Scoping it out
How should internal audit ensure adequate coverage of risk and internal control within the business? Three heads of internal audit (HIAs) explain what works in their organisations.
The scope of your work as an internal auditor depends mainly on the risks that your organisation faces. But how those risks are identified and prioritised will vary from process to process, as will the level of flexibility built into your audit plan.
At the Met Office – one of the organisations featured in a set of case studies published recently by the IIA and the National Audit Office – the function’s scope is defined by the risks prioritised by its senior management and audit committee. The risk management team deals with those risks, while internal audit liaises with it to suggest controls and review progress.
“The internal audit team takes an overall view of the risk and assurance landscape,” says Jonathan Kidd, HIA at the Met Office. “We look at the risks in key areas against corporate objectives and the risk appetite of management.”
Internal audit works with management to rank proposed audits on an ABC model from high to low risk. It also uses assurance mapping to identify any gaps and determine which assurance provider should review the management of that risk. This “rolling plan” sits in the background throughout the year, but new risk areas or requests for reviews are added as they arise.
“It’s not just an annual process,” Kidd says. “We have a watching brief to see if there are any emerging risks that we need to be aware of and to budget for in any future audit plan. Internal audit then categorises these audits for possible review, depending on how highly management prioritises the risks related to them. We also speak to people across the business individually to validate whether risk registers are accurate and reflect the key risks their business areas face.”
At Travis Perkins, a company supplying the UK building and construction industry, the scope of internal audit’s work is set out in its audit charter. This defines what the function can and cannot do. It is ratified annually by the audit committee. According to David Finch, director of group business risk and assurance, this provides a “go anywhere, look at anything” remit.
“If internal audit is going to sit independently, it is best to set the charter and terms of reference as wide as possible,” he says. “It allows us the freedom to do what we think is right for the role of internal audit.”
There are about 200 business risks on the company’s risk register, ranging from general to specialist to unpredictable “black swan” risks. These are prioritised using a matrix, but Finch deliberately does not account for all of internal audit’s work in the audit plan. Instead, he leaves a contingency so that the appropriate extra resources can be made available if needed.
At global hotel chain InterContinental Hotels Group (IHG), an integrated assurance model and risk-based internal audit approach helps the function to define its coverage.
“This integrated approach gives us a better idea of how other assurance providers understand risk, control it and deliver assurance, so we don’t duplicate work,” says Bruce Vincent, IHG’s global head of internal audit. “By understanding and assessing the effectiveness of the activities of other assurance providers, such as IT, legal and risk management, we can work out if we need to review some of these areas more deeply or if we can prioritise resources for reviews elsewhere.”
While the annual audit plan is prepared and approved by IHG’s audit committee between August and December, the internal audit team makes continuous reassessments using a dynamic risk assessment model. Vincent says: “This allows us to adjust the annual audit plan to take account of emerging risks and to reassess and reprioritise activities as and when required.”
Further information
Visit www.iia.org.uk/casestudies to download the series of case studies that the IIA and the National Audit Office have published on internal audit practices.
Useful guidance can also be found in the IIA's International Standards for the Professional Practice of Internal Auditing. Practice Advisory 2050-2 focuses on assurance mapping, while Standard 1000 and Practice Advisory 1000-1 cover purpose, authority and responsibility (bit.ly/JNjK4R).
