertaken by the board, to address these potential impairments, and may include such activities as periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility."

I don’t think this covers the signatory role that you are being asked to fulfil as this is a control function and would affect your independence and objectivity and be a conflict of interest should you, or your team, undertake a delegated financial authority audit.


Q. If a chair of the bank is an independent non-executive director, can they also become chair of the audit and compliance committee as well?

A. The UK 2018 Corporate Governance Code specifically states that the chair of the board should not be a member of the audit committee. You can find reference to this on page ten of the code under section four "Audit, Risk and Internal Control". Provision 24 states that: "The board should establish an audit committee of independent non-executive directors, with a minimum membership of three, or in the case of smaller companies, two. The chair of the board should not be a member. The board should satisfy itself that at least one member has recent and relevant financial experience. The committee as a whole shall have competence relevant to the sector in which the company operates."

You can view the UK 2018 Corporate Governance Code at bit.ly/2K5mvig.


Q. I have a question about adopting lean principles in internal auditing. It seems that many of the Standards are principles-based, for example having a methodology to justify why you select certain topics for an audit or basing your conclusion from an audit engagement upon evidence. But I believe that the Standards are silent on the extent of detail or documentation needed. It seems that a lean philosophy could therefore be compatible with meeting the Standards. Can you help me to understand what would be the minimum needed to comply with the IIA Standards and have a successful external quality assessment (EQA)?


A. The International Standards are an authoritative set of guidance that are principles-based and provide a framework for internal auditors. The Standards and Implementation Guides are not prescriptive since the content of, for example, working papers, audit plans, etc, will vary in different organisations. They therefore allow flexibility, although the Implementation Guides provide some suggestions.

The Chartered IIA has drawn up a checklist that our EQA reviewers use for external assessments. We have also published a "Summary of Internal Audit Performance" based on the EQAs of internal audit functions we completed in 2017-18.

In addition, we have produced guidance on lean auditing and published various articles in Audit & Risk, including "Lean auditing: what, how and why".


Q. I am currently undertaking an internal audit review on health and safety, including a review of governance arrangements. We have been discussing the potential use of the corporate risk management system, including the risk register, for potential inclusion of health and safety risks. I was wondering whether the Chartered IIA had a view on this or whether you have seen good practice elsewhere? In general, most of the organisations I have audited tend to have processes for assessing activities through a formal health and safety assessment process, though rarely are these risks included/considered for a corporate risk register.

A. A holistic approach to managing risk ensures that there are no gaps in risk information, and that interrelationships and impacts can be identified and managed. It also ensures that an assessment can be made by the board and senior management of the principal risks.

The Financial Reporting Council's "Guidance on Risk Management, Internal Control and Related Financial and Business Reporting 2014" says on page 24: "The board has responsibility for an organisation’s overall approach to risk management and internal control. The board’s responsibilities are:

Ensuring the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks.

Determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives (determining its risk appetite)."

This would include health and safety hazards and controls where they represent significant operational and compliance risks. I would expect, because of the significance of health and safety risks, that internal audit would be able to:

a. provide assurance regarding the risk assessment process for health and safety risks; and

b. undertake internal audits on health and safety processes so that they can provide assurance to the board and audit committee that health and safety risks are identified, managed and mitigated.

If there are significant health and safety risks, then

a. they should be formally documented on the organisation's corporate risk register; and

b. the health and safety function should also have its own risk register.


Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk


This article was published in July 2019.