Audit & Risk

You asked us

Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you’ve recently asked.

Q. If the auditee does not agree with the audit finding(s), how should I resolve this?

A. 1. Audit findings should be discussed with the auditee to ensure there are no surprises in the report. An end of audit meeting (closing meeting) enables the internal auditor and the auditee to discuss the overall tone of the report, the key observation(s) and how weaknesses might be addressed.

2. Discuss with the auditee how you reached your conclusions. If they disagree, you must understand the reason – can they present any factual evidence in support of their views to help you review your original findings?

3. If the auditee cannot provide such evidence, discuss this with your audit supervisor/manager.

4. If no agreement can be reached, add something in the report to explain your differences of opinion. Such differences should be recorded in the audit report so they can be reviewed by senior management, who may take a different view from the auditee.

Q. My audit committee feels that full coverage should be provided over a three-year period (with higher risk areas obviously being audited on a more frequent basis), but I can’t find anything to confirm any requirement for a minimum frequency.

A. Using a risk-based approach may mean that some areas in the audit universe with a low risk ranking may never be audited. However, this highlights the importance of other forms of assurance for these areas, such as the first and second line assurance providers, and the need for coordination of assurance. An assurance map may help with this, and the three lines of defence model can be used to document which line of defence is providing assurance across the key risks, helping the audit committee to understand the assurance provision.

Q. What is your view on how internal audit should approach revised assurance ratings on audited areas once all related management actions have been completed? Do those areas need to be retested in order to issue a new assurance rating?

A. Follow-up internal audit work provides revised assurance that management actions have strengthened controls and mitigated risks. Otherwise, the second line could provide revised second-line assurance or, if the three lines of defence model isn’t in place, the organisation should look to a management self-assessment assurance, with internal audit looking at including high-risk areas in the audit plan for the next year.

Q. Are there minimum documentation requirements for internal audit working papers, or guidance on best practice?

A. You can find the relevant Standards – 2310, 2320 and 2330 – at www.iia.org.uk/perfomancestandards. In addition, related practice advisories that expand on these are available at www.iia.org.uk/analyticalprocedures and at www.iia.org.uk/documentinginformation. Also have a look at our top tips guidance on working papers at www.iia.org.uk/toptips.

Q. An auditee has asked internal audit to prepare a self-assessment checklist on their behalf. Does this undermine the audit function’s independence?

A. It’s an understandable concern, but it’s positive that the auditees are being proactive about managing their risks. Therefore:

  • Create a draft checklist with management;
  • Make it clear that management owns the checklist and they are responsible for ensuring it is fit for purpose;
  • Ensure that the auditor(s) involved in creating the checklist are not involved in auditing that area;
  • Consider whether training is required.

Q. Are there guidelines on how often risk registers should be reviewed or updated?

A. No. However, managers need to have processes to ensure that risk registers are updated to reflect new or changing risks and that internal controls are adapted and developed accordingly. Changes may be external, eg Brexit, or internal, eg launching a new product. In both cases the changes will have risk implications that need to be considered. The Standard for risk management is 2120 – www.iia.org.uk/performancestandards – and the associated practice advisory is Guidance 2120-1 at www.iia.org.uk/rmp. Also have a look at the guidance on risk management processes, in particular “management monitoring of responses”, at www.iia.org.uk/processes.

Got a question?
Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
