Professional Documents
Culture Documents
The drive for greater efficiency in public spending and the more
localised delivery of services is changing the focus of government.
As a result, the risks are changing and the governance, risk management,
internal controls and assurance processes need to adapt.
Internal audits role in this is essential both in providing assurance
on the effectiveness of controls over key systems and in advising
executive management and those responsible for governance on
the management of risk. These are not easy tasks when resources
are stretched and increasing demands are made of internal audit
by departmental boards enhanced by highly experienced non-
executive board members with commercial backgrounds.
But the profession can reach new levels of influence and
recognition as it responds to the challenges it faces.
This series of case studies is designed to support that response.
Arranged under six themes common to all internal audit teams, they
draw on interviews with private and public sector heads of internal
audit, who explain their approaches to the challenges of, for example,
building relationships with audit committees, evaluating the impact of
internal audit and undertaking a risk based approach to internal audit.
The examples are not necessarily meant to represent best
practice but are intended to showcase a range of responses
to the demands placed upon internal auditors.
We hope they will be a valuable tool to promote new ideas
and support the development of your internal audit function.
2
Contents
Auditing projects 13
3
Applying internal audit resources
Internal audit needs to make sure that the resources it has are sufficient to
meet the expectations of the audit committee. This requires careful planning
and a realistic view of the budget and skills that the audit function has.
responsible for and determine what is risk- 2 Look at the range and depth of assurance
based and what level of assurance they provide that is being provided to management
and how they understand risk, says Kidd. from other assurance providers within the
We determine whether all these organisation: this will reduce duplication and
assurance providers share the same view free up resources to provide deeper assurance
of risk and whether their appreciation of in other areas.
key risks is aligned. We also review how 3 Make sure that internal audits work is
well senior management is managing risk aligned to managements view of risk: the
to make sure that they also appreciate and function may be focussing on the wrong
understand risk in the same way, he adds. issues if it does not understand managements
Kidd says that the scope of internal risk priorities.
audits work is defined by the risks identified
and prioritised by senior management
and the audit committee, which forms the Kidds team conducts a wide-range of
basis of the audit plan. The Met Offices risk audits some of which are highly specialist,
management team then manages those risks, such as reviewing how the Met Office
while internal audit liaises with the team to manages its ongoing response to volcanic
suggest controls and to review progress. ash-related requirements and so requires
The internal audit function also operates a either sufficient expertise in-house, or to
rolling plan of audits that may be considered source those skills from an external provider.
for review. Kidd says that this is a way of Fortunately, we do have a lot of specialist
constantly refreshing the audit programme skills in-house, and we can source expertise from
to ensure that the audit committee and within the business if we need to, as well as tap
management are kept aware of emerging risks the skills of our external assurance providers.
and that assurance is continually focused on However, this requires planning: we always
the most important risks to the business. need to keep some of our resource unallocated
The rolling plan is a working document that in case we are asked to provide assurance on
sits in the background throughout the year, says risks that suddenly become very important.
Kidd. If there is a risk area that is coming to light Asking for further resources outside the budget
or we get a request to review then it goes on depends on a strong business case, he says.
the rolling plan. We then categorise these audits
for possible review depending on how highly
management prioritise risks related to them.
We speak to people across the business
individually to validate whether risk registers
are accurate and whether they reflect the
key areas of risk that they face within their
business areas, says Kidd. It is not just an
annual process: we constantly have a watching
brief to see if there are any emerging risks
that we need to be aware of and to budget
for in any future audit plan, he adds.
8
Scope of internal audit
10
Scope of internal audit
12
Auditing projects
14
Auditing projects
16
Auditing projects
Clive Walker, director of internal gaps where there is little or no risk coverage.
audit, Transport for London (TfL) Adopting an integrated assurance
framework provides the board and senior
Created in 2000, Transport for London (TfL) management with a better view of what
is the functional body of the Greater London is going on, and how risks are regarded,
Authority responsible for the capitals transport identified and managed throughout the
strategy. It oversees the London Underground, organisation, says Walker. It also provides
bus services, elements of surface rail and internal audit with more information about
street maintenance for major routes. It has an the extent of coverage that other assurance
internal audit department of 42 staff led by the providers are carrying out, and defines the
director of internal audit, Clive Walker. There scope and extent we provide assurance on
are nine internal auditors dedicated to auditing projects. It has also led to less perception
contracts and projects, which is led by TfLs of duplication in review work, he adds.
senior audit manager (commercial) Roy Millard. Walker says that TfL is working on hundreds
TfLs internal audit function has continuously of projects at any one time, which vary
played a role in providing assurance on all substantially in cost, scope and timescale.
types of projects, but the relationship of Internal audit is just one of the functions that
this assurance to that provided by other provides assurance on how these projects are
assurance providers has been better defined managed, and the level of our involvement
since the organisation established an depends on the extent of the assurance
integrated assurance framework in 2011. that other providers are giving, he says.
Walker says that the framework has Internal audits work in project management
increased visibility about the extent and type at TfL has typically been focused on two areas:
of assurance that functions such as health and taking a sample of projects and carrying out
safety, risk management, and the Programme thematic reviews on particular aspects of
17
Management Office are providing. It has also project management, such as risk management,
ensured that assurance providers share the or engaging in audits of specific projects.
same view of risk, and has helped to highlight
Walker says that internal audit maintains a
Internal audit has an important role generic view of the project lifecycle to ensure
in ensuring that projects succeed that there is an independent and consistent view
and deliver the intended benefits taken, irrespective of the various project and
programme management methodologies in
on time, to specification, and to use throughout TfL. Internal audit then forms a
budget Clive Walker, TfL risk-based approach by providing an overview
of the generic activities expected for each audit
area at each stage of the project lifecycle.
Millard says that the first step is to find
Walker says his audit function uses a scoring
out how many projects there are and what
mechanism that provides an assessment
they hope to achieve. We consider reviews
of how critical these projects are and what
of projects based on their size, value and
internal audit needs to do on them. He
potential cost exposure to the organisation,
then prioritises internal audits resources to
as well as what their life-cycles are, and at
ensure an appropriate level of assurance.
which stages of the project we should get
Internal audit has an important role in
involved and can add value, he says.
ensuring that projects succeed and deliver the
We also consider risk metrics: is the
intended benefits on time, to specification,
project critical to the business, or is it being
and to budget, says Walker. An integrated
done differently? Are there reputational
framework helps make the process easier as
and political risks? Is there a critical health
it shows more clearly where there are gaps
and safety element? Will the project involve
in assurance, and who should be responsible
multiple stakeholders? Is the project already
for providing it. This increased visibility in
in trouble, and can it be turned around? As
management information should result in
we follow a risk-based approach, we need
better programme delivery, he adds.
to determine what impact specific risks will
have to the projects delivery, and how critical
they will be to the business, he adds.
18
The relationship with the audit committee
20
The relationship with the audit committee
22
Risk-based internal audit
EDF Energys corporate risk policy sets out 2 Identify and prioritise risks to be reviewed
a three-tier approach to how people assess in each business area and develop an audit
and report risks. These are listed as critical, universe to ensure that no key business
significant, or registered. While critical activities are overlooked and account is taken
risks are prioritised by the business, Smith of previous audit coverage.
and his team of 20 internal auditors review 3 Develop an audit programme that stretches
them to see if the business assessment is the team and promotes a high degree of
consistent with its findings. The EDF Trading productivity and limited downtime. For
risk policy and classification is separate, example, an auditor can work simultaneously
but the same audit approach applies. on the reporting phase of one audit and the
As part of the planning process, the internal planning phase of the next.
audit team looks at the organisations risk
register to see if it is complete and that there 4 Establish a warning system to notify
are no major risks missing. The function also internal audit whether recommendations for
considers which of these risks would have the further action are being implemented on time
most serious impact if controls were ineffective. and correctly.
The business scores these risks on the basis 5 Ensure that internal audit follows up
of controls that are in place rather than on an on reports to check that senior managers
inherent basis, which means that there is a are implementing internal audits
danger that some may be understated. When recommendations properly.
developing our audit plan, we need to consider
whether the controls in place are well-designed 6 Risk-based internal audit is not just for large
and are working, says Smith. Equally, we can internal audit departments the smaller the
add value by pointing out where too much internal audit team, the more important it
resource is being targeted at risk control. is for it to follow a risk-based approach. A
For EDF Trading, this involves internal audit risk-based internal audit approach can ensure
talking to its executive team to discuss their that resources are prioritised on reviewing the
views on risk and to see if the risk register controls for the most significant risks to the
accurately reflects them. For the larger EDF organisations objectives.
Energy business it involves talking to the 7 The success of a risk-based internal audit
seven-strong executive and the wider senior approach is dependent on identifying
leadership team which is made up of around the correct risks to review from the start.
60 business managers. If there is a misalignment, Internal audit must do this to add value to
new risks are added to the risk register and management as well as providing assurance to
internal audit considers whether these risks the audit committee.
should be added to its review programme.
24
The internal audit function relies on its audit
universe which provides the function with an One of the key steps to success
organisation-wide view of risk to determine with a risk-based approach is for
which business activities and related risks internal audit to talk to the board
require a review in the coming year. EDFs UK
audit team and audit universe is split into four
and senior management to ensure
practices that reflect the organisations different that their top-down view of big
business areas nuclear activities and thermal risks aligns with what internal
generation; energy supply and renewables; audit has found in bottom-up
optimisation and trading; and corporate and risk registers and from its current
steering functions. If an internal audit practice
reviews Alistair Smith, EDF
requires additional skills or resource, it can look
for expertise within the wider internal audit
function, from another part of the business, Once the audit plan is finalised, Smith informs
or from its external co-source provider. the UK audit team of the programme that has
The head of each audit practice maintains been agreed and talks to the EDF Energy and
their own audit universe, submitting an EDF Trading executive teams about the audit
audit plan to the UK audit director based on plan for their part of the business. Both executive
the risks identified within that area of the teams have the opportunity to make further
business. Smith then puts the four internal suggestions at this stage. He then meets with
audit plans together with his senior team, the audit committee of each business one
and submits a plan for the UK operations to of the four quarterly meetings he holds with
the audit committee for approval based on each every year to sign off the audit plans.
the risk assessment, historic audit coverage,
executive priorities and the group audit plan. Audit scope
EDFs UK internal audit team is made up of
50% professional internal auditors, and 50% The next step is to agree the scope of each audit
of people who have been recruited from the review the audit objectives, how many people
business who will stay with the team for around should be involved and how long it should take
2-3 years. Smith believes that this approach to complete so that the internal audit function
has several benefits. By bringing people can properly resource it. As part of this process,
into internal audit from the business to work the internal audit teams draw up a list of risks
with us for a couple of years, we create a fluid and controls that they expect to find in the area
team that is constantly being refreshed and to be audited so that they can compare them
has a mix of up-to-date business experience with what they actually find in place. The teams
and expertise in audit methodology, he develop a list of interviewees and a test plan.
says. When people return to their business Following interviews with people in the
area or move to a new activity, they do so business and control testing, the internal audit
with a wider knowledge of the company teams validate the findings from the fieldwork
and a strong grounding in risk control. and draft a report. The managing directors of
The audit plan is put to the groups corporate the business areas are shown the audit findings
audit team in Paris, which reviews it, suggests and recommendations, often as PowerPoint
changes, and recommends additional areas presentations and an executive summary.
to review as part of the group-wide audit When finalised, the report will go to the audit
programme. Every subsidiary around the group committee and corporate audit in Paris.
has to send a list of top risks to the group risk Internal audit also reviews the progress that
team every six months so that it is kept informed the organisations business areas have made
of emerging issues. These are shared with group in response to audit actions in implementing
audit to enable it to suggest additional reviews. effective procedures to control risk. Action
progress is reviewed at least quarterly and, one
25
year after an audit report has been issued, the
internal audit function issues a formal audit Useful professional guidance
closure report that has ratings based on a
The International Standards for the Professional
traffic light system green signifying that its
Practice of Internal Auditing cover risk-based
recommendations have been completed, and
internal audit planning in the 2010 series
red saying that key control actions still need
and in more detail in the related Practice
attention. Internal audit takes a summary to the
Advisories: PA2010-1 Linking the Audit Plan to
audit committee to discuss the central findings.
Risk and Exposures (http://bit.ly/JNbjl2) and
In advocating a risk-based internal audit
PA2010-2 Using the Risk Management Process in
approach, Smith acknowledges that there
Internal Audit Planning (http://bit.ly/IueSgZ).
are some potential downsides that need to
The Chartered Institute of Internal
be managed. For example, if the internal
Auditors has produced a position statement
audit function identifies the wrong risks to
on risk-based internal auditing (http://bit.
review, then the assurance provided may be of
ly/JSmSeu) that is now used globally (http://
limited value to the business and key controls
bit.ly/IVwEd0). It has also produced a guide
could go unchecked. Furthermore, a risk-
called An Approach to implementing risk-based
based approach can require more up-front
internal auditing (http://bit.ly/ISNU0Y).
planning work and more resource than
Global IIA has also produced practice
the traditional audit by rotation. Another
guides that may be useful: Assessing the
problem is that a purely risk-based internal
adequacy of risk management using ISO 31000
audit approach could mean that some low-
(http://bit.ly/IGBYBO) and Co-ordinating Risk
level risks may escape any kind of formal
Management and Assurance (http://bit.ly/
monitoring, especially if there is not a good
GZNoj7).
dialogue with second line assurance functions.
Professional qualifications also highlight
One of the key steps to success with a
the benefits of following risk-based internal
risk-based approach is for internal audit to
audit. Both P3 Learning Text Topic 1 (internal
talk to the board and senior management to
audit and the organisation) and Effective
ensure that their top-down view of big risks
Delivery of Audit and Assurance Learning Text
aligns with what internal audit has found in
include a section on variations of the risk-
bottom-up risk registers and from its current
based internal audit model.
reviews, says Smith. Providing these views are
Visit www.iia.org.uk for more information,
aligned, a risk-based internal audit approach
including the Knowledge Centre, which
can add value at all levels of the organisation.
contains a wide range of resources on risk
Smith also believes that a risk-based internal
management and internal auditing.
audit approach is not limited to large internal
audit departments. He believes that any size
internal audit function can adopt the approach.
The smaller the internal audit team, the
more important it is for you to follow a risk-based
approach so that you can make sure that your
resources are prioritised to the most significant
risks to the organisations objectives, says Smith.
If you have a team that only carries
out 10 reviews a year, then they should be
looking at the ten areas of risk that are of
most concern and that the controls in these
areas are working effectively, he adds.
26
Evaluating internal audit
30
The series of case studies in this document have been produced by the Chartered Institute of Internal
Auditors in collaboration with the National Audit Office, as part of a joint initiative to support the
development of the internal audit profession in the public sector. With thanks to the contributors:
British Telecom ( BT), Department for Work and Pensions (DWP), EDF Energy, Enstar Group, Ignis
Asset Management, InterContinental Hotels Group (IHG), The Met Office, Transport for London
(TfL), Travis Perkins, SABMiller.
Useful links:
www.iia.org.uk/casestudies
To read the National Audit Offices review of Internal Audit in central Government
www.nao.org.uk/internal-audit-2012
All members across the globe work to the same International Standards and
CodeofEthics.
Each year over 3,000 of our members take training with us or study for
ourqualifications.
Over 2,000 members are Chartered Internal Auditors and use the
designationCMIIA.
www.iia.org.uk