Audit & Risk

You asked us

Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you’ve recently asked.

Q. If the auditee does not agree with the audit finding(s), how should I resolve this?

A. 1. Audit findings should be discussed with the auditee to ensure there are no surprises in the report. An end of audit meeting (closing meeting) enables the internal auditor and the auditee to discuss the overall tone of the report, the key observation(s) and how weaknesses might be addressed.

2. Discuss with the auditee how you reached your conclusions. If they disagree, you must understand the reason – can they present any factual evidence in support of their views to help you review your original findings?

3. If the auditee cannot provide such evidence, discuss this with your audit supervisor/manager.

4. If no agreement can be reached, add something in the report to explain your differences of opinion. Such differences should be recorded in the audit report so they can be reviewed by senior management, who may take a different view from the auditee.

Q. My audit committee feels that full coverage should be provided over a three-year period (with higher risk areas obviously being audited on a more frequent basis), but I can’t find anything to confirm any requirement for a minimum frequency.

A. Using a risk-based approach may mean that some areas in the audit universe with a low risk ranking may never be audited. However, this highlights the importance of other forms of assurance for these areas, such as the first and second line assurance providers, and the need for coordination of assurance. An assurance map may help with this and the three lines of defence model can be used to document which line of defence is providing assurance across the key risks, helping the audit committee to understand the assurance provision.

Q. What is your view on how internal audit should approach revised assurance ratings on audited areas once all related management actions have been completed? Do those areas need to be retested in order to issue a new assurance rating?

A. Follow-up internal audit work provides revised assurance that management actions have strengthened controls and mitigated risks. Otherwise, the second line could provide revised second line assurance or, if the three lines of defence model isn’t in place, the organisation should look to a management self-assessment assurance with internal audit looking at including high risk areas in the audit plan for the next year.

Q. Are there minimum documentation requirements for internal audit working papers, or guidance on best practice?

A. You can find the relevant Standards – 2310, 2320 and 2330 – at www.iia.org.uk/perfomancestandards. In addition, related practice advisories that expand on these are available at www.iia.org.uk/analyticalprocedures and at www.iia.org.uk/documentinginformation. Also have a look at our top tips guidance on working papers at www.iia.org.uk/toptips.

Q. An auditee has asked internal audit to prepare a self-assessment checklist on their behalf. Does this undermine the audit function’s independence?

A. It’s an understandable concern, but it’s positive that the auditees are being proactive about managing their risks. Therefore:

  • Create a draft checklist with management;
  • Make it clear that management owns the checklist and they are responsible for ensuring it is fit for purpose;
  • Ensure that the auditor(s) involved in creating the checklist are not involved in auditing that area;
  • Consider whether training is required.

Q. Are there guidelines on how often risk registers should be reviewed or updated?

A. No. However, managers need to have processes to ensure that risk registers are updated to reflect new or changing risks and that internal controls are adapted and developed accordingly. Changes may be external, eg Brexit, or internal, eg launching a new product. In both cases the changes will have risk implications that need to be considered. The Standard for risk management is 2120 – www.iia.org.uk/performancestandards – and the associated practice advisory is Guidance 2120-1 – www.iia.org.uk/rmp. Also have a look at the guidance on risk management processes, in particular “management monitoring of responses”, at www.iia.org.uk/processes.

Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
