The Chartered Institute of Internal Auditors this week released draft Code of Practice and sought feedback from audit professionals and the wider community on the proposed Code. The Code, in my opinion, is a much needed document, especially in light of the recent high profile collapses such as Carillion.
However, the potentially new Code faces some big challenges if it wishes to become fully effective, although I am sure the Institute can meet the challenges. As Brendan Nelson highlights in the Foreward to the draft Code, in the two years since the introduction of the Finance Services Code, there has been substantial improvement in how internal audit is viewed in an organisation.
So what do you need to know about the draft code?
Where can you find the code?
To access a copy of the draft code, simply CLICK HERE or on the image.
When does the consultation open?
The consultation period is already open now. Responses to the draft consultation should be submitted in Microsoft Word through the email address provided on the website through the above mentioned link.
When does the consultation period end?
Closing date for submissions is Friday 11 October 2019.
Subscribe to our mailing list here and we will send you a reminder prior to the closing date.
Who can provide responses?
Responses are welcome from anyone and everyone, although the Institute states they are particularly interested in responses from those working in the audit procession, executives, and a whole raft of other people listed on page 4 of the document.
It wouldn't be a blog if I didn't provide my two cents on the matter, so here goes.
Generally, I find the Code a very well thought out, structured and holistic document. It covers all facets of an audit and the audit function, methodically setting principles for each component of the risk assessment, planning, fieldwork, report, and presentation phases. Additionally, it all sets a number of principles surrounding the structure of the internal audit team and its quality assurance programs.
The Code is broad and high level in some of the principles it has set, although this is so that the Code can be applicable to a variety of businesses, industries, and their maturity. A 'one size fits all' approach is never easy, although I feel that the Institute has done extremely well in pulling this off.
After going through the code, there are a few highlights for me:
Governance Arrangements - The Code makes reference to including governance arrangements in the scope, and assessing their design and operating effectiveness. Whilst I completely agree this should be included, I am concerned that audit team members may not necessarily know what should be considered in such a review (even despite the Institute having some great guidance here). I do have a suggested recommendation for this, which I will touch on later.
Risk Appetite and Risk Culture - This part made me so happy. At times, us auditors may be a tad risk adverse; taking a very strict approach to some processes, however on the flip side, management may not necessarily understand the meaning of risk appetite and culture. Management may perceive the current risk tolerance to be appropriate without fully understanding the implications of the risk. This is where I think audit needs to call this out more boldly. Detailing in the report the entity's risk appetite, and the attitude to risk of the auditee, should be included. Furthermore, piratical and relatable examples should be included in the report to demonstrate where the business areas approach to risk may fall below par, be excessive, or be just right. At present, I feel this is an area that we, as audit, do not communicate well enough, and do not assess in sufficient detail.
Key Corporate Events - I support the inclusion of this, however think it should go further to encourage the regular involvement of audit throughout the event. For instance, large scale projects or IT developments should have an audit resource directly implemented into the teams, who will listen to scrum / project meeting updates and provide rolling reporting on what the project should consider, stop doing, or note identified risks. Such 'hot audits' help insure any potential issues are identified early, and rectified quickly, avoiding in post implementation issues and eliminating the need for lengthy retrospective reviews.
Reporting - I agree with these principles, however have one recommendation, which I have included below.
Independence and authority of internal audit - Again, this is a great section, however my biggest concern is the reality of this. Whilst the Code may state we can have full access to all information (which we should!), in practice, we always know that there is information management may not want to show given its "commercial sensitives", etc. Whilst I wold hope such situations wouldn't happen, I am positive that they would, and I don't feel that this Code is going to change that.
These are only some of my favourite / most notable parts of the Code, however as mentioned earlier, I consider this to be a very well structured and laid out document.
So, what are these recommendations I rattled on about earlier?
Whilst this is an extremely comprehensive and well laid out document, I believe it should be supported by an 'Illustrative Guide' once fully operational. For instance, I question how well some audit teams would assess governance arrangements. Such a guide would allow the Institute to directly reference some of their great resources and materials to the register, allowing audit teams to quickly and easily identify items for consideration which they may have missed. This would be applicable across many components of the Code. Furthermore, the Institute should consider some components of the External / Financial Statement auditing standards (ISA's). These standards cover items such as design, implementation and operating effectiveness. The standards spell out what should be done, and could prove to be extremely beneficial to audit teams. Across both financial statement and internal audit, the ability of people to perform appropriate D&I and TOE procedures is worrying; hence the need for an illustrative guide to help us bring up the standard.
With regards to reporting - I hate the boring old school reporting. Slapping an overall assurance rating, calling out each observation, its risk and the recommendation does no good. In the coming weeks I will be uploading a number of audit reporting templates along with a supporting blog, but basically, I feel that an audit report needs to move away from the current finding an action approach, to a more holistic view. What did we do? What were the processes? Where did the issues lie? What are the risks and controls? Whats our fraud assessment? Are the processes designed, implemented and operating as expected? Our reports need to be more transparent and show everything that is going on, not just the issues. Furthermore, they also need to show how our audit fits into the bigger picture / whole of the organisation.
Finally, I believe the Institute should investigate the option of a peer review program. As professionals, we should be able to work together more collaboratively to ensure our audit practices are up to scratch, whilst providing opportunities to learn from other individuals in the profession.
So to conclude, I believe the Institute has done a great job with this document, however the real test will be the Code's implementation, and support provided to the profession to helps us adhere to every aspect of the Code.
Do not forget to make your submission.