Q. If the auditee does not agree with the audit finding(s), how should I resolve this?
A. 1. Audit findings should be discussed with the auditee to ensure there are no surprises in the report. An end of audit meeting (closing meeting) enables the internal auditor and the auditee to discuss the overall tone of the report, the key observation(s) and how weaknesses might be addressed.
2. Discuss with the auditee how you reached your conclusions. If they disagree, you must understand why: can they present any factual evidence in support of their view that would help you review your original findings?
3. If the auditee cannot provide such evidence, discuss this with your audit supervisor/manager.
4. If no agreement can be reached, add something in the report to explain your differences of opinion. Such differences should be recorded in the audit report so they can be reviewed by senior management, who may take a different view from the auditee.
Q. My audit committee feels that full coverage should be provided over a three-year period (with higher risk areas obviously being audited on a more frequent basis), but I can’t find anything to confirm any requirement for a minimum frequency.
A. Using a risk-based approach may mean that some areas in the audit universe with a low risk ranking may never be audited. However, this highlights the importance of other forms of assurance for these areas, such as the first and second line assurance providers, and the need for coordination of assurance. An assurance map may help with this, and the three lines of defence model can be used to document which line of defence is providing assurance across the key risks, helping the audit committee to understand the assurance provision.
Q. What is your view on how internal audit should approach revised assurance ratings on audited areas once all related management actions have been completed? Do those areas need to be retested in order to issue a new assurance rating?
A. Follow-up internal audit work provides revised assurance that management actions have strengthened controls and mitigated risks. Otherwise, the second line could provide revised second line assurance or, if the three lines of defence model isn’t in place, the organisation should look to management self-assessment for assurance, with internal audit considering whether to include the high risk areas in the audit plan for the next year.
Q. Are there minimum documentation requirements for internal audit working papers, or guidance on best practice?
A. You can find the relevant Standards (2310, 2320 and 2330) at www.iia.org.uk/perfomancestandards. In addition, related practice advisories that expand on these are available at www.iia.org.uk/analyticalprocedures and at www.iia.org.uk/documentinginformation. Also have a look at our top tips guidance on working papers at www.iia.org.uk/toptips.
Q. An auditee has asked internal audit to prepare a self-assessment checklist on their behalf. Does this undermine the audit function’s independence?
A. It’s an understandable concern, but it’s positive that the auditees are being proactive about managing their risks. Therefore:
- Create a draft checklist with management;
- Make it clear that management owns the checklist and they are responsible for ensuring it is fit for purpose;
- Ensure that the auditor(s) involved in creating the checklist are not involved in auditing that area;
- Consider whether training is required.
Q. Are there guidelines on how often risk registers should be reviewed or updated?
A. No, however managers need to have processes to ensure that risk registers are updated to reflect new or changing risks and that internal controls are adapted and developed accordingly. Changes may be external, eg Brexit, or internal, eg launching a new product. In both cases the changes will have risk implications that need to be considered. The Standard for risk management is 2120 (www.iia.org.uk/performancestandards) and the associated practice advisory is Guidance 2120-1 (www.iia.org.uk/rmp). Also have a look at the guidance on risk management processes, in particular “management monitoring of responses”, at www.iia.org.uk/processes.
Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email email@example.com