Site icon Risk and Control: Ideas for a better tomorrow

IPPF and Recommendation

This is a work of fiction. If you find any similarities with a real life situation or a person then you should ignore real life situation/ person. As author of this work has limited the scope of this work to fiction.
A fictional dialogue between Management and Internal Audit.
Management: I need you to look into a situation and help me in resolving the issue.
Internal Auditor: Ok.
 
After the review:
Management: I saw your report where you have mentioned that there is a problem. But how should we fix it.
Internal Auditor: I have made recommendation that the problem should be fixed.  IIA standard “2130 – Control” states that “The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.”
Management: Ok. You mentioned that it should be improved. But tell me how.
Internal Auditor: If I tell you how, then it may create an independence issue.
Management: How?
Internal Auditor: IIA Standard “2500 – Monitoring Progress” states that “The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.” Further standard 2500.A1 states that “The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action”.
If I recommend something, then I cannot be testing it. Standard 1130.A1 states that “Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.”
Management: Okay. But you are not responsible for the solution, you need to tell me. If I like it, I will carry out it. If I don’t like it, I may not. Your definition of Internal Auditing says “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” So how I will improve if you know and don’t tell me. Do you want me to hire a consultant to again do the review and tell me what to do when you know what We should do?
Internal Audit: IIA standard does offer for Consulting Services. It says “Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice — the internal auditor, and (2) the person or group seeking and receiving the advice — the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.”
But I can do that only after a year. Standard 1130.C1 allows that “Internal auditors may provide consulting services relating to operations for which they had previous responsibilities. “ But I will not be able to do an assessment for this are as required by 1120.A1.
Management: So you will not tell me how to improve? If you tell me how to improve, then you will not assess that area for a year. I won’t be knowing whether the solution is working or not for a year? Don’t your standard “2110 – Governance” says that “The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the objectives”. And standard “2410 – Criteria for Communicating” says “ Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.”
Internal Auditor: I have recommended as the per the standard that there is a need to improve the control.

Exit mobile version