TIAPS Module 1 Audit and Assurance workbook
Examples of appropriate measures the head of internal audit may take to safeguard against impairments and ensure sufficient independence and objectivity include the following: • Discuss a perception of impairment with relevant parties to describe the controls in place (such as policies, processes, supervision, and review of audit work) that would minimize any actual impairment and so reduce concerns. • Assign a sufficiently competent alternate auditor to an engagement to avoid a conflict of interest in fact or appearance. • Discuss an actual impairment with senior management and the board to seek support and resolution, which may include noting and accepting the risk in the short term while recruiting additional resource for future engagements or contracting with an alternate auditor on a temporary basis from another public entity or external agency. • Reporting an impairment that has been identified after completion of an engagement to the client and the governing body to consider its potential impact on the accuracy and reliability of the conclusions, as required by Standard 2121 – Errors and Omissions. One of the more persistent threats to independence of the internal audit function in the public sector is the absence of a functional reporting line by the head of internal audit to an independent governing body, in some cases because such a body (or individual) does not exist in the way envisaged by the IPPF. There may not be a duly constituted board and the senior executive – as the de facto governing body – may act with little or no separation between management and governance roles. Where there is a governing body, the appointments to it may be directed by the government with political motivations or in accordance with various conventions and practices that have little to do with providing competent oversight of the entity and its internal audit function. Approval of the internal audit plan and budget may be made by those with responsibilities for areas to be audited. In such a position, the head of internal audit must be extra vigilant to maintain and demonstrate independence in determining engagement priorities based on risk and organizational need. In all cases, the head of internal audit must report on the status of independence of the function. Peer review as part of the quality assurance and improvement program as well as more regular external review can also be used to provide validation of independence. Practice varies regarding the establishment of audit committees. For example, a city council – as the governing body of a municipality – may meet periodically as an audit committee such that the members of the council are also the members of the audit committee. Alternatively, an audit committee may have a separate existence from the governing body and act as an advisory panel with membership comprising other independent individuals. Where a government has adopted the European Commission model for Public Internal Financial Control (PIFC), the Central Harmonization Unit (CHU) may act as the audit committee for multiple entities (although bandwidth constraints usually limit the role to monitoring internal audit activity rather than findings.) PIFC is discussed in module T3 Accounting Fundamentals. In large complex public organizations, especially multilateral bodies like the United Nations, but also for ministries with multiple subordinated entities, there may be audit committees with oversight responsibilities of lower-level bodies reporting to their respective governing authorities that are also coordinated by a higher-level committee or board that considers all reports to ensure a coherent aggregated perspective. 40
In other cases, there is no audit committee and oversight is exercised directly by the governing body. Availability of resources can also be an issue for independence, including funding for external quality reviews, required by the Standards at least once every five years. Where small audit teams are faced with a large or complex audit universe, the head of the function must make clear to the governing body the areas that cannot be covered and where assurance cannot be provided. The audit plan must still prioritize engagements according to risks and needs. The nature of such threats to independence in the public sector may be political. Elected and appointed officials may be seeking to extend their terms of office or establish their legacy and are desirous of demonstrating favorable results. Communications are often “spun” in such a way that the information is preferentially presented via generalizations, incomplete truths, and omissions. Auditors may be asked directly or indirectly to tone down or refrain from reporting what may be perceived as negative findings and conclusions in the interests of maintaining favorable public or line ministry opinion. Internal auditors must demonstrate strength of character and moral courage to resist such pressures. 41
- Page 1 and 2: Module 1: Audit and Assurance TIAPS
- Page 3 and 4: Table of Contents Module 1: Audit a
- Page 5 and 6: Relevant Standards Reference is mad
- Page 7 and 8: • Close scrutiny. The activities
- Page 9 and 10: A.2 Public Sector Governance IIA In
- Page 11 and 12: The need for governance arises for
- Page 13 and 14: Although developed for government a
- Page 15 and 16: A.3 Governance Models When evaluati
- Page 17 and 18: defensive aspects to minimize negat
- Page 19 and 20: A.3.3 CIPFA International Framework
- Page 21 and 22: 8. Ensure that its arrangements for
- Page 23 and 24: • Consideration of overlapping in
- Page 25 and 26: A.3: Reflection Which model or mod
- Page 27 and 28: Although they are related, the prin
- Page 29 and 30: B.1.1 Independence, Objectivity, an
- Page 31 and 32: B.1: Reflection Is it possible to
- Page 33 and 34: According to The IIA Position Paper
- Page 35 and 36: B.2: Reflection When was the last t
- Page 37 and 38: When independence or objectivity ar
- Page 39: B.4 Safeguards for Independence and
- Page 43 and 44: C. Assurance and Advisory Engagemen
- Page 45 and 46: It is common to build an allowance
- Page 47 and 48: The following list is taken from Sa
- Page 49 and 50: helping managers developing control
- Page 51 and 52: C.1.5 Internal Audit Opinions Audit
- Page 53 and 54: Leadership and Communication Intern
- Page 55 and 56: C.2 Auditing Governance The IIA Sup
- Page 57 and 58: C.2: Reflection How does your inter
- Page 59 and 60: Fraud may be perpetrated via measur
- Page 61 and 62: circumstances (unethical and often
- Page 63 and 64: Management Issues • Lack of area
- Page 65 and 66: Risk management techniques can be a
- Page 67 and 68: IT controls may be manual, automate
- Page 69 and 70: The IIA’s Cybersecurity Toolkit d
- Page 71 and 72: C.3: Reflection Fraud: How are susp
- Page 73 and 74: Global Perspectives and Insights -
- Page 75: CIPFA: 77 Mansell Street, London E1
Examples of appropriate measures the head of internal audit may take to safeguard against<br />
impairments <strong>and</strong> ensure sufficient independence <strong>and</strong> objectivity include the following:<br />
• Discuss a perception of impairment with relevant parties to describe the controls in<br />
place (such as policies, processes, supervision, <strong>and</strong> review of audit work) that would<br />
minimize any actual impairment <strong>and</strong> so reduce concerns.<br />
• Assign a sufficiently competent alternate auditor to an engagement to avoid a conflict<br />
of interest in fact or appearance.<br />
• Discuss an actual impairment with senior management <strong>and</strong> the board to seek<br />
support <strong>and</strong> resolution, which may include noting <strong>and</strong> accepting the risk in the short<br />
term while recruiting additional resource for future engagements or contracting with<br />
an alternate auditor on a temporary basis from another public entity or external<br />
agency.<br />
• Reporting an impairment that has been identified after completion of an engagement<br />
to the client <strong>and</strong> the governing body to consider its potential impact on the accuracy<br />
<strong>and</strong> reliability of the conclusions, as required by St<strong>and</strong>ard 2121 – Errors <strong>and</strong><br />
Omissions.<br />
One of the more persistent threats to independence of the internal audit function in the public<br />
sector is the absence of a functional reporting line by the head of internal audit to an<br />
independent governing body, in some cases because such a body (or individual) does not<br />
exist in the way envisaged by the IPPF. There may not be a duly constituted board <strong>and</strong> the<br />
senior executive – as the de facto governing body – may act with little or no separation<br />
between management <strong>and</strong> governance roles. Where there is a governing body, the<br />
appointments to it may be directed by the government with political motivations or in<br />
accordance with various conventions <strong>and</strong> practices that have little to do with providing<br />
competent oversight of the entity <strong>and</strong> its internal audit function. Approval of the internal audit<br />
plan <strong>and</strong> budget may be made by those with responsibilities for areas to be audited. In such<br />
a position, the head of internal audit must be extra vigilant to maintain <strong>and</strong> demonstrate<br />
independence in determining engagement priorities based on risk <strong>and</strong> organizational need.<br />
In all cases, the head of internal audit must report on the status of independence of the<br />
function. Peer review as part of the quality assurance <strong>and</strong> improvement program as well as<br />
more regular external review can also be used to provide validation of independence.<br />
Practice varies regarding the establishment of audit committees. For example, a city council<br />
– as the governing body of a municipality – may meet periodically as an audit committee<br />
such that the members of the council are also the members of the audit committee.<br />
Alternatively, an audit committee may have a separate existence from the governing body<br />
<strong>and</strong> act as an advisory panel with membership comprising other independent individuals.<br />
Where a government has adopted the European Commission model for Public Internal<br />
Financial Control (PIFC), the Central Harmonization Unit (CHU) may act as the audit<br />
committee for multiple entities (although b<strong>and</strong>width constraints usually limit the role to<br />
monitoring internal audit activity rather than findings.) PIFC is discussed in module T3<br />
Accounting Fundamentals. In large complex public organizations, especially multilateral<br />
bodies like the United Nations, but also for ministries with multiple subordinated entities,<br />
there may be audit committees with oversight responsibilities of lower-level bodies reporting<br />
to their respective governing authorities that are also coordinated by a higher-level<br />
committee or board that considers all reports to ensure a coherent aggregated perspective.<br />
40
Change language