Everybody knows you have to meet the professional standards, the Public Sector Internal Audit Standards (PSIAS). But it can sometimes feel that they represent theory rather than the day-to-day practice of internal auditing. Heads of internal audit have so many things to juggle that perhaps worrying about conformance with the standards may not always be at the forefront of their minds.
What if we turned it around and emphasised that the standards should be shaping and guiding working practices on a day-to-day basis? After all, compliance isn’t just for the head of internal audit to worry about, responsibility lies with all internal auditors.
A good starting point is the Core Principles for the Professional Practice of Internal Auditing which were incorporated into PSIAS in April 2016. The principles articulate internal audit effectiveness so we ought to be able to trace them through all the activities of an internal audit team. They are a good focus for training and development of the audit team – and a short but meaningful way of communicating the value of internal audit to senior managers and the audit committee.
For some principles finding that integration into everyday working should be relatively straightforward. For example ‘communicates effectively’ should be evidenced in every conversation between auditors and clients and every audit report or brief written. Others reflect the well-established approach to audit planning and reporting: ‘provides risk-based assurance’. Some principles, however, require a little more thought and in CIPFA workshops last October we considered how they can be integrated and evidenced with three groups of audit managers and professionals.
Three principles stand out for reflection. Can you put hand on heart and say that your internal audit team meet the following principles?
Using the principles to guide annual planning to ensure the team are focusing on the issues and risks that matter to the organisation and its objectives is one way to identify that integration. Encouraging auditors to think laterally, share ideas, read widely, network and learn from practice elsewhere will enable them to add value to their audit reports with insight. Formally incorporating longer-term issues and how the organisation is responding to them into audit scopes will not only help to embed the principles but also make sure that internal audit is seen as a valuable resource and improvement partner.