What follows is an excerpt from the article 'Work programmes and testing in the Covid-19 era' by James C Paterson for Association of Chartered Certified Accountants (ACCA).
Covid-19 is having a big effect on internal auditing so it is important to go back to basics on reasonable assurance.
The role of internal audit (IA) is defined in terms of “providing risk-based and objective assurance.” The standards talk about “assurance engagements” and “assurance services.” They stress the importance of exercising due professional care, ethics and integrity and the need to be independent and objective. The glossary to the IIA standards mentions that “adequate control” should be based on “reasonable assurance”, but neither the term “assurance procedures” nor “reasonable assurance” is precisely defined. This might be explained by the familiarity of many in IA with the external auditing definition of reasonable assurance. However, with IA assignments increasingly looking at non-financial risk and needing to be delivered in compressed timescales, the absence of a firm foundation for “reasonable assurance” becomes more problematic.
As I see it, IA teams (and the IIA) need to develop a clear explanation of what is meant by “reasonable assurance.” If we do this in a practical, real-world way, we will be able to work more dynamically without “throwing the baby out with the bathwater” when it comes to how much our work can be relied upon.
The current position of IA work programmes and testing
When we think about “reasonable assurance” we are not starting from scratch. Many GRC professionals would say that the essential ingredients for assurance come from being clear about objectives and understanding key risks. Then they make sure that processes and controls are correctly designed and operating effectively to manage risks and opportunities within agreed tolerances.
In organisations with mature GRC, operational staff will work with risk, compliance and other professionals (such as finance) to determine the processes and controls needed to ensure risk is managed to within the correct tolerances (often called the risk appetite). There are two stages: one is to determine from a design (“in principle”) perspective what is required. Then, to implement processes and controls, and oversee their operation, to ensure they are working appropriately in practice. Good practice also demands that to manage any risk effectively, you need preventative processes and controls to stop things from going wrong in the first place and also, detective processes and controls to identify early on if a problem is about to occur.
Moving on to IA: a good IA work programme will typically involve clarifying what the key risks are. After that, the IA function will consult stakeholders concerning the way the risk is managed and normally use internal and external criteria to help judge what is being done. Internal standards will typically include organisational processes or policies that have been approved to meet key regulatory and other standards. External standards that IA may use include best-practice frameworks such as COBIT for IT matters, or PRINCE2 for large-scale systems implementations. The audit process will typically involve validating that risk identification and risk assessment by management is robust, and that processes and controls are both appropriately designed and operating in practice. The majority of IA assignments involve checking what is going on against a work programme of key controls.
Data analytics may be useful in testing a large population of data and enhance the robustness of any assurances, but this relies on the data in the system being clean (remember “garbage in, garbage out”). However, there are many areas where analytics only go part of the way to uncovering issues (e.g., when assessing certain compliance areas, or the management of a project), so they must not be seen as a “cure all”.
Thereafter any exceptions/findings, where things are not designed or operating as they should be, are reported onwards, so that remediation actions can be agreed. In the current context this often requires being clear about the consequences of any shortcomings and the root causes of why they have happened. It also requires that IA be insightful and pragmatic about the way a risk might be mitigated without excessive bureaucracy or over-control.
In any event, as just described, many IA work programmes do not work backward from impact in the same way that external audits do. Thus, if a manager were to ask: “Are you sure that nothing worse than £10M could happen?”, many IA functions would say: “We provide reasonable, but not absolute, assurance, and can’t guarantee that something quite bad won’t happen, because of the limitations of our testing”. Over time this sort of response is likely to become more and more problematic, as will be highlighted in the next section of this article.
Current challenges with internal audit testing and work programmes
The Covid-19 era has created a number of new challenges for GRC and IA. First of all, many policies, processes, and procedures which seemed to make sense in 2019 may seem rather gold-plated when assessed against the scale of the challenges posed by Covid-19. Also, changes in ways of working create risks that may not be easily quantified (e.g., remote working, less hands-on supervision, employee well-being/morale declining). Finally, IA assurances are often required with much shorter notice and with less resource.
All of this means that it is absolutely fundamental that IA functions become much more disciplined about how much assurance they are giving. At present there is a growing appreciation that IA should be much more explicit about the breadth and depth of work being done, i.e., explain the range of inputs/data that has been examined to form an opinion.
For a given area of scope, an example of current good practice is to distinguish between:
- Assignments that review the design of a new process, procedure or set of controls to manage a risk to an acceptable level.
- Assignments that consider both the design of processes, controls etc. and audit the operating effectiveness of the most key controls that need to be in place to manage a risk to an acceptable level.
- Assignments that examine in depth process/control design and the operation of key and other controls as well to manage a risk to an acceptable level.
The imperative at this time is for IA functions to make it crystal-clear what sort of assignment is being done. Suppose stakeholders want a short and sweet (lean and agile) piece of work from IA with 10 days of effort. In that case, they should appreciate that this may not necessarily give the same level of assurance as a more detailed assignment with 40 days of effort. Thus, a high-level review of new procurement processes may not reveal fraud-related risks, whereas a more detailed audit of controls, and specific transactions, might highlight fraud risk in more detail.
The table below illustrates some of the risk and control areas where it can be very important to be clear: i) what is expected of management and ii) what was in/out of the scope of the specific assignment to be done. A key trap at the current time is to “skip” the step that looks at the design of new processes and – linked to this – to be unclear what is the risk appetite for the area under consideration. Without a clear level of tolerance for what is OK, or not OK, you can’t start the process of determining the right level of control at a management level. Further, you do not have a clear foundation for any IA work.
Thus, you will see an increasing number of instances where a good audit assignment of any type (review or audit) will start with these lean auditing cornerstones:
- Why is the assignment wanted? What is the exam question for audit to answer? (This helps to focus the assignment)
- What do we already know about risks and issues and current action plans? (This ensures we don’t waste time telling people what they already know)
- Are we clear about the risk appetite for the area being looked at, and have we agreed the expected controls? (Otherwise, we will hear: “So what if that’s not working, with everything else going on that doesn’t really matter”).
The future: learning from external audit to deliver outcome-based assurances
There is a lot we can do to develop and improve on the way we communicate the work being done by IA based on the inputs, data and controls audited. However, increasingly IA teams are trying to develop an outcomes-based approach to the work they do, putting it on a par with external audit.
However, the challenge is to recognise that the outcome of an IA assignment may need to be expressed in different terms than you would expect from an external audit. For example, the level of confidence that a project may be able to go live by a given date, or the level of confidence that something is compliant with a complex piece of legislation (e.g., AML). The BowTie framework (used in Root cause analysis) is one tool that can be used to do this, but it is outside the scope of this article to discuss in detail outcome-based approaches to IA.
Nonetheless, a practical step on the road to an outcome-based IA assignment is to work hard to articulate the level of risk that an assignment is looking for. The attached extract sets out the scope of an assignment looking at project costs and benefits. In the first instance, it is very clear that the assignment is not examining data and IT security. It also makes clear, as much as possible, what size of problem in the project cost out-turn and project benefits would be regarded as “just noise, no big deal” and what would be of interest and of value. The clearer you are about this in advance, the greater the chance of getting the work programme “just right” and therefore delivering something in a timely and agile way that is also based on a solid foundation of evidence.
I hope that readers have found this a useful summary of key developments in IA at present (for which I owe thanks to all the great internal auditors I work with). I also trust that several things are clear:
- No matter what anyone tells you, IA is still a relatively young profession and there are still “new frontiers” out there (such as reasonable assurance) that have to be worked through (and there are more); and
- It is possible to do good IA work in a lean and agile way, but this demands that we don’t forget the fundamentals of our professional standards, and that we work very hard to manage stakeholder expectations and communicate what we are doing with unrivalled clarity.
James C Paterson is a former head of internal audit, consultant, trainer (face to face and webinars) and the author of: Lean Auditing. www.RiskAI.co.uk