Controls for Providing Internal Audit Services
By: Ala’ Abdel Aziz Abu Naba’a - Kuwait
Expert in Internal Auditing, Control, and Governance
Introduction
The International Professional Practices Framework (IPPF), issued by the Institute of Internal Auditors - IIA, defines internal auditing as follows:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
As shown in the definition, internal auditing activities (whether performed by internal employees or consultants from outside the entity) provide two main types of services relevant to governance, risk management, and control processes in the entity:
(1) Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
(2) Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes.
In the latest update on the internal audit standards in 2017, a new standard was added, which is standard No. 1112, Chief Audit Executive Roles beyond Internal Auditing. This standard indicated the possibility of providing services outside of internal auditing, such as the responsibility for compliance or risk management activities.
In this article, I will explain the controls included in the IPPF for providing various internal audit services, which could also be used in the preparation and implementation of the Quality Assurance and Improvement Programs (QAIP) in accordance with Standard No. 1300.
Factors affecting the service request from an internal auditing activity
Factors affecting the services request from the internal auditing activity are as follows:
• The executive management, the board of directors, and the audit committee level of confidence in the internal auditing activity.
• The magnitude of the entity, the level of complexity of its operations, and the level of diversification of the knowledge, experience and skills of the employees.
• The existence of material changes in the risks to which the entity is exposed to, due to internal or external events.
• The occurrence of material changes in the work of an entity due to certain events, such as mergers, operation of new production lines, or launching of new products.
• The results of the previous audit tasks, and the repetitions of negative comments without completely addressing the root causes of such problems.
• The results of the work of the external regulatory bodies and the internal control departments.
• The competencies of the internal auditors (practical experience, scientific knowledge, and skills).
Controls for Providing Internal Audit Services
I. General controls for providing internal audit services:
The following is a summary of the most prominent general controls relevant to the provision of internal auditing services (regardless of their classification - assurances or consulting, etc.) in accordance with the IPPF:
(1) To maintain objectivity (an unbiased mental attitude that allows internal auditors to perform audit engagements in such a manner that they believe in their work product and that no quality compromises are made), and avoid conflict of interests (competition between professional or personal interests);
(2) To obtain full understanding of the reason of performing the audit engagement and what the entity aims to achieve;
(3) To obtain an appropriate consultation and assistance if the internal auditors lack the needed knowledge, experience, skills, and other competencies to implement the audit engagement, partially or completely, or even to reject the engagement;
(4) The disclosure of anything that hinders independency or objectivity;
(5) The prior determination of the adequate and appropriate resources to achieve the important objectives, taking into consideration that the potential benefits should exceed the costs of performing the engagement, then making sure that the internal audit resources are appropriate and adequate and will be employed efficiently;
(6) To coordinate with and study the possibility of depending on the work of external and internal bodies that provide assurance and consultation services in order to guarantee the proper coverage and avoid the double efforts;
(7) Setting and documenting a work plan for each audit engagement, which includes the important objectives, the scope, timing and the resources allocated for this plan;
(8) To ensure that the scope of the engagement is adequate to accomplish its objectives;
(9) To ensure the determination, analysis, assessment and documentation of the adequate information to achieve the objectives of the engagement;
(10) Accomplishing the audit engagements with proficiency and due care.
(11) To ensure that the audit engagements are subject to adequate supervision to achieve its objectives, ensure its quality, and develop the skills of the team;
(12) To ensure that the results of the audit engagement are reported to the appropriate parties, then seek to set and maintain a control system that responds to the results that have been reported;
(13) Seeking to report to the appropriate managerial level about the acceptable and the unacceptable risks;
(14) Setting and maintenance of a program to ensure and enhance quality. This program should include internal assessments (an ongoing control for the performance of the internal auditing activity and periodical self-assessments, or assessments that are performed by other personnel from the entity) as well as the external assessments (through performing a comprehensive external assessment, or a self-assessment that is accompanied by an external independent assurance).
II: Controls for Providing Assurance Services
The following is a summary of the most prominent general controls relevant to the provision of assurance in accordance with the IPPF:
(1) Preserving independence (the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner);
(2) Refrain from assessing the operations that the internal auditors were responsible for during the last year;
(3) Considering the appropriateness and effectiveness of governance, risk management, and control processes;
(4) Considering the probability of significant misstatements, fraud, or noncompliance;
(5) Defining the purpose and nature of assurance services provided by internal auditors in consultation with the executives and the board of directors, then prioritizing the tasks according to the results of the risk assessment and the forecasts of the senior management, the board of directors, and other related parties;
(6) Ensuring that appropriate measures for the assessment process, governance, risk management, and control are in place (such as the international frameworks, the international standards, applicable laws and regulations for which the entity complies, and the regulations and policies adopted by the senior management). Such measures will be used as a basis to expressing the general comprehensive opinion, and in the pre-agreement with the executive management and the board of directors.
III: Controls for Providing Consultation Services:
The following is a summary of the most prominent general controls relevant to the provision of consultation services s in accordance with the IPPF:
(1) Considering the needs and expectations of clients, including the nature, timing, method of reporting, the important results, the complexity level, and the extent of the work necessary to achieve the objectives of the engagement, and the cost of the consultation task compared to its benefits;
(2) Using the previous knowledge acquired through accomplishments of consultation tasks in the implementation of assurance tasks;
(3) Ensuring that the objectives of the consultation task are consistent with the values, strategies, and objectives of the entity.
IV: Controls of Providing Services beyond Internal Auditing:
Generally, providing services outside of internal auditing may impair organizational independence of the internal auditing in reality, but the senior management may believe that it is suitable to expand the role of the chief audit executive beyond the internal auditing.
The following is a summary of the most prominent controls relevant to the provision of such services in accordance with the IPPF:
(1) The senior management shall ensure that the chief audit executive clearly understands the professional code of ethics issued by the Institute of Internal Auditors, along with the concepts of independence and objectivity, and that he is able to address the risks arising from the obstacles to independence and objectivity;
(2) Discussing the organizational dependency relationships, responsibilities, and expectations relevant to that role, with the senior management and the board of directors. During these discussions, the chief audit executive should focus on the standards relevant to independence and objectivity, and the potential obstacles that may arise from this proposed role, and the relevant risks and safeguards that could be used to avoid such risks;
(3) The board of directors shall supervise the mission in order to avoid the potential obstacles that may hinder independence and objectivity of the chief audit executive, and the performance of a periodical assessment of the organizational dependency relationships and responsibilities;
(4) If the responsibilities of the chief audit executive, outside internal auditing, are ongoing, the internal audit charter should describe such responsibilities. However, if these responsibilities are short run responsibilities, the modifications to the internal audit charter and other documents may not be necessary;
(5) The chief audit executive shall disclose the details of any impairments to independence or objectivity, in fact or appearance, in a manner that allows the board of directors of performing a comprehensive assessment of the risks arising from such impairments;
(6) Requesting an external body, outside the internal auditing activity, to supervise the implemented assurance tasks where the chief audit executive is responsible for such tasks;
(7) Requesting the external auditor, who supervises the internal audit activity (in accordance with Standard No. 1312 - External Assessments), to provide additional assurance to the board of directors regarding the tasks in which the chief audit executive has assumed responsibilities outside the internal auditing;
(8) Including feedbacks in the questionnaires of audit clients and the assessments of the board of directors about the performance of the chief audit executive indicating their opinion about the extent of independence and objectivity of the chief audit executive;
Added value to entities:
Assurance services
Consulting services
Services outside internal auditing
Conclusion
One of the beautiful quotes of Larry Harrington: “At the end of the day, we’re not paid by the audit report or by the audit finding. We’re paid by how we can make the company better”.
At the end, and according to Standard No. 1000, Purpose, Authority, and Responsibility,
I stress the importance of defining the nature of the services provided through the internal auditing activity in the internal audit charter. The internal audit charter should be written and signed by the chief audit executive, a representative of the board of directors, and the person to which the chief audit executive reports, in accordance with the implementation guides of the IPPF.