7. What is internal audit’s role, scope, and mandate? How should internal audit be resourced (capacity and capability)? What is the relationship between the audit committee and internal audit?
In the new 2024 Global Internal Audit Standards (Domain III - Governing the internal audit function) there is a requirement for the head of internal audit to work closely with the audit committee to establish the internal audit function, position it independently, and oversee its performance.
The internal audit function is only able to fulfil the purpose of internal auditing when the head of internal audit reports to the audit committee, is qualified, and is positioned at a level within the organisation that enables internal audit to discharge its services and responsibilities without interference.
The internal audit function receives its mandate from the audit committee. The mandate specifies the authority, role, and responsibilities of the internal audit function and is documented in the service’s charter. The internal audit function delivers the mandate by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes throughout the council, in every internal audit engagement, irrespective of the topic.
The audit committee, in conjunction with management, needs to ensure that internal audit has unrestricted access to data, records, information, personnel, and physical properties necessary to fulfil its terms of reference.
The audit committee needs to satisfy itself that the internal audit charter clearly documents the purpose of internal auditing, the commitment to adhering to the Global Internal Audit Standards, the independence and objectivity of the internal audit function and how this is delivered, the scope of internal audit work, the internal audit quality and assurance programme and its responsibility for delivering the annual internal audit conclusion (opinion).
The scope of internal audit services, detailed in the internal audit charter, covers the entire breadth of the council for which the internal audit function is responsible for providing services. This may include all activities, assets, and personnel of the organisation or may be restricted to a subset according to geography or other division. The scope may specify the nature of internal audit services (for example, assurance only or assurance and advisory, focus on the financial area, compliance with laws and/or regulations).
Audit committee oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this requires collaborative and interactive communication between the audit committee and the head of internal audit as well as the audit committee’s support in ensuring the internal audit function has sufficient resources to fulfil the internal audit mandate.
A discussion of resources between the audit committee and the head of internal audit typically occurs at least annually in connection with presentation of the internal audit plan; having a quarterly discussion is a leading practice.
8. How does internal audit set its audit plan? Is internal audit providing assurance around business-critical risks? Does it contain the internal audit topics you would expect to see?
The Institute of Internal Auditors (the professional body for the internal audit profession) has recently produced a new set of standards which state that the head of internal audit must create an internal audit plan that supports the achievement of the council’s objectives.
The audit committee is responsible for approving the internal audit annual risk-based plan. To enable the committee to approve the plan it needs to satisfy itself that the internal audit plan is based on a documented assessment of the council’s strategies, objectives, and risks. The assessment must be performed at least annually.
The audit committee should review the risk register provided by management alongside the internal audit risk-based plan provided for approval and question any missing risks.
The audit committee as part of the approval process may, as appropriate, provide input to the plan e.g. considering if all the principal risks are being covered. If not, it will seek a response from internal audit as to why not.
The internal audit plan should include evaluation of the council’s governance, risk management and control processes, and should consider coverage of information technology governance, fraud risk, the effectiveness of the council’s compliance and ethics programmes, and other high-risk areas. The plan also needs to be dynamic and updated in a timely way in response to changes in the council’s business, risks, operations, programs, systems, controls, and culture.
The plan should ensure that all key risk areas are covered over a period of time, if not every year, then over a period of years.
The internal audit team should be suitably resourced and skilled, and a workforce plan should be in place to show how suitable staff will be recruited and developed to meet the changing needs of the organisation and the changing risk environment within which it operates.
The head of internal audit must discuss the internal audit plan, including significant interim changes, with the audit committee and management. The plan and significant changes to the plan must be approved by the audit committee.
The audit committee and management, in collaboration with the head of internal audit, should keep continuously apprised of the council’s risk management framework and of new and emerging risks as appropriate. This will include risk being a regular agenda item with management updating the risk register as appropriate. If the council’s environment is dynamic, for example there are issues around provision of services and financial stability, the internal audit plan may need to be updated as frequently as every six months, or even quarterly.
As the audit committee receives information regarding the business-critical risks associated with the delivery of the council’s objectives and services, it should compare the risks to the topics (risk areas) included on the internal audit plan. An opportunity to challenge either the internal audit plan or management’s risk registers then presents itself. For example, why is internal audit looking at a particular risk area if it isn’t included on the council’s risk register?
Management should be using its insights and knowledge to support the audit committee to carry out its direct responsibility for oversight of the external auditor. This would include evaluating the auditor’s performance, partner rotation, and reviewing external audit plans.
9. How do we know we have an effective internal audit function? What is the feedback from management regarding internal audit?
Audit committee oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this principle requires collaborative and interactive communication between the audit committee and the head of internal audit as well as the audit committee’s support in ensuring the internal audit function obtains sufficient resources to fulfil the internal audit mandate.
Public Sector Internal Audit Standards (‘PSIAS’) require the Head of Internal Audit to develop and maintain a quality assurance and improvement programme (QAIP) that covers all aspects of the internal audit activity, and which includes the Audit Committee’s direct review of the External Quality Assessment (EQA). Every five years, peers should carry out an independent external assessment of the internal audit function.
The head of internal audit must develop, implement, and maintain a quality assurance and improvement programme that covers all aspects of the internal audit function. The programme includes two types of assessments, external assessments and internal assessments. At least annually, the chief audit executive must communicate the results of the internal quality assessment to the audit committee and management. The results of the external quality assessments must be reported when completed.
The head of internal audit’s communications to the audit committee and management regarding the internal audit function’s quality assurance and improvement programme should include:
- The scope, frequency, and results of internal and external quality assessments.
- Action plans that address deficiencies and opportunities for improvement, including timelines for completion. Actions should be agreed with the audit committee.
- Progress toward completing the agreed-upon actions.
An assessment of the internal audit function’s quality may consider:
- The level of contribution to the improvement of governance, risk management, and control processes.
- Productivity of internal audit staff (for example, planned hours compared to actual hours on projects or time used on audit projects compared to administrative time).
- Compliance with internal audit laws and/or regulations.
- Cost efficiency of the internal audit processes.
- Strength of relationships with senior management and other key stakeholders.
A useful indicator of internal audit effectiveness may be the extent to which its recommendations are valued and acted upon by management.
The head of internal audit must develop and conduct internal assessments of the internal audit function’s conformance with standards and progress toward achievement of performance objectives. Internal assessments must be documented and included in the assessment conducted by an independent assessor as part of the council’s external quality assessment.
The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external quality assessment may also be met through a self-assessment with independent validation. The audit committee should consider the responsibilities and regulatory requirements of the internal audit function and the head of internal audit, as described in the internal audit terms of reference, when defining the scope of the external quality assessment.
Mechanisms commonly used for ongoing monitoring include feedback from internal audit stakeholders, including management, regarding the efficiency and effectiveness of the internal audit team. Feedback may be solicited immediately after the engagement or periodically (for example, semi-annually or annually) through survey tools or discussions between the chief audit executive and management.
10. How should internal and external auditors work together to complement each other? Is the relationship effective? What are the 2-3 things we should be most worried about?
External auditors should not place absolute reliance upon evidence provided by the internal auditors. They should ensure they maintain their own independence, objectivity, and professional scepticism. However, the external auditor can choose to use evidence from the work of internal audit when conducting its own auditing work, if its planned testing covers relevant areas, and if an assessment of internal audit’s structure and quality control procedures indicates that it can be relied upon.
The head of internal audit and the partner responsible for external audit should ensure appropriate and regular communication and sharing of information.
In 2024, local authorities face a multitude of challenges that demand innovative solutions and strategic planning. The most pressing issues will vary for each authority, but the following will be relevant everywhere:
1. Financial constraints
Council budgets are under strain due to increasing demands for services and limited resources. Balancing fiscal responsibility with meeting community needs is an ongoing challenge.
2. Cybersecurity
Protecting sensitive data and critical infrastructure from cyber threats is paramount. Councils must invest in robust cybersecurity measures to safeguard against breaches and disruptions.
3. Digital transformation
The accelerated pace of technological advancement presents both opportunities and challenges for councils. Adopting digital tools and platforms is essential for improving service delivery, enhancing communication, and streamlining administrative processes. However, ensuring inclusivity in digital strategies is vital, bridging the digital divide and ensuring all residents can benefit from technology.