It is an exciting time to be in internal audit. The Government’s consultation on ‘Restoring trust in audit and corporate governance’ has a far-reaching impact for internal audit functions and it is important that action is taken so functions can add value early on in the journey.
The proposed reforms will pose a number of questions for internal audit functions. I think it is critical that Chief Internal Auditors are engaging with Audit Committee members to talk through the proposed reforms and how to respond within internal audit. For example, I would expect internal audit to be involved in and play an important role in any impact assessments and the programme for strengthening the framework for reporting on internal controls.
I have set out the key considerations below.
What does it mean for internal audit functions?
A strengthening of the internal control framework for financial reporting
A new UK framework for reporting on internal controls is coming, and internal audit can play a pivotal role whilst maintaining independence and objectivity.
Assurance over existing internal controls - Audit Committee chairs will be interested in the current position of the internal control framework over financial reporting and the action required to close any gaps. I believe internal audit functions have a really important role to play here. Undertaking an internal audit of the existing operating model is a valuable way to understand this position and feed into any internal control programme and scoping activity. This isn’t a small task and gaining clarity over the key financial processes and IT systems used to identify material controls is important.
Internal control implementation programme/steering group – It is critical that first line takes responsibility for designing and implementing the internal control framework. However, third line assurance can both add value and provide useful insight. The Chief Internal Auditor should be actively involved in any implementation programme so they can challenge and provide a view throughout the journey. For some companies this journey will be significant, and the scale of any programmes should not be underestimated. Consideration could also be given to performing audit activity over the implementation programme.
Independent assurance following implementation – The assurance requirements following implementation have not yet been fully considered and don’t feature heavily in the white paper. There will be an impact on internal audit and financial reporting controls; and processes should be captured in the audit universe. It could also change the skill set required within the internal audit function, e.g., focus on financial reporting expertise.
Developing internal controls for financial reporting is a good starting point. It will be interesting to see whether Audit Committees push for greater assurance over internal controls relating to key areas of business risk, e.g., cyber, data management, regulatory reporting, etc., as this agenda takes shape.
The development of an audit and assurance policy
The white paper proposes to introduce a statutory requirement on public interest entities to publish an Annual Audit and Assurance Policy. This will set out the approach to seeking assurance over its reported information over a three-year cycle. It will also provide an opportunity to set out a company’s approach to internal audit and broader assurance activity. This document should be owned by the Audit Committee and the Chief Internal Auditor should be heavily involved in its preparation. I believe this is going to the heart of assurance mapping across the three lines of defence and identifying key sources of assurance. This is a complicated area to get right and many internal audit functions I speak to find this particularly challenging. Key considerations for this policy include:
- The objectives of the policy and the approach taken to develop it (including whether employee and shareholder views have been considered)
- The main sources of independent and objective assurance over the next three-year cycle
- Coverage over the internal control framework and the company’s Resilience Statement over the next three years, including reporting relating to ESG related factors
- The steps being taken to strengthen its internal audit and assurance capability over the next three years
- The approach to tendering external audit activity.
Other factors in the white paper
There are some other considerations in the white paper for internal audit functions:
- Prevention and detection of material fraud – IIA Standards already require internal audit functions to review and assess controls relating to fraud on a regular basis. We would expect internal audit functions to continue to assess fraud on a regular rotation basis and this should feed into the audit and assurance policy.
- Reporting on payment processes – The white paper recommends that there is improved reporting on payment policies and performance. The Government wants to keep focus on eradicating poor payment practices. Internal audit is well positioned to assist in this area and provide assurance on an appropriate rotation basis, e.g., through data analytics.
Although we don’t yet have all the detail, there are some key actions that internal auditors can take now to get ahead:
- Drive the internal control awareness agenda across the business and at Audit Committee level to ensure it is given appropriate focus
- Get involved in the SteerCo which has been implemented to develop the reporting arrangements on internal controls and contribute to its implementation
- Support the business in the drafting of the Audit and Assurance Policy prior to being approved by the Audit Committee
- Perform a health check assessment of the financial control environment before the implementation of internal controls to support the business in identifying its starting point.
At KPMG, we have been instrumental in helping our clients understand and implement SOx in the US. There are some key learnings from the US SOx implementation which should be considered for UK SOx:
- Internal audit departments not being involved in the Steering Committee resulted in the implementation of unsustainable frameworks
- Significant number of manual controls being implemented and limited automation meaning the internal control framework was unsustainable
- Audit Committee not being brought along the journey during the implementation phase which resulted in challenge late in the day
- IA departments not having the relevant skills and experience on SOx related matters
KPMG can help you to prepare for UK SOx by:
- Assess: Risk and Readiness – Understand as-is control framework and gaps
- Transform: Remediate / Design – Remediate and design controls that work for the business
- Transform: Implement – Assist with control implementation
- Test: Design and end to end solution – Dry run and test efficacy of the internal control reporting framework
- Go Live – Testing & Reporting – Run live processes of all the in-scope controls and annual schedule of work (from Q1 2024 onwards)
If these are the areas you are looking for support in or want to discuss anything else, please contact me.
Some or all of the services described herein may not be permissible for KPMG audited entities and their affiliates or related entities.