A brief guide to working with other providers
If it’s to work efficiently and effectively, internal audit needs to work well with other providers of assurance, particularly in large organisations.
Principles and approach
Identify and map the other sources of assurance to the board, including:
internal to the organisation:
- risk (second line);
- Sarbanes-Oxley Act (SOX);
- health and safety;
- quality; and
- line management (first line).
external to the organisation:
- external audit; and
- regulators and HMRC.
Assurance work help
Identify and obtain information which would help you in your assurance work, including:
- risk appetite and key risk indicators (KRIs);
- risk registers, incidents and losses reported;
- committee packs and first line management committee reports including KPIs;
- second line inspection/compliance reports;
- SOX reports and documentation;
- quality certification ie British standards;
- SAS 70 reports (now SSAE 16 in the US and ISAE 3402 internationally);
- external audit management letter;
- regulatory reports and HMRC reports; and
- independent consultants’ reports.
Share information with other assurance areas, subject to confidentiality controls, including:
- audit plan;
- audit reports;
- issues raised and accepted; and
- issue resolution progress.
Assess whether you can place reliance on other assurance work in your audits:
- assess their controls and test them, including any inspection/compliance checking;
- assess how well their controls have managed the risk (substantive testing); and
- reassess what additional audit work you need to do to provide assurance.
Integrated assurance reporting
Consider driving the emerging area of integrated assurance reporting, including:
- grid of assurance from different sources. This could be using ‘traffic light’ reporting, with one axis being risk category and the other assurance provider;
- provide an explanation of why assurance differs when needed; and
- use reporting as an opportunity to explain the different attributes of the assurance provided. Aspects you could cover include the robustness of assurance provided, business areas covered, risk scope, timing/frequency of checks, depth of testing, etc. Remember, internal audit assurance is the most robust.