Internal audit of systems and controls
Internal audit is the organisation’s third line of defence and provides independent assurance to senior leadership and board that the organisation’s risk management, governance and internal control processes are operating effectively.
The new status quo has led to modified working practices and direct impact on the first and second line of defence, which could now be seen as vulnerable. With this in mind, how do Senior Leadership and Boards ensure that their new processes and policies are adequate, effective and prevent fraud?
More organisations are exploring the use of internal audits to get assurance now that COVID-19 has drastically changed internal processes. Majority of the audits are risk-based and expose vulnerabilities in internal infrastructures, driven by the unique risk profile.
Below are examples of areas we have been asked to provide assurance on:
- Remote working and IT security – with most employees working remotely, does your IT security and safeguarding pass the test?
- Supplier payments including international payments – have you ensured that delegated authority, payments and approvals processes are robust with remote working in place?
- Compliance – have you reassessed your internal controls and risks since COVID-19?
- Financial resilience – have you conducted a deep dive review and financial modelling on COVID-19 impact and assumptions for both the short and long term?
- Financial governance – have you sought assurance over the level of information being shared with key stakeholders and how the information is scrutinised internally?
- IR35 – don’t forget about the new deadline for the IR35 legislation, coming into effect 6 April 2021 in light of COVID-19 challenges and effects, the Government announced a one-year delay to new IR35 rules. These deadlines come into effect 6 April 2021 – are you prepared for this?
The Institute of Internal Auditors have also highlighted several areas that should be considered when looking at independent assurances. Some of the considerations include:
- Climate change risk
- Business resilience and crisis planning
- Blockchain technology
- Non-financial reporting
A balanced level of internal audit activity given the size and complexity of the organisation would provide assurances that Senior Leadership and Board would benefit from.
The landscape for professional firms to offer internal audit services has changed recently. A new Ethical Standard, which came into force in March this year, now restricts auditors from providing additional assurance services to their audit clients so that internal audit services are independent of statutory audit.
A proportionate level of internal audit activity helps with good governance for organisations to meet their business risk expectations. We have seen senior leadership teams and Boards focus on risk management to drive their future internal audits and assurance programmes.
If you have any questions about the above, or haysmacintyre’s internal audit services, please contact Rakesh Vaitha or your usual haysmacintyre contact.