How Should Internal Audit Use the Work of the 2nd Line and External Advisors in their work?

In today's complex and dynamic business environment, Internal Audit (IA) plays a crucial role in providing independent and objective assurance to the Board and management. To be truly effective and efficient, IA cannot operate in isolation. A key aspect of a successful IA function is the ability to strategically leverage the work performed by other assurance providers, particularly those within the second line of defence and external advisors.

This blog post will explore how IA can effectively utilise the work of these crucial partners, drawing on best practices and the guidance highlighted in our recent internal discussions.

Understanding the Landscape: The second line of defence comprises functions that manage risks and ensure compliance with policies and regulations. This typically includes departments like Risk Management, Compliance, Health & Safety, and Quality Assurance. These functions conduct their own assessments and monitoring activities, generating valuable insights and assurance.

Leveraging the Second Line: A Collaborative Approach: As our internal notes rightly emphasise, coordination is paramount. The Head of Audit (HOA) must actively engage with the second line to understand their roles, responsibilities, and the scope of their work. This collaboration offers several significant benefits:

• Minimising Duplication and Enhancing Value: By understanding the assurance activities already performed, IA can avoid redundant efforts and focus its resources on areas where additional or independent assurance is most needed. This targeted approach maximises the value IA brings to the organisation.

• Identifying Coverage Gaps: Collaboration can also highlight potential gaps in the overall assurance coverage of key risks. By mapping the assurance activities of both IA and the second line, we can identify areas where risks might be inadequately addressed.

• Building a Holistic View of Risk: Engaging with the second line provides IA with a broader and deeper understanding of the organisation's risk landscape, informed by the perspectives of those directly involved in managing specific risks.

Developing a Robust Methodology for Reliance: While leveraging the work of the second line is beneficial, it's crucial to establish a clear and rigorous methodology for evaluating the reliability of their work. Our notes outline several key factors to consider:

• Potential Conflicts of Interest: IA must assess any potential or actual conflicts of interest within the second-line function and ensure appropriate disclosures have been made.

• Reporting Relationships: Understanding the reporting lines of the second-line function is essential to evaluate potential influences on their objectivity.

• Professional Competence: IA should assess the relevance and validity of the professional experience, qualifications, and certifications held by the individuals performing the work in the second line.

• Methodology and Due Professional Care: It's vital to evaluate the methodology employed by the second line, ensuring it demonstrates due professional care in planning, supervision, documentation, and review.

• Reasonableness of Findings and Conclusions: IA must review the findings and conclusions of the second line to determine if they are reasonable and supported by sufficient, reliable, and relevant evidence.

Documenting the Basis for Reliance: When IA decides to rely on the work of the second line, it's imperative to document the basis for that reliance. This documentation should clearly demonstrate that the decision was justified and appropriate based on the evaluation conducted. This provides transparency and accountability for IA's reliance decisions.

The Role of External Advisors: Beyond the second line, IA often engages with external advisors who possess specialised knowledge or skills in specific areas. These advisors can provide valuable insights and support IA's work in areas such as IT security, forensic accounting, or regulatory compliance.

How to Effectively Use External Advisors:

• Clear Definition of Scope: Ensure a clear and well-defined scope of work for the external advisor, outlining the specific objectives and deliverables.

• Due Diligence in Selection: Conduct thorough due diligence to select advisors with the necessary expertise, experience, and independence. Evaluate their qualifications, track record, and potential conflicts of interest.

• Understanding their Methodology: Just like with the second line, understand the methodology employed by the external advisor to ensure it aligns with IA's standards and objectives.

• Review and Validation of Findings: Critically review the findings and recommendations provided by the external advisor, ensuring they are supported by evidence and are relevant to the audit objectives.

• Integration of Work: Clearly document how the work of the external advisor has been integrated into the overall internal audit engagement and how it supports the audit conclusions.

Maintaining Independence and Responsibility: It is crucial to remember, as our notes highlight, that while IA can and should leverage the work of the second line and external advisors, the HOA remains ultimately responsible for the conclusions reached by the internal audit function. Reliance on others does not absolve IA of its responsibility to provide independent and objective assurance. IA must maintain its professional scepticism and perform sufficient procedures to ensure the reliability of the information and assurance obtained from other sources.

Conclusion: A Collaborative Ecosystem for Effective Assurance: In conclusion, a strategic and well-managed approach to leveraging the work of the second line of defence and external advisors is essential for a high-performing Internal Audit function. By fostering collaboration, establishing robust evaluation methodologies, and maintaining a clear understanding of responsibilities, IA can enhance its efficiency, broaden its coverage, and ultimately provide greater value to the organisation. Embracing this collaborative ecosystem ensures that the organisation benefits from a comprehensive and coordinated approach to risk management and assurance.