Why you need to provide continuous training and coaching to your audit team

We often take it for granted, or in some instances even loathe it, but training and coaching are critical to the success of your internal audit team. Without them, our teams can fall behind and / or become complacent.


When new team members join your audit team, it’s important that classroom style training be delivered to them. We have developed three modules to support your induction training:

  • Module 1 – Introduction to Internal Audit
  • Module 2 – Annual Planning
  • Module 3 – Internal Audit


Through this induction training, you set the tone and expectation you have for your team. You clearly state the role, purpose, and position of internal audit within your entity. You set the expectations for individuals at each level and even explain the audit process and methodology. You also have an opportunity to show the team culture and encourage team members to be innovative and excited about their new careers.


By providing this training in a classroom format, you are able to immediately answer any questions your new starter has and provide any clarification. Lastly, once the training is delivered, it becomes a reference point. Should the new joiner need to check anything within their first weeks, you can see how much of a self-starter they are through their ability to find the training and “self-serve” before coming to you for final clarification.


So what does each of these modules contain?


Module 1 – Introduction to Internal Audit


This module provides new starters with a foundation for everything we do in Internal Audit. It focuses on the Internal Audit team, its position within the business, and key documents such as the Internal Audit Standards, the Code of Practice and the Three Lines Model.

You can view the free version of this Module here. Alternatively, you can purchase this Module here. Members can download this training here as part of this membership.


Module 2 – Annual Planning


This module walks through the Annual Planning process. References are made to the Standards and key concepts taught in Module 1. The purpose of this module is to help the team understand how our audits make it onto the annual plan, and also their own role in the annual planning process. This module includes a number of activities for the team to practically apply what they have learnt.

You can view the free version of this Module here. Alternatively, you can purchase this Module here. Members can download this training here as part of this membership.


Module 3 – Internal Audit


In this module, team members will learn our audit methodology. Rather than this training being all theory based, team members will actually be given an example / mock audit. They will use this mock audit to practically apply our methodology as they essentially perform an audit step by step.

You can view the free version of this Module here. Alternatively, you can purchase this Module here. Members can download this training here as part of this membership.


The training has been designed so that team members can also print the training modules off and use these as a handy resource tool / guide.

Longer term, this training can also be used as refresher training, reminding team members each year of their role, responsibilities, and expectations we have of the broader team.


It’s important that team members are provided with regular training. We have spoken before about how training can be included as an audit objective as part of your annual goals here. Regular training and investment in team members, particularly for emerging trends such as Agile, or new audit techniques such as data analytics, continuous controls monitoring and dynamic risk assessments, can ensure our audit teams stay ahead of the curve and continue to provide the insights and value which the business expects from us.


If you do not already do so, understanding the training needs and wants of your team is a great idea, and building these into an annual learning plan will help ensure team members receive the appropriate amount of training each year.


Does your team have a training plan? If so, let us know how you have built and executed your plan here in our forum.

Implementing a ‘SOX Lite’ Entity Level Controls (or Risk and Controls Matrix) in your business

This post forms part of a series of posts. To review our post regarding Finance Key Controls, please click here, or to view our post about IT Key Controls, please click here.


Following the Brydon Review in 2019, there is a real chance that UK listed companies could be required to implement a Sarbanes–Oxley (SOX) equivalent. As per the ICSA website, amongst the recommendations following the review, there was a clear stand-out in regards to internal controls:


That the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.


Similar to finance and IT controls, entity level controls should be in place in any organisation, regardless of whether they are required by SOX; it’s simply best practice. These Entity Level Key Controls are there to ensure corporate processes, such as whistle-blower help lines and mandatory training such as code of conduct training, are all performing / being undertaken as expected.


To assist smaller organisations, we have compiled a base of 10 entity level key controls which would be expected as a minimum.


You can view an example of the Entity Level Key Controls Database (or Risk and Control Matrix), below:

You can view the free version of the database here.

Alternatively, you can purchase the database here.

Members with a paid subscription can download the template via the Members Area.

How was this list of controls built?

We considered basic Entity Level Controls that are most likely already operating in some form or another within a business. As such, depending on the size, nature, and risks applicable to your business, some of these controls may need to be adapted to be more robust. Nevertheless, these controls are a great starting point for any small or medium business.

How do we assess the risk of each control?

For each control, we need to assess the risk. Assessing the risk, in its simplest form, is considering the likelihood of the risk occurring, and the impact if the risk did eventuate. On top of this, we then need to consider the risk appetite of the business. For example, the likelihood of something occurring might be high, but the impact considered low, as it would only result in a financial loss of, say, $100, which would be below the company’s loss threshold.

How do we know the controls are working?

Our database has been designed so that for each control, there is a supporting control worksheet. Within this control worksheet, the auditor (or member of the business area or other relevant function), must document the nature of the control, and the process which the control is a part of. The frequency and nature of the control (i.e. Automatic or Manual) are captured in this detailed control worksheet, along with the control owner, control risk and accounts relevant to the control.


The audit team must then map the process and embed the process flow into the control worksheet. They must then perform both design and implementation testing, with all workings documented, and an assessment completed at the end which evaluates if the control has been designed and implemented appropriately.


The relevant business area will then perform testing on a monthly basis (or other frequency as already documented) to ensure the control is working as expected.


Internal Audit will then perform both interim and year end testing to also validate the operating effectiveness of the control.


The results from the testing performed by both the business area and Audit are summarised into the overall control register, allowing the business area to easily see their results which can support their annual attestation regarding the controls.

For audit, the results are also summarised into the overall control register, which can be used to provide independent assurance to both the Audit Committee and Board.

When should these controls be implemented?

If not already, they should be implemented now. Control implementation and effectiveness is also an evolving thing; meaning as the business begins to implement controls, they will likely need to be refined and engineered to make sure they are appropriate and robust for the business. By implementing these controls now and refining them over the next 6 to 12 months, both the relevant business areas and Audit can work together to ensure good controls are in place and operating effectively before the UK SOX equivalent becomes a requirement.

Implementing a ‘SOX Lite’ Finance Key Controls (or Risk and Controls Matrix) in your business

Following the Brydon Review in 2019, there is a real chance that UK listed companies could be required to implement a Sarbanes–Oxley (SOX) equivalent. As per the ICSA website, amongst the recommendations following the review, there was a clear stand-out in regards to internal controls: “That the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.”

Finance controls should be in place in any organisation, regardless of whether they are required by SOX; it’s simply best practice. To assist smaller finance functions, we have compiled a base of 30 key controls which would be expected as a minimum.


You can view an example of the Finance Key Controls Database (or Risk and Control Matrix), below:

You can view the free version of the database here.

Alternatively, you can purchase the database here.

Members with a paid subscription can download the template via the Members Area.

How was this list of controls built?

Our list of controls covers what would be considered material accounts as per the financial statements, or accounts that are material by nature (i.e. cash). These are only generic controls, and would be easily adaptable to any organisation.

How do we assess the risk of each control?

For each control, we need to assess the risk. Assessing the risk, in its simplest form, is considering the likelihood of the risk occurring, and the impact if the risk did eventuate. On top of this, we then need to consider the risk appetite of the business. For example, the likelihood of something occurring might be high, but the impact considered low, as it would only result in a financial loss of, say, $100, which would be below the company’s loss threshold.

How do we know the controls are working?

Our database has been designed so that for each control, there is a supporting control worksheet. Within this control worksheet, the auditor (or member of the finance team), must document the nature of the control, and the process which the control is a part of. The frequency and nature of the control (i.e. Automatic or Manual) are captured in this detailed control worksheet, along with the control owner, control risk and accounts relevant to the control.


The audit team must then map the process and embed the process flow into the control worksheet. They must then perform both design and implementation testing, with all workings documented, and an assessment completed at the end which evaluates if the control has been designed and implemented appropriately.


The finance team will then perform testing on a monthly basis to ensure the control is working as expected.


Internal Audit will then perform both interim and year end testing to also validate the operating effectiveness of the control.


The results from the testing performed by both Finance and Audit are summarised into the overall control register, allowing Finance to easily see their results which can support their annual attestation regarding controls over financial reporting.


For audit, the results are also summarised into the overall control register, which can be used to provide independent assurance to both the Audit Committee and Board.
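To make the roll-up concrete, here is an added example of how the pieces described above (the risk rating per control, the business area’s periodic testing, Audit’s design & implementation and interim / year end testing, and the overall control register) fit together. It applies equally to the Entity Level and Finance key controls posts. This is illustration code written for this page, not the My Audit Spot database template: the control names, field names, the 1–5 likelihood / impact scales, the appetite threshold of 9 and the sample test results are all constructed assumptions.

```python
"""Constructed 'SOX Lite' risk and controls register roll-up (illustration only).

Not the My Audit Spot template. Controls, field names, the 1-5 scales, the
appetite threshold and every test result below are assumptions for the example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    control_id: str
    description: str
    owner: str
    frequency: str            # "monthly", "quarterly" or "annual"
    control_type: str         # "automatic" or "manual"
    accounts: List[str]       # financial statement accounts the control protects
    likelihood: int           # 1 (remote) .. 5 (almost certain)  -- assumed scale
    impact: int               # 1 (negligible) .. 5 (severe)      -- assumed scale
    design_effective: Optional[bool] = None   # Audit's D&I conclusion, None = not yet assessed


@dataclass
class TestResult:
    control_id: str
    period: str               # "2024-02" (monthly), "2024-Q1" (quarterly), "2024" (annual)
    tester: str               # "business" (routine testing) or "audit" (interim / year end)
    passed: bool
    note: str = ""


def risk_rating(control: Control, appetite_threshold: int) -> Dict[str, object]:
    """Likelihood x impact, then compared with the business's stated risk appetite."""
    score = control.likelihood * control.impact
    return {"risk_score": score,
            "appetite": "above appetite" if score > appetite_threshold else "within appetite"}


def control_status(control: Control, results: List[TestResult],
                   expected_periods: Dict[str, List[str]]) -> str:
    """Roll one control's D&I conclusion and operating tests into a single status.

    Order matters: a badly designed control cannot be 'effective' however many
    operating tests passed, and a failed test outranks a missing one.
    """
    if control.design_effective is None:
        return "D&I not assessed"
    if not control.design_effective:
        return "Design deficiency"
    mine = [r for r in results if r.control_id == control.control_id]
    if any(not r.passed for r in mine):
        return "Operating exception"
    tested_by_business = {r.period for r in mine if r.tester == "business"}
    if any(p not in tested_by_business for p in expected_periods[control.frequency]):
        return "Testing gap"          # the business area skipped a period it owed
    if not any(r.tester == "audit" for r in mine):
        return "Awaiting audit validation"
    return "Effective"


def build_register(controls, results, expected_periods, appetite_threshold=9):
    """Overall control register: one row per control, problems and high risk first."""
    rows = []
    for c in controls:
        row = {"control_id": c.control_id, "owner": c.owner, "type": c.control_type,
               "accounts": c.accounts, "status": control_status(c, results, expected_periods)}
        row.update(risk_rating(c, appetite_threshold))
        rows.append(row)
    return sorted(rows, key=lambda r: (r["status"] == "Effective", -r["risk_score"]))


def attestation_summary(register):
    """Status counts plus whether the register supports a clean attestation."""
    counts = Counter(r["status"] for r in register)
    return {"counts": dict(counts), "clean": set(counts) == {"Effective"}}


# --- constructed sample data -------------------------------------------------
EXPECTED_PERIODS = {"monthly": ["2024-01", "2024-02", "2024-03"],
                    "quarterly": ["2024-Q1"], "annual": ["2024"]}

CONTROLS = [
    Control("FIN-01", "Bank reconciliations reviewed and signed off", "Financial Controller",
            "monthly", "manual", ["Cash"], likelihood=3, impact=4, design_effective=True),
    Control("FIN-02", "Manual journals above threshold need second approval in the ledger",
            "Finance Systems Lead", "monthly", "automatic", ["Revenue", "Accruals"],
            likelihood=2, impact=5, design_effective=True),
    Control("ELC-01", "Whistle-blower hotline cases reviewed by Audit Committee",
            "Company Secretary", "quarterly", "manual", [], likelihood=2, impact=3,
            design_effective=True),
    Control("ELC-02", "Code of conduct training completion tracked in the LMS", "HR Director",
            "annual", "automatic", [], likelihood=2, impact=2, design_effective=False),
]

RESULTS = [
    TestResult("FIN-01", "2024-01", "business", True),
    TestResult("FIN-01", "2024-02", "business", True),
    TestResult("FIN-01", "2024-03", "business", True),
    TestResult("FIN-01", "2024-Q1", "audit", True, "interim sample of 3 reconciliations"),
    TestResult("FIN-02", "2024-01", "business", True),
    TestResult("FIN-02", "2024-02", "business", False, "two journals posted without approval"),
    TestResult("FIN-02", "2024-03", "business", True),
    # ELC-01: no business testing recorded for Q1 at all -> testing gap
]

if __name__ == "__main__":
    register = build_register(CONTROLS, RESULTS, EXPECTED_PERIODS)
    for row in register:
        print(f"{row['control_id']:7} {row['status']:20} risk={row['risk_score']:2} ({row['appetite']})")
    print(attestation_summary(register))
```

Running it lists FIN-02 first (an operating exception on a control above appetite), then the quarterly control the business never tested, then the control Audit concluded was poorly designed, and only then the one control that is actually effective; the summary reports that the register does not yet support a clean attestation. The ordering of checks in `control_status` is the point a practitioner should take away: design conclusions come before operating results, and a missing test is reported separately from a failed one so that the two are not confused in the register.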

When should these controls be implemented?

If not already, they should be implemented now. Control implementation and effectiveness is also an evolving thing; meaning as the Finance team begins to implement controls, they will likely need to be refined and engineered to make sure they are appropriate and robust for the business. By implementing these controls now and refining them over the next 6 to 12 months, both Finance and Audit can work together to ensure good controls are in place and operating effectively before the UK SOX equivalent becomes a requirement.


My Audit Spot can help discuss your financial key controls matrix with you. Please email us at hello@myauditspot.com if you would like to discuss further.

Why you should have a strategy for your Internal Audit department and how to write one

Similar to an organisation’s own strategy, a strategy for an internal audit department is beneficial for detailing the objectives of the audit department and how we are going to get there. An Internal Audit strategy will also help show how the department’s activities link to the wider objectives and strategy of the organisation.


There is no specific standard requiring an Internal Audit Strategy, however a good strategy document can help ensure your audit department meets the requirements of the IPPF and Code of Practice (where applicable).

The Chartered Institute of Internal Auditors has a great guidance document which details how to prepare an Internal Audit Strategy. You can download a copy of their guidance document here. Their guidance document provides 14 tips which can help you build a well rounded strategy.


To help give you a starting point for your strategy, we have prepared an easy to use template. Click on the links below to access the templates:


Microsoft Word


Microsoft PowerPoint

Click here for the free Microsoft PowerPoint template.

Click here for the editable Microsoft PowerPoint template.

A snapshot of the Word template is presented below:

Things to include in your strategy

There are many things which can be built into your Internal Audit Strategy. Below are a few of the items which we think you should include, and why:

  • How Internal Audit will help achieve the company’s objectives. I.e. show how our audits will link directly to the company’s strategy.
  • How Internal Audit will upskill team members. I.e. what our training program will include to increase auditors skills and awareness of the business.
  • How Internal Audit will measure its success, both in the delivery of audits and achievement of the audit strategy.
  • How Internal Audit will implement and embed new technologies (i.e. use of data analytics or robotics into audit processes).
  • How Internal Audit will build more collaborative relationships across the business and assist in thought leadership and best practice (i.e. drop in educational / awareness sessions).
  • How Internal Audit can assist in implementation of the new Three Lines model.
  • How Internal Audit can help the business with its risk mitigation strategies and implementation of controls and process improvement.
  • How Internal Audit can assist in addressing the expectation gap between external auditors and internal auditors.


The objectives of the strategy can be endless, however it’s best to focus on only a few key areas which will directly impact or link back to the organisation’s own strategy and objectives. Above all, consideration should be given to the Chartered IIA’s guidance document when developing your Internal Audit Strategy.


Let us know what your own Internal Audit Strategy looks like in the comments below.

Performing a periodic self assessment as part of your Quality Assurance Improvement Program


The International Standards for the Professional Practice of Internal Auditing (Standards) set the mandatory requirements for every Internal Audit function. As part of the Standards, there is a key component which requires audit functions to establish a Quality Assurance Improvement Program (QAIP).


This post will focus only on how to develop and perform an Internal Audit Self Assessment, however to provide context and assist with your understanding, we have provided background regarding a QAIP.

The Standards

The Standards state the following with reference to a QAIP.

Want a copy of the Standards? Click here to be taken to the IIA where the Standards are available in a number of languages.

1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external assessments.

So what is an internal assessment and an external assessment, and what are the differences?

The Standards go on to describe these also. For both an internal and external assessment, it is important that the interpretation attached to each Standard is also read and considered.

Internal Assessments

1311 – Internal Assessments

Internal assessments must include:

  • Ongoing monitoring of the performance of the internal audit activity.
  • Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards. Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

External Assessments

1312 – External Assessments

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

  • The form and frequency of external assessment.
  • The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

Interpretation: External assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments. A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. An independent assessor or assessment team means not having an actual or perceived conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. The chief audit executive should encourage board oversight in the external assessment to reduce perceived or potential conflicts of interest.

Naturally, once an assessment has been performed, it is important that the results are appropriately communicated. This is considered within the Standards also:

1320 – Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include:

  • The scope and frequency of both the internal and external assessments.
  • The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.
  • Conclusions of assessors.
  • Corrective action plans.

Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s assessment with respect to the degree of conformance.

A Quality Assurance Improvement Program

Check the IPPF guidance from the IIA here.

So taking into account each of the Standards above, how do we actually implement a Quality Assurance Improvement Program? Here are a few steps.

  1. Consider the mandatory requirements of the International Professional Practices Framework.
  2. Consider all of Internal Audit’s activities.
  3. Consider how Internal Audit’s activity is currently appraised (e.g. surveys).
  4. Consider how improvement opportunities are identified.
  5. Consider the involvement of management, audit committees and the board in Internal Audit activity.

When considering your QAIP, it is good to build a framework. The IIA has provided an example framework, however this should only be used as a guide. Any framework needs to be reflective of the organisation and the environment which it operates within. To read more about this framework, you can read IIA Guidance here.

In fact, a huge amount of information regarding the QAIP can be found from the IIA here. Alternatively, we have copies of the documents below. Please note, there are multiple documents here. Please take care and ensure you have downloaded all of the relevant documents.

Performing a periodic self assessment

Now that we have an understanding of what the Standards require and what a QAIP framework looks like, it is time to perform a self assessment.

The IIA recommends that a self assessment be performed at least once annually. We recommend performing the assessment in a quieter period, where it will not conflict with other key annual audit activities such as annual planning.

When building the self assessment program, the audit function should consider the following:

  • All mandatory requirements of the IPPF. These include the Standards, the Core Principles, the Definition of Internal Auditing and the Code of Ethics.
  • Adequacy and appropriateness of internal audit policies and procedures.
  • Achievement of KPIs.
  • Stakeholder expectations and survey results.

Performing the annual self assessment is also a great time for audit teams to review current audit manuals and processes and make necessary updates.

To help audit functions perform their self assessment, we have built an Internal Audit self assessment checklist which helps monitor compliance against the Standards. The checklist does not monitor specifically against the other mandatory requirements, nor does it address the other considerations mentioned above; however, these are all factored into the checklist through supporting evidence. A copy of the checklist is presented below.

A copy of this free template can be viewed here.

To purchase an editable version of this template, please click here.

The checklist will help audit teams to document the evidence obtained to support their compliance against the Standards, but will also allow teams to record suggested improvement areas. The dashboard included in our template also allows for the effective monitoring of suggested action implementation. All of this combined helps demonstrate continual improvement – a key requirement of the Standards, and can facilitate reporting to management also.

The periodic self assessment is also a great opportunity for audit teams to consider their compliance against the Internal Audit Code of Practice. You can purchase a copy of our Code of Practice Self Assessment template here.

Keep an eye out. We will be preparing a guidance document to help you build a QAIP and implement ongoing and periodic monitoring, to help ensure you are in compliance with the Standards.
