Q: I have read the Accounts Payable guidance on your website and in the first paragraph of this guidance it states that “Accounts payable should not include payments to staff which should be paid via the payroll or expenses system”. Does this mean that staff should not be set up as supplier accounts for payments of personal expense claims? What is the risk of staff expense payments being made by the accounts payable team?
A: There is a risk that expenses going through the creditors system, where tax and NI would be due, may not be assessed/charged or appropriately recorded for HMRC purposes. If you provide expenses or benefits to employees or directors, you might need to report on these to HMRC and you may also need to pay tax and national insurance on them. There are different rules about what you have to report and pay depending on the type of expense or benefit provided.
Q: What does the Chartered IIA recommend regarding outstanding audit actions where management first agrees an action, but then later decides to implement it in a slightly different way after speaking to a consultant?
A: Standard 2500.A1 Monitoring Progress states that: "The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action."
The implementation guide to support this Standard – iia.org.uk/media/1688826/ig2500-monitoring-progress.pdf – goes on to refer to status reports prepared for senior management. The chief audit executive (CAE) may be asked to report not just on whether the corrective action has been completed, but also on whether the action taken has corrected the underlying issue.
Based on the requirements of Standard 2500 and the changes that management has implemented, have these corrected the underlying issue? I suggest that you have a conversation both with management and the consultants to understand why the action has been implemented in a slightly different way and what risks are associated with that approach. Internal audit must then form an opinion about whether the change mitigates the risk identified in the audit. If it doesn’t then the change should be discouraged.
Q: What's the current thinking on whether or not audit reports should include an overall RAG rating?
A: Standard 2410 Criteria for Communicating says that: "Communications must include the engagement’s objectives, scope and results." 2410.A1 goes on to say that: "Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided…" Implementation guide 2410 provides further information on this – iia.org.uk/media/1688871/ig2410-criteria-for-communicating.pdf
In addition, I suggest you look at supplemental guidance (iia.org.uk/resources/ippf/supplemental-guidance) on:
• Audit reports: communicating assurance engagement results, in particular, pages seven and eight, covers the report content and structure, while page 18 considers the point on "rating".
• Formulating and expressing internal audit opinions: the introduction says: "The need for audit opinions and the ability of internal auditing to express them depends on several circumstances, including the needs of stakeholders." It goes on to say that stakeholder requirements for internal audit opinions, including the level of assurance required, should be clarified by the CAE with senior management and the board.
The Financial Services Code, under the section on "Reporting results" says: " The nature of the reports will depend on the remits of the respective governing bodies – iia.org.uk/resources/sector-specific-standards-guidance/financial-services/financial-services-code/#reporting
Q: I am in the process of completing an internal self-assessment against the EQA checklist and have a query about one element. For Attribute Standard 1300, under the Key Conformance Criteria, it states: "Stakeholder expectations and the results of consultations with staff are documented." Could you confirm what exactly you are looking for here?
A: The Implementation Guidance for Standard 1300 states that multiple activities and documents may demonstrate conformance with Standard 1300, the most notable of which are the CAE's documented QAIP itself (ie, the completion of the checklist you are referring to), the results of internal and external assessments, and documentation showing the CAE’s communication of QAIP results with the board/audit committee, eg, minutes of meetings. The latter typically consists of findings, corrective action plans, and corrective actions taken to improve the internal audit activity’s conformance with the Standards and the Code of Ethics.
Additionally, any documentation of actions taken to improve the internal audit activity’s efficiency and effectiveness may help to demonstrate conformance with the Standard. Board/audit committee minutes where the QAIPs and the results were discussed, and presentations to the board, audit committee or senior management may also provide evidence of conformance.
In terms of internal assessments, these consist of ongoing monitoring and periodic self-assessment (Standards 1311), which evaluate the internal audit activity’s conformance with the mandatory elements of the IPPF, the quality and supervision of audit work performed, the adequacy of internal audit policies and procedures, the value the internal audit activity adds to the organisation and the establishment and achievement of key performance indicators.
"Stakeholder expectations" is about providing the board, audit committee and senior management with sufficient information and evidence to enable them to gain assurance in relation to the work performed by internal audit through the knowledge that there is a QAIP in place, that weakness and action plans to address weaknesses are communicated to the audit committee and that the audit committee, a key stakeholder of internal audit, monitors the internal audit activity’s progress to address weaknesses identified.
I suggest that the results of consultations with staff may include any documentation of actions taken to improve the internal audit activity’s efficiency and effectiveness, for example, team meetings/discussion, coaching/training, updates to established methodology etc.
Q: I am about to do an audit for a local authority in respect of fraud and corruption. Could you tell me what the biggest risks are and provide any information that would assist with this audit?
A: There are a number of Global IIA practice guides that have been produced on fraud that highlight risk areas and controls, as detailed below:
Supplemental guidance – iia.org.uk/resources/ippf/supplemental-guidance
• Engagement planning: Assessing fraud risks.
• Internal auditing and fraud.
• Fraud prevention and detection in an automated world.
• Managing the business risk of fraud: A practical guide – iia.org.uk/media/158775/managing_the_business_risk_of_fraud.pdf
On CIPFA's website there is a page called "Fighting fraud and corruption locally". This contains three documents that can be downloaded:
• Fighting Fraud and Corruption Locally 2016-2019 strategy. Page 16 highlights known fraud risks that remain significant and emerging/increasing fraud risks in local government.
• Fighting Fraud and Corruption Locally 2016-2019 companion.
• Fighting Fraud and Corruption Locally 2016-2019 checklist.
Along with the CIPFA Fraud and Corruption Tracker, there are reports from annual surveys that provide a national overview of all fraud, bribery and corruption activity across local authorities. There is also a report from the Audit Commission on Protecting the Public Purse 2014, "Fighting Fraud Against Local Government" – Appendix 2 provides a list of questions for councillors and others responsible for governance.
The Fraud Advisory Panel writes excellent guidance on detecting, preventing and dealing with fraudulent activity, so I suggest you look at its website too.
Contact the Chartered IIA technical helpline on 0845 883 4739 or email email@example.com
This article was first published in November 2019.