GOOD PRACTICE GUIDANCE ON AUDIT STRATEGY
Audit Policy and Advice, HM Treasury
Comments from the Association of Chartered Certified Accountants
January 2002
Executive Summary
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the proposed Good Practice Guidance on Audit Strategy issued by Audit Policy and Advice, HM Treasury. These comments have been prepared in consultation with members of ACCA's Internal Audit Sub-Committee.
ACCA believes that it is an excellent idea for the proposed Good Practice Guide (the Guide) to develop new approaches to audit strategy in line with the revised Institute of Internal Auditors' definition of internal auditing. We commend the useful advice contained in the Guide on the complex task of setting an audit strategy within this new context of internal auditing. We consider, however, that the Guide needs further expansion and development to provide practical guidance on developing internal audit strategies.
ACCA suggests that it is over ambitious to describe the annual internal audit opinion as "a positive annual assurance". We believe that this may lead to an expectations gap developing between senior managers and internal audit and, indeed, that it is not practical for internal audit to deliver such an opinion.
The scope of the proposed internal audit strategy should be reduced so that it becomes a practical document for audit committees to assimilate. In addition, the extent to which internal audit can rely on the organisation's risk management assessment should be explained in more detail.
General Matters
Practicality of overall internal audit opinion
1. ACCA believes that it is questionable whether internal audit can give positive annual assurances on the whole of an organisation's risk management, control and governance processes. We believe that further thought needs to be given to this description of the annual internal audit opinion.
Further explanation required
2. We consider that the proposed Guide requires some further explanations, especially as it is recommending a fundamental change in the approach to internal audit planning (and execution). Some of the concepts are not clearly explained (see paragraph 4 below) and some of them are not used consistently. Thus the Guide refers, at various places, to an organisation's:
- risk management, control and governance process(es)
- risk management, control and governance arrangements
- risk management(,) control and governance
- risk control and governance.
4. ACCA acknowledges that some of the concepts included in the Guide are being refined through the process of developing it. Readers who have not previously been involved in this process need, however, to understand the concepts which are being used. The following terms, for example, should be clearly explained in the Guide:
- "stewardship reporting processes" in the third bullet point of paragraph 3.1
- "developed assurance processes" included in paragraph 5.1
- "CRSA reviews" in the first bullet point of paragraph 5.2.
- internal audit's view of the organisation's risk analysis
- internal audit's approaches
- internal audit plans
- internal audit staff recruitment and training strategy
- internal audit reporting arrangements
- arrangements for quality assurance of internal audit.
Use of limited internal audit resources
7. In developing an internal audit strategy, the greatest challenge relates to the allocation of limited internal audit resources across an organisation. We consider that guidance is needed on how this can be undertaken effectively. We also consider that the Guide should recognise that internal audit planning often actually starts with the available audit days and then works backwards to the audit coverage. We believe that the Guide should advise that, when talking to the audit committee, the Head of Internal Audit should make it clear that meeting additional expectations will have resource implications which require to be funded.
Detailed Points
Section 2: Overview of the Audit Strategy
8. ACCA does not believe that this section clearly differentiates between the audit strategy and the internal audit strategic plans. It is unclear whether these are to be produced as two separate documents or whether the strategic plan should be produced as part of the audit strategy. We believe that the former arrangement is preferable.
9. Together with the Annex to the Guide, this section should be more explicit on the form of the internal audit annual opinion. The Government Internal Audit Standards (GIAS) refer to an opinion on the effectiveness of the organisation's risk management, control and governance arrangements (for example, at paragraph 6.1.1). We consider that this section should define what is meant by "effectiveness".
10. The phrase "particularly in respect of Standard 1 (scope)" should be omitted from the end of the fourth bullet point in paragraph 2.1 as the Guide does not explain why this standard in particular should be considered. We also believe that the phrase "at any point in time" at the end of the first line of paragraph 2.2 is confusing and should be deleted. The sense of the sentence is not lost if this phrase is omitted.
11. We believe that the first bullet point in paragraph 2.2 is inconsistent with paragraph 6.1.4 of GIAS. GIAS refers to the organisation's risk assessment and calls for the Head of Internal Audit to make recommendations, if necessary, for its review. Paragraph 2.2 of the Guide suggests that internal audit should assist "management to develop their risk analysis and evaluation".
12. We believe that the second and third bullet points in paragraph 2.2 are confusing as they refer to a review by internal audit of the organisation's risk analysis rather than to reviews of the controls implemented to manage the organisation's risks.
Section 3: Pre-requisites for developing the Audit Strategy
13. ACCA does not believe that the control system should be equated to responses to risks (fourth bullet point in paragraph 3.1). We consider that risks may be controlled, terminated, insured against or accepted. Only the first of these responses is achieved through internal control.
14. Paragraph 3.2 raises some major issues. Internal audit may rely on the organisation's assessment of risk if this is reliable and complete. If the management suppresses certain aspects of its activities, such as the way it recruits and promotes senior people (including directors), it follows that audit cannot simply use its corporate risk assessment exercise. Internal audit may need to review aspects of corporate governance, such as the extent to which top management decisions are fair and transparent. This can place some strain on the relationship between audit, senior management and the accounting officer. Another problem with the risk assessment process is achieving a degree of consistency across the organisation. This requires effective communication between the relevant managers. As well as asking whether internal audit understands the organisation's objectives, internal audit should also ask whether people across the organisation clearly understand them.
15. Paragraph 3.2 of the Guide states that management is responsible for the "economy, efficiency and effectiveness" of risk management, a phrase generally used in relation to value for money. We do not consider that this phrase is clear in this context and we believe that this sentence should, therefore, be replaced with:
Risk identification and assessment are the responsibility of management, and in particular of the Accounting Officer; they, not internal audit, are accountable for the organisation's risk management, control and governance processes.
16. We believe that there should be reference at paragraph 3.3 to the need for internal audit to assess whether the risk assessment is kept up to date and is responsive to events which impact on the organisation.
17. We believe that the first sub-bullet point in the third bullet point of paragraph 3.6 should be improved to read: "Prevent a consequent adverse audit opinion…".
18. We believe that the Guide should recommend that the audit committee is informed if, as mentioned in paragraph 3.7, management and internal audit are not able to agree on the adequacy of the organisation's risk analysis.
Section 4: Identifying audit coverage necessary
19. We do not consider that the current guidance in paragraphs 4.1 and 4.2 is sufficient. We believe that paragraphs 4.1 and 4.2 should be expanded to provide an adequate and comprehensive guide to the material which is summarised in Annex 1 of the Guide.
20. Paragraph 4.3 states that the organisation's risk analysis should be reviewed every year, with the implication that any significant changes will impact on the audit strategy. As a result, the audit strategy may be revised each year. If, however, the Head of Internal Audit (or incoming auditors) are new, this may not be practical. We believe that there should be some recognition of this in the Guide and some provision for transitional arrangements. The Guide should also provide guidance on the possible life of an audit strategy and the trigger points for its review. It should state a maximum life before a full review of the strategy is undertaken (e.g. three years).
21. We are also concerned that the implication of paragraph 4.3 is that one of the components of the audit strategy will be a multi-year strategic internal audit plan. This is a practice that many internal audit sections have moved away from in recent years.
Section 5: Looking for opportunity to rely on the work of others
22. In paragraph 5.3, the reliance on external audit is rightly emphasised. We suggest that it would be helpful if the full reference to the guide Internal - External Audit Co-operation were provided in this paragraph. We also consider that reliance on the work of those involved in risk management should be added. Risk managers or teams may have systems documentation, information on non-compliant events, etc. which will inform the audit plan/programme/opinion.
Section 6: The audit toolbox
23. The title to this section sounds like a buzzword. We consider that a more neutral term, for example "The range of audit services" should be used.
24. We also believe that the first bullet point of paragraph 6.2 is over ambitious as it is unusual for internal auditors to be able to consider fully "every aspect and stage of the audited subject". During their audits, internal auditors should only consider those aspects of the system which are necessary for them to obtain assurance on the adequacy of the internal controls. In addition, they should only need to consider those internal controls which are necessary to manage the organisation's risks in line with its risk appetite.
25. We question whether control risk self assessment (CRSA) should be described as an audit tool, or a service. It should, more properly, be seen as a management tool. There is a move, however, by some internal auditors, to integrate CRSA with systems audit. In this case, the terms of reference for the audit are set through a CRSA workshop with management at which key operational risk areas are identified before the audit fieldwork starts. Another workshop held at the end of the audit then considers the recommendations arising from the audit in terms of an appropriate (i.e. improved) risk management strategy.
Section 7: Identifying and procuring skills and resources necessary
26. In paragraph 7.2, we consider that the phrase "it may not be good value to appoint in-house staff" should be replaced with a more neutral phrase, such as, "it may not always be good value to appoint in-house staff".
Section 8: Reporting
27. The first bullet point of paragraph 8.2 is unclear. We believe that this should clearly refer to targets for the prompt issue of audit reports. For example, issuing draft reports within ten days of the completion of the fieldwork.
Section 9: Quality assurance
28. We believe that this section should refer to the setting of, and reporting on, agreed performance indicators for the internal audit service.
Annex 1: Criteria to define the optimum audit opinion
29. We believe that the Annex should also mention how risk management activity should be designed and implemented, based around (i) a clear assurance reporting infrastructure, and (ii) the action taken by management to make staff aware of risk management and internal control reporting requirements. The second bullet point of paragraph 1 should refer to the controls in place to manage these risks.