Covid-19 is having a big effect on internal auditing so it is important to go back to basics on reasonable assurance.
ACCA UK’s Internal Audit network panel regularly consults its members on topics that are of particular interest at a given point in time. At the moment, it is recognised that the impact of Covid-19 is having a big effect on internal auditing. We cannot afford gold-plated auditing or controls anymore. Also, we can't afford to go through the motions of doing assignments that made sense at one point in time when things have changed significantly as a result of Covid-19.
The following article looks at how to manage internal audit assignments from a practical perspective in the current context. Specifically, it looks at the work programmes required in the current environment where lean and agile auditing is increasingly expected. It also considers some fundamental questions about what we mean by reasonable assurance.
It's not every day that an internal audit article starts with a quote from Lenin. But here it is: “There are decades where nothing happens; and there are weeks where decades happen.” This was written just before the Russian Revolution in 1917 but is timely in the coronavirus pandemic era. The pandemic's impact has been profound and has affected governance, risk management and control (GRC) activities and the work of external and internal auditors.
This new era demands that internal auditors work on issues that really matter and quickly provide insights with practical solutions. Clearly, this means that the internal audit (IA) function needs to carry out a much more dynamic planning process. It also means that the day-to-day work programmes and testing in audit assignments need to change as well. This explains the considerable impetus behind IA becoming a trusted advisor, as well as lean/agile ways of auditing, and leveraging data analytics.
However, as readers will appreciate, responding to changing demands in a compressed timescale creates its own risks. Specifically, for IA teams, we might forget some of the fundamentals that underpin our profession's credibility. The trick is to balance the need to be more lean and agile with IA standards. This short article will seek to outline some of the evolving practices that achieve this.
Back to basics: Reasonable assurance
Before we look at IA assurances, let’s reflect on the evolution of external audit. ACCA was founded in 1904 and, over the years, has evolved its standards to keep pace with changing stakeholder requirements. One of the key foundations of robust external auditing is encapsulated in ISA 200 (similar to ISA 700 paragraph 11). It discusses the fundamentals of external auditing, which includes the need: “To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement.” The standard says: “To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level, and thereby enable the auditor to draw reasonable conclusions.” Alongside this, we have the core need to operate professionally with appropriate skepticism, professional judgment and ethics.
Thus, the external auditing definition of “reasonable assurance” is based on external, objective quantifiable criteria, namely, what would constitute a material misstatement? Typically, this will be quantified in terms of a percentage of turnover, net assets, or some other clearly measurable criteria for an organisation. External audit work programmes often work backward from what really matters (e.g., an error of £10M in procurement). They then determine what needs to be done to stop errors from happening and, in turn, the processes and controls that seek to ensure this will happen, testing these accordingly.
Turning to IA, the Institute of Internal Auditors (IIA) was founded in 1941, 80 years ago. The role of IA is defined in terms of “providing risk-based and objective assurance.” The standards talk about “assurance engagements” and “assurance services.” They stress the importance of exercising due professional care, ethics and integrity and the need to be independent and objective. The glossary to the IIA standards mentions that “adequate control” should be based on “reasonable assurance”, but neither the term “assurance procedures” nor the term “reasonable assurance” is precisely defined. This might be explained by the familiarity of many in IA with the external auditing definition of reasonable assurance. However, with IA assignments increasingly looking at non-financial risk and needing to be delivered in compressed timescales, the absence of a firm foundation for “reasonable assurance” becomes more problematic.
As I see it, IA teams (and the IIA) need to develop a clear explanation of what is meant by “reasonable assurance.” If we do this in a practical, real-world way, we will be able to work more dynamically without “throwing the baby out with the bathwater” when it comes to how much our work can be relied upon.
The current position of IA work programmes and testing
When we think about “reasonable assurance” we are not starting from scratch. Many GRC professionals would say that the essential ingredients for assurance come from being clear about objectives and understanding key risks. Then they make sure that processes and controls are correctly designed and operating effectively to manage risks and opportunities within agreed tolerances.
In organisations with mature GRC, operational staff will work with risk, compliance and other professionals (such as finance) to determine the processes and controls needed to ensure risk is managed to within the correct tolerances (often called the risk appetite). There are two stages: the first is to determine, from a design (“in principle”) perspective, what is required; the second is to implement the processes and controls and oversee their operation, to ensure they are working appropriately in practice. Good practice also demands that, to manage any risk effectively, you need preventative processes and controls to stop things from going wrong in the first place, and also detective processes and controls to identify early on whether a problem is about to occur.
Moving on to IA: a good IA work programme will typically involve clarifying what the key risks are. After that, the IA function will consult stakeholders concerning the way the risk is managed and normally use internal and external criteria to help judge what is being done. Internal standards will typically include organisational processes or policies that have been approved to meet key regulatory and other standards. External standards that IA may use include best practice frameworks such as COBIT for IT matters, or PRINCE2 for large scale systems implementations. The audit process will typically involve validating that risk identification and risk assessment by management is robust, and that processes and controls are both appropriately designed and operating in practice. The majority of IA assignments involve checking what is going on against a work programme of key controls.
Data analytics may be useful in testing a large population of data and enhance the robustness of any assurances, but this relies on the data in the system being clean (remember “garbage in, garbage out”). However, there are many areas where analytics only go part of the way to uncovering issues (e.g., when assessing certain compliance areas, or the management of a project), so they must not be seen as a “cure all”.
Thereafter, any exceptions/findings, where things are not designed or operating as they should be, are reported onwards so that remediation actions can be agreed. In the current context this often requires being clear about the consequences of any shortcomings and the root causes of why they have happened. It also requires that IA be insightful and pragmatic about the way a risk might be mitigated without excessive bureaucracy or over-control.
In any event, as just described, many IA work programmes do not work backward from impact in the same way that external audits do. Thus, if a manager was to ask: “Are you sure that nothing worse than £10M could happen?", many IA functions would say: “We provide reasonable, but not absolute assurance, and can’t guarantee that something quite bad won’t happen, because of the limitations of our testing”. Over time this sort of response is likely to be more and more problematic, as will be highlighted in the next section of this article.
Current challenges with internal audit testing and work programmes
The Covid-19 era has created a number of new challenges for GRC and IA. First of all, many policies, processes, and procedures which seemed to make sense in 2019 may seem rather gold-plated when assessed against the scale of the challenges posed by Covid-19. Also, changes in ways of working create risks that may not be easily quantified (e.g., remote working, less hands-on supervision, employee well-being/morale declining). Finally, IA assurances are often required with much shorter notice and with less resource.
All of this means that it is absolutely fundamental that IA functions become much more disciplined about how much assurance they are giving. At present there is a growing appreciation that IA should be much more explicit about the breadth and depth of work being done, i.e., explain the range of inputs/data that has been examined to form an opinion.
For a given area of scope, an example of current good practice is to distinguish between:
- Assignments that review the design of a new process, procedure or set of controls to manage a risk to an acceptable level
- Assignments that consider both the design of processes, controls etc. and audit the operating effectiveness of the most key controls that need to be in place to manage a risk to an acceptable level
- Assignments that examine in-depth process/control design and the operation of key and other controls as well to manage a risk to an acceptable level.
The imperative at this time is for IA functions to make it crystal-clear what sort of assignment is being done. Suppose stakeholders want a short and sweet (lean and agile) piece of work from IA with 10 days of effort. In that case, they should appreciate that this may not necessarily give the same level of assurance as a more detailed assignment with 40 days of effort. Thus, a high-level review of new procurement processes may not reveal fraud-related risks, whereas a more detailed audit of controls, and specific transactions, might highlight fraud risk in more detail.
The table below illustrates some of the risk and control areas where it can be very important to be clear: i) what is expected of management and ii) what was in/out of the scope of the specific assignment to be done. A key trap at the current time is to “skip” the step that looks at the design of new processes and – linked to this – to be unclear what is the risk appetite for the area under consideration. Without a clear level of tolerance for what is OK, or not OK, you can’t start the process of determining the right level of control at a management level. Further, you do not have a clear foundation for any IA work.
Thus, you will see an increasing number of instances where a good audit assignment of any type (review or audit) will start with these lean auditing cornerstones:
- Why is the assignment wanted? What is the exam question for audit to answer? (This helps to focus the assignment)
- What do we already know about risks and issues and current action plans? (This ensures we don’t waste time telling people what they already know)
- Are we clear about the risk appetite for the area being looked at, and have we agreed the expected controls? (Otherwise, we will hear: “So what if that’s not working, with everything else going on that doesn’t really matter”).
The future: learning from external audit to deliver outcome-based assurances
There is a lot we can do to develop and improve on the way we communicate the work being done by IA based on the inputs, data and controls audited. However, increasingly IA teams are trying to develop an outcomes-based approach to the work they do, putting it on a par with external audit.
However, the challenge is to recognise that the outcome of an IA assignment may need to be expressed in different terms than you would expect from an external audit. For example, the level of confidence that a project may be able to go live by a given date, or the level of confidence that something is compliant with a complex piece of legislation (e.g., AML). The BowTie framework (used in Root cause analysis) is one tool that can be used to do this, but it is outside the scope of this article to discuss in detail outcome-based approaches to IA.
Nonetheless, a practical step on the road to an outcome-based IA assignment is to work hard to articulate the level of risk that an assignment is looking for. The attached extract sets out the scope of an assignment looking at project costs and benefits. In the first instance, it is very clear that the assignment is not examining data and IT security. It also makes it clear, as much as possible, what size of problem in the project cost out-turn and project benefits would be regarded as “just noise, no big deal” and what would be of interest and of value. The clearer you are about this in advance, the greater the chance of getting the work programme “just right” and therefore delivering something in a timely and agile way that is also based on a solid foundation of evidence.
I hope that readers have found this a useful summary of key developments in IA at present (for which I owe thanks to all the great internal auditors I work with). I also trust that several things are clear:
• No matter what anyone tells you, IA is still a relatively young profession and there are still “new frontiers” out there (such as reasonable assurance) that have to be worked through (and there are more); and
• It is possible to do good IA work in a lean and agile way, but this demands that we don’t forget the fundamentals of our professional standards, and that we work very hard to manage stakeholder expectations and communicate what we are doing with unrivalled clarity.
James C Paterson
James C Paterson is a former head of internal audit, consultant, trainer (face to face and webinars) and the author of: Lean Auditing. www.RiskAI.co.uk