Newsletter Q&A

The IIA–Australia issues an e-mail newsletter every fortnight. Newsletter Q&A is a feature in conjunction with our ‘IAassist ask a question’ service. Newsletter Q&A seeks to provide insights to issues that affect many Internal Auditors. Members are welcome to send questions to

Please see below list of questions answered in previous newsletters:

I am seeking advice about the scope of internal audit services and whether internal auditors can provide expert services beyond ‘traditional audits’.

My organisation’s internal audit service is completely outsourced to a service provider firm. Would they also provide ‘advisory services’?

What is the position when internal audit engagements are performed by external service provider firms? Is the organisation’s internal audit function still responsible for the quality of internal audit work performed by an external service provider firm? If internal audit work is done by a firm, the firm would presumably have its own internal quality assurance procedures over its work. Would the organisation contracting the firm also have any quality assurance responsibility?

From time-to-time, another part of the organisation will engage the internal audit service provider to perform consulting engagements. Is there a problem with this?

I am a solo internal auditor in a not-for-profit organisation. From time-to-time and when budget permits, a service provider is procured to audit a technical topic that I don’t have the skills to audit such as IT. We recently requested service provider proposals from a small number of firms and selected one to perform an IT audit. We were getting ready to start the audit when we received a service agreement from the service provider saying we needed to sign it before the audit commenced. The service agreement document was a few pages and contained reference to the audit being performed in accordance with ASAE 3000 ‘Assurance engagements other than audits or reviews of historical financial information’, plus a bunch of stuff such as: › The internal audit report and the information contained in it will be confidential and not to be used or disclosed in any way without the service provider’s prior consent. › The report will be copyright to the service provider, with all rights reserved. › Work papers from the audit will be retained by the service provider which is accepted industry practice. Is this normal?

What are good practice reporting arrangements for internal audit to have effective independence from management?

In my organisation, internal audit reports functionally for its operations to the audit committee through the chair, and administratively to the head of corporate services. Is this a recommended practice?

I have just taken over as chief audit executive of an internal audit function. The internal audit plan I inherited has time allocated to support the external auditor’s work on the annual financial statements audit. Is this normal practice?

I understand good practice internal audit reporting arrangements are for the chief audit executive to report functionally for internal audit operations to the audit committee through the chair, and administratively to the chief executive officer. But who should assess chief audit executive performance?

What are reasonable internal auditor time utilisation rates? Is there guidance on productive audit time and other time such as administration?

An internal audit report prepared by internal audit formed part of the papers for an audit committee meeting. Between internal audit submitting the report to the secretariat and it reaching the audit committee, it was altered by senior management. How can this be avoided?

I am not an internal auditor but have a friend who is. In discussions with my friend, internal auditing sounds like a career that interests me, especially as the skills required to be an internal auditor seem to be transferrable between corporate organisations and the public sector, plus across different industries. Can you offer some ideas about how I might break into an internal audit career?

I’ve heard of the concept of using guest auditor specialists from within the business to bring technical expertise to audits? Wouldn’t this be a problem from an independence perspective?

I recently joined an audit committee as an independent member. My background is legal, which is the skill the organisation wants me to contribute to their audit committee. I don’t know a lot about other things that audit committees cover, including internal audit. What might be some tips?

I am an internal auditor with an internal audit plan that contains audits I conduct throughout the year. The end result of each audit is an internal audit report. In recent times, management has started to question why internal audit reports aren’t ‘balanced’ by containing positive commentary, in addition to what needs to be fixed that was discovered by the audit. I have always written internal audit reports based on what needs to be fixed, which I believe is called ‘negative by exception’. If I was to provide positive commentary in internal audit reports, wouldn’t I need to do a lot of extra audit work to provide assurance over the positive commentary?

I am a solo internal auditor who started up an internal audit function at my organisation about one year ago. I don’t want to name my organisation or industry sector for obvious reasons which will become clear. I recently completed an internal audit on payroll, the first payroll audit ever performed, which found many employees are being underpaid. I took this up with the chief financial officer who told me if I issued the report in its present format, it would almost certainly affect my employment. I took this to mean I would be fired. I also took it to mean management is aware that employees are being underpaid, either deliberately or accidentally, and is doing nothing about it. What can I do?

In the last Newsletter Q&A, you answered a question from a solo Internal Auditor in a new Internal Audit function. The Internal Auditor completed the first ever internal audit on payroll that found many employees were being underpaid, with management almost certainly having knowledge of this, but doing nothing. The Internal Auditor was threatened to change the report or face unpleasant consequences. What can an Internal Auditor do when something like this happens and their job security is threatened?

My internal audit unit recently had a five-year external quality assessment performed by an independent person from outside our organisation. We rated pretty well against the 52 internal audit standards but were marked down on Standard 1320 ‘Reporting on the quality assurance and improvement program’. What should be done to conform with this standard?

When internal auditors conduct internal audit engagements, they test samples and review documents. When preparing the audit file, are internal auditors required to retain copies of all samples and documents tested, or are they only required to retain evidence of exceptions? What do the IIA Standards require? What is the most common practice used by internal auditors? 

I work in a fairly large internal audit function with international operations. The internal audit unit has in-house internal auditors distributed around the world and quite a number of these say they are Certified Internal Auditors (CIAs). What is the best way to confirm whether someone is certified?

I am an audit manager in an in-house internal audit function. I report to the head of internal audit.
With the pandemic crisis currently happening, I asked the head of internal audit if perhaps our internal audit function should take some time off from the audits we are doing in line with the approved internal audit plan and use the time to help out our organisation in any area where help might be needed.
The head of internal audit replied that the audit committee approved the internal audit plan and we must continue to action it by performing audits. I figure we are getting in the way at this difficult time, but the head of internal audit sees it differently. Plus, he said what could we do anyway because we need to stay independent.
What do you think?