Technical and Insight
Work programmes and testing in the Covid-19 era

CPD article: James C Paterson looks at the effect Covid-19 is having on internal auditing and the importance of going back to basics on reasonable assurance.

Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.                           


ACCA UK’s Internal Audit network panel regularly consults its members on topics that are of particular interest at a given point in time. At the moment, it is recognised that the impact of COVID-19 is having a big effect on internal auditing. We cannot afford gold-plated auditing or controls anymore. Also, we can't afford to go through the motions of doing assignments that made sense at one point in time when things have changed significantly as a result of COVID-19.


The following article looks at how to manage internal audit assignments from a practical perspective in the current context. Specifically, it looks at the work programmes required in the current environment where lean and agile auditing is increasingly expected. It also considers some fundamental questions about what we mean by reasonable assurance.




It's not every day that an internal audit article starts with a quote from Lenin. But here it is: “There are decades where nothing happens; and there are weeks where decades happen.” This was written just before the Russian Revolution in 1917 but is timely in the coronavirus pandemic era. The pandemic's impact has been profound and has impacted governance risk management and Control (GRC) activities and external and internal auditors' work.


This new era demands that internal auditors work on issues that really matter and quickly provide insights with practical solutions. Clearly, this means that the internal audit (IA) function needs to carry out a much more dynamic planning process.  It also means that the day-to-day work programmes and testing in audit assignments need to change as well. This explains the considerable impetus behind IA becoming a trusted advisor, as well as lean/agile ways of auditing, and leveraging data analytics.


However, as readers will appreciate, responding to changing demands in a compressed timescale creates its own risks. Specifically, for IA teams, we might forget some of the fundamentals that underpin our profession's credibility. The trick is to balance the need to be more lean and agile with IA standards. This short article will seek to outline some of the evolving practices that achieve this.


You can read the rest of this article here.



James C Paterson, Risk & Assurance Insights Limited


James is a former head of internal audit, consultant, trainer (face to face and webinars) and the author of: Lean Auditing.



James will be presenting a free ACCA webinar on this topic at 12.30pm BST on 22 April - register now




Internal Audit - a view from the Board

Tim Le Mare explores how Internal Audit can strengthen its position and conversation at Board level.

The concept of the three lines of defence and its various interpretations provides a good tool for positioning and championing Internal Audit within organisations. Like many concepts it is not without its critics and limitations, but on the whole it does provide a good basis to frame the discussion regarding the Board’s Assurance Framework. Tim Le Mare explores how this can be used by Internal Audit to strengthen its position and conversation at Board level.


The recent publication of the Government’s consultation - Restoring trust in audit and corporate governance - will have ramifications across an organisation’s governance framework, including the role of Internal Audit. While the focus of the consultation is on the financial reporting and control framework for listed companies, the principles behind the consultation: the need for clear accountability; robust management self-assessment and attestation; and ensuring adequate and effective independent assurance, are ones that have wider applicability.


Internal auditors are familiar with the need to ensure governance and assurance frameworks are aligned, and have been using the three lines model for over a decade to help guide the interplay between management and the internal audit function. The recent revision to the model, with an increased focus on collaboration, speaks to the importance of ensuring assurance providers - wherever they sit in the organisation - have clear lines of sight and effective working relationships.


While the three lines concept is well known, how does this concept work in practice? One way of exploring this question is to examine the assurance framework from the vantage point of the board, particularly the audit committee. As assurances funnel up through the organisation the audit committee has a prime position at the top of this funnel looking across the three lines and trying to make sense of the various sources of assurance it has available. The Risk Coalition has undertaken significant work in this space looking to understand the connection between board strategy, risk management and the assurance framework. From its work surveying risk and audit committee members, some common themes emerge:


  • The need for assurance to be driven top down from the board
  • A stronger linkage between board objectives and assurance activity
  • A greater focus on assurance stemming from the first line
  • A more effective way of presenting the totality of assurance activity across the three lines.


These themes should be received as positive encouragement of the work assurance providers have been performing to-date. The Risk Coalition’s work shows a real appetite and need at board level for clear actionable assurance information, which is a solid foundation to build upon. The question for all involved in governance and assurance is how to go to the next level and drive a more integrated assurance framework.


For internal auditors, this poses some interesting issues on how best to support the board and audit committee. All too often internal audit is one of – if not the only - leading voice on assurance matters within an organisation. That voice should have a key role in shaping the assurance agenda and closing the gap between board level expectation and current practice.


So how should Internal Audit use that voice?


  • Senior level engagement. Now more than ever with the publication of the consultation on a UK regulatory controls regime, there is a space at the top table for Internal Audit to advise on the optimum assurance model. What is clear is that different stakeholders have different perspectives on the optimum assurance model, largely based on previous experiences and views on organisational strategy and future direction. Ensuring regular dialogue between Internal Audit, the audit committee and the wider c-suite is time well spent in building mutual trust and understanding.


  • Objective led assurance. There is often a tendency for internal auditors to ‘push’ assurance work onto the organisation. Moving to a position where the board is ‘pulling’ assurance from Internal Audit (and other assurance providers) helps to align expectations. Working with the board on developing a culture of objective led assurance is a key way of ensuring the board is clearly communicating to Internal Audit its needs for third line assurance.


  • Clarifying assurance responsibilities. When assurance issues are raised, very often all eyes turn towards Internal Audit as the key assurance provider. While flattering(!) for Internal Audit, it can lead to management taking a back-seat when it comes to driving conversations on assurance. The ‘UK SOX’ consultation paper puts a focus on attestations as a key mechanism for ensuring accountability for control and control assurance is clearly placed on management and the first line. This gives Internal Audit an opportunity to open a wider conversation on the role of the first line in assurance.


  • The big picture view. One of the key themes from the board and audit committee is they need help in understanding and visualising the totality of assurance across the three lines. The use of assurance maps and dashboards to surface and align assurance activity is one that has steadily risen up the audit committee agenda. Internal audit can help influence, particularly the second line, that investing in developing and maintaining this holistic assurance landscape pays dividends in allowing the board to gain a succinct coherent view of assurance activity.


While there is a current focus and debate on financial reporting and control, the above points have much broader applicability across the risk and control framework. Cyber, ESG and wider geo-political risks (eg Brexit) are all examples of priorities jostling for attention. Staying close to the board and its agenda, working to understand how assurances across the three lines combine, and helping the board to understand the totality of assurance, are all areas that will pay dividends in Internal Audit’s standing within the organisation, now and in the future. 


To join the debate, please register for ACCA’s free webinar on 13 May at 12.30pm when I'll look at this topic further with Bryan Foss of Risk Coalition and Lee Glover of Haines Watts.


And look at these additional resources:



Tim Le Mare, Regional Sales Director, Integrated Risk for Workiva

(with contributions from Bryan Foss, Co-Founder and Director of Risk Coalition and Lee Glover, Director at Haines Watts and Chair of ACCA UK’s Internal Audit Network Panel)

Auditing Agile & Agile Auditing

Alison Booth and Mark Paton of Pelicam Assured Delivery discuss the unique set of challenges created by Agile methodologies.

Alison Booth and Mark Paton of Pelicam Assured Delivery discuss the unique set of challenges created by Agile methodologies.


It’s no secret that Agile work methodologies have become something of a must-have for many businesses over the last two decades. Particularly for companies in the technology space, the ability to build, release, measure and pivot product offerings quickly has become an important, if not essential, way of working. From an audit perspective, however, Agile methodologies have created a unique set of challenges which, if not properly dealt with, threaten not only to negate the benefits which Agile working can provide, but actually destabilise the business as a whole. This article will explore the factors which auditors need to be aware of when working within an Agile environment and suggest some practices and approaches which can ensure your auditing function is actually adding value to the agile process rather than detracting from it.


The advent of Agile


Agile working is generally considered to be the brain-child of tech start-up culture; companies like AirBnB and Uber are among the first names that come to mind when you start talking about Agile working. For start-ups, working with limited funding or resources and where the need to launch a product to market before the competition is critical, Agile product development provided a solution. Rather than working in a traditional “waterfall” approach where the project would be defined, built, tested and then released, these businesses opted for an iterative approach. These start-ups realised that by shortening their project life-cycle and building, launching and measuring the success of product or features “bit by bit” - they could go to market more quickly. Start-ups could launch a minimum viable product (MVP), start building a customer base and establishing their brand, and then continue to add to, or “iterate” on their offering.


Agile product development also had an additional benefit for start-ups which may be one of the reasons that so many more established companies suddenly wanted in. By shortening project life-cycles, start-ups reduced overall project risk. Rather than spending two years creating a product which didn’t work as well as expected, or for which there was no real market appetite, start-ups were able to learn from the real-world success of each iteration and change their offering accordingly. In the fast moving world of technology that ability was and still is priceless. Tech companies of all sizes now switch features on and off constantly, giving themselves the ability to optimise their user experience (and their revenues) at the flick of a switch. Venture capitalists were similarly comforted by the benefits of Agile working - the performance of their investment being apparent more quickly and their exposure reduced.


However, not all businesses are start-ups. As more and more established businesses underwent the “digital transformations” of the last two decades, Agile working found itself in unfamiliar surroundings. These businesses want the benefits of Agile working (including reduced risk, increased speed and the ability to attract tech talent) but alongside or within a legacy framework. If not managed properly that contrast can create tension and disconnection between tech or product teams and the rest of the business. This is often most apparent for Audit or risk functions whose responsibility it is to understand the bigger picture.


How can Audit help Agile? How can Agile help Audit?


For someone working in Internal Audit, that might sound like the perfect storm; a tech team responsible for the future of the business, working in a way which doesn't seem to be compatible with the rest of the business. Yet if it’s managed properly, the relationship between Agile and Audit can be a mutually beneficial one. For the Agile team, the Audit function can be the bridge between their projects and the stakeholders elsewhere in the business. Auditors can be the translators of Kanban boards and Jira tickets into documentation which others can easily digest. From an Audit perspective, Agile working need not be a nightmare proposition either. Once understood, shorter project cycles and quicker data and feedback can provide the opportunity to ensure project objectives are still front of mind.


Making that relationship work does require a different approach, and sometimes a different skill set, to that which you might use in a non-agile business. Understanding what that approach is will ensure that your organisation can enjoy all the benefits of Agile working without the perceived risks or shortfalls.


Auditing Agile; the approach and skill set


As an auditor, understanding the way in which the agile part of your organisation works is key to developing the approach and skill set you’ll need to effectively work alongside them. For some people that starts with getting to grips with the vocabulary of Agile; what’s a sprint, a stand-up, Kanban, MVP? For others it means understanding who does what within the team, and what do those job titles means in terms of responsibilities? Should you be working more closely with the scrum master or the product manager? Answering these questions is a good place to start when developing a strategy.


Once these foundations are established, the focus becomes timing and engagement. As you will have noticed, the pace of Agile development is one of its key strengths; ensuring you are in-step with the Agile process is a great way to create the sense of working with an Agile team rather than against them. In practice that means understanding the timing of their daily and weekly review meetings, the length of sprints and release schedules. By engaging with the right people, at the right time, you can ensure your audit reviews happen at a point which will be able to provide the most accurate and constructive insight for the wider business.


Similarly, understanding how the teams communicate and document their projects and workflow is essential. Where in more traditional “waterfall” type businesses a development team might bear the responsibility for documenting their work in a way which is logical for the board, that might not be the case in a business where Agile is working alongside non-Agile departments. For an outsider, documentation might seem hidden or non-existent (particularly in so-called “lean Agile” environments) - but in reality it often in a different format to the one you’re used to. The time required to document everything formally is often a barrier to the speed in which Agile teams are trying to work; you’re more likely to find the information you need on Kanban boards, post-it notes or digital “tickets” on something like Jira. Understanding what information you’re likely to find where is essential if you’re going to a) learn from that information, b) know when something’s been missed.


Effectively auditing Agile teams and processes also requires a level of creativity and flexibility which may not have been part of an auditors job description 10 or 20 years ago. Agile auditors need to be able to quickly switch between looking at the overall picture within the context of the business objectives, to looking at quite granular detail of specific sprint cycles. Understanding how lots of little issues on the granular scale might add up to a larger issue which should be reported to stakeholders is one of the unique challenges which agile auditors will come up against.


Communication is still key


It’s easy to think, having read all the above, that “Agile changes everything” and that the job of an auditor is now unrecognisable. The jargon and methodologies can seem intimidating but in our experience there is a constant theme which underpins all of the changes, and it’s one which auditors will know has been true long before Agile became a “thing”. Communication is still key. Finding the right person to talk to, asking them the right questions, at the right time, and then translating that into clear updates for board members or stakeholders. By doing so effectively you can satisfy the internal risk function of the business while also actually adding value for the Agile team. Communication from stakeholder level back down to the development team will help inform their next development cycle. Suddenly, as an auditor, you’re benefiting from the speed, dynamism and flexibility; from the agility, which made Agile workflows so popular to begin with.


Alison and Mark presented a free webinar on this topic for ACCA which is available on demand - register now.



Alison Booth is the Business Transformation Partner at Pelicam Assured Delivery 


Mark Paton - Financial Services Partner at Pelicam Assured Delivery Mark Paton is the Financial Services Partner at Pelicam Assured Delivery 


The pros and cons of advisory reports

The use of advisory reports is sometimes controversial but there is a role for them. ACCA UK’s Internal Audit Panel discussed the advantages and disadvantages of using such reports recently.

The use of advisory reports is sometimes controversial but there is a role for them. ACCA UK’s Internal Audit Panel discussed the advantages and disadvantages of using such reports recently.


What are advisory reports?


An advisory report sets out best practices to be followed and internal controls needed, in order to improve risk management over the subject area. The Chartered Institute of Internal Auditors paper, Consultancy engagements(22 September 2020)says “There are various assurance and consultancy activities that internal audit may undertake.” Assurance is normal auditing work whereas consultancy is limited scope audit advisory.


IIA Global's glossary defines consulting services as:


Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.


It goes on to suggest, inter alia, that:

  • The standard of work is the same as that delivered for assurance work.
  • It should be made clear to management that all consultancy work will be reported to the audit committee and be included in the overall opinion with progress on results monitored to the extent agreed upon with the client (Standard 2500.C1). 

This second bullet point is particularly important in the context of this article.


What should they not do, or evolve into?


If you look at the Croydon tram derailment in 2016, a safety audit occurred after the event in which a tram driver fell asleep and there were seven fatalities. An audit report was presented a short while afterwards, but this was downgraded to an advisory piece to make it more palatable. This is neither the purpose of advisory work nor is it an acceptable action for a professional internal audit function.


If a piece of work sets out as an audit then it should have an opinion. Auditors need to “own” their opinion and playing with the recommendation gradings to make the report more palatable undermines their credibility as well as the reputation of the organisation concerned and the profession as a whole. If there is a disagreement on the accuracy of the facts on which the opinion is based, then this needs to be addressed and, if appropriate, the opinion revised. However, if the facts are substantiated then the professional opinion of the auditor should stand. It always helps if the basis of opinions is set out in advance. For example, what constitutes a high, medium, or low finding in financial terms (or other) appropriate to the scale of the entity being audited or the speed with which a risk may manifest and how the opinion for this audit fits within the overall assurance framework.


If the work scope sets out as an advisory piece then, the report purpose and format, as well as the methodology implemented should be agreed up front.


However, there is a role for advisory reports and whilst some organisations use them as a Plan B where audits would be unpalatable, others use them effectively to supplement the assurance work and give a broader overview or assist management in developing the entity’s control framework.




A non-executive on the Board may struggle to get certain audits on the plan, but may be able to petition to get advisory pieces on it, despite the politics or timing of critical dependencies.  


That gives you some insight into what management is struggling with, what the Board is struggling with, and what the auditors think, without it being formalised into an opinion. It is a difficult area – you would far rather have opinions on everything, but if you cannot get an opinion piece done because of the environment then an advisory piece is your next best option in some circumstances.


In particular, with the ongoing Covid-19 pandemic, if it is not going to be feasible to cover all planned audits, we could nevertheless do a short advisory piece that will shine a light into the corner and see what comes out, and maybe be able to get an audit on the plan thereafter if issues are detected.


Another advantage is that it is easier to get advisory pieces finished because people seldom argue if there are no opinions involved! And from an auditor’s perspective, purely advisory pieces are better for professional indemnity insurance as you can limit your liability if you are not giving an opinion that you can be held to account on.




With advisory pieces, it will be difficult to hold the auditors to account. Where it is done as an advisory piece, you will not be able to query the opinion for the area under consideration. Even if you are crystal clear up front what you want from an advisory piece, the fact that it is advisory and auditors are working WITH management rather than being held to account on an opinion, makes it much more difficult to get the quality that the Board needs out of it.


Whilst being able to limit your liability is an advantage of doing advisory pieces, it is also a disadvantage as the way to limit your liability is to exclude as much as possible, blame management for failing to provide you with the information you need, and not give any kind of opinion that you can be held to account on. That is likely to mean that stakeholders will not be able to get as much value as they would like from the work that you have done.


Advisory pieces tend be based on experience and best practice. It can be a case of “I’ve seen this somewhere else – it works well – you should consider it” instead of  “I’ve looked at your control framework and it’s not working because you’ve got a gap here and you’ve got an exception there and there’s a work around over the other place”. Audit work actually looks at what you’ve got and determines whether that is fit for purpose.


Where there has been an incident, Internal Audit should go in and see what exactly happened, where the control failures are, and what is being done around it. Advisory can come in and look at the bigger picture and identify the areas of improvement, but the audit or the investigation needs to have taken place before you can get to that stage.


Hybrid approaches


Some internal auditors adopt a hybrid approach – they look at what controls are in place and whether they are working effectively. They ask if various actions have been thought about and then suggest improvements. Fundamentally it’s an audit review but then with some advisory added on top of it.


A final comment


This article seeks to consider the advantages and disadvantages of advisory reports without making a recommendation. We’d be interested in your thoughts on what you’ve seen work or fail as a result of “advisory workscope”. What value did it drive?  Which best practices did you see? To continue the conversation, please go to the GRACE LinkedIn group for ACCA members and share your experiences with others.

Diversity in Internal Audit

Internal auditors work in many different sectors and types of organisation. Hear from some of our members on how they came to be in Internal Audit and what they enjoy about the role.

Collage of ACCA members working in internal audit


Internal auditors work in many different sectors and types of organisation. 


You can hear from some of our members on how they came to be in Internal Audit and what they enjoy about the role on our website





Auditing climate impact

Investors expect material climate risks to be reflected appropriately in audited financial statements, but will their expectations be met?

Reporting on climate is going to be a long journey with many twists and turns along the way, writes Alison Thomas of the Bailey Network in this ACCA article.


Pressure to manipulate results

Recent cases of Deloitte and General Electric highlight the dangers of falling back on estimates and long-term projections.

Jane Fuller, co-director of the Centre for the Study of Financial Innovation, says executives have a big decision to make about the way they report their companies' financial performance as the resurgence of Covid-19 plays havoc with forecasts in this ACCA article.

Upcoming Internal Audit webinars

Register now for our upcoming free webinars for internal auditors.

Register now for our upcoming free webinars for internal auditors:


Work programmes and testing in the Covid-19 era  22 April (12:30)

James C Paterson - Director of Risk AI - will look at how you can manage internal audit assignments from a practical perspective in the current context. Specifically, he'll look at the work programmes required in the current environment where lean/agile auditing is increasingly expected, and he'll consider some fundamental questions about what we mean by "reasonable assurance". 


See James' article on this topic in this e-bulletin.


Internal Audit - a view from the Board 13 May (12.30)

The concept of the three lines of defence and its various interpretations provides a good tool for positioning and championing Internal Audit within organisations. Like many concepts, it is not without its critics and limitations, but on the whole it does provide a good basis to frame the discussion regarding the Board's Assurance Framework. Board level. Tim Le Mare of Workiva, Bryan Foss of Risk Coalition and Lee Glover of Haines Watts will look at how this can be used by Internal Audit to strengthen its position and conversation at Board level.


See Tim's article on this topic in this e-bulletin.


Each webinar will provide one unit of verifiable CPD where it is relevant to your work.

ACCA's Internal Audit week 2021: Resilience in a Dynamic Environment

Save the date for our inaugural Internal Audit week - 20-24 September

ACCA's inaugural Internal Audit Week takes place from 20-24 September 2021.


Bringing you a week of topical online sessions to help you and your business thrive through uncertainty.


Register your interest to receive further information at 

ACCA resources for internal auditors

ACCA's Internal Audit hub is a great resource for those working in Internal Audit or thinking of moving into Internal Audit.

ACCA’s Internal Audit hub provides support to our members working in governance, risk, assurance, control and efficiency (GRACE). The latest edition to the hub is a resource for those moving into Internal Audit. Resources already available include:


  • making the move from external audit to internal audit
  • what is internal audit and what does it do?
  • core skills such as interviewing, designing the test plan, sampling, executing testing, evidence recording and report writing

The content is a mixture of bite-size webinars, brief guides, articles and presentations. We will be adding to the resource over time.


Other sections in the hub:


Learn about internal audit

This section explores what internal auditing is like in practice and the many pitfalls to avoid. A series of guides covers internal audit for beginners, the management team, the audit committee and Heads of Internal Audit. New to this part of the hub is a section on evidencing compliance with professional standards.


Our webinars and other resources

ACCA UK’s Internal Audit Network regularly runs free webinars for its members working in internal audit. Search here for past webinar series on blockchain and crypto currencies for internal auditors, cyber security, de-mystifying IT audit and GDPR.


This section also has a new Resources by theme area that collates material produced by ACCA in the past few year by the themes of ethics, audit management, IT and regulation/legislation.


Our publications and other research

Here you'll find a link to the most recent edition of this e-bulletin and you can also search for CPD articles for internal auditors. 


Internal Audit blog

If you would like to gain some insight into the life of an internal auditor then look at our blog series “A day in the life of the invisible auditor” where a different internal auditor provided some thoughts every week in 2019.

ACCA Brexit hub

You can follow ACCA's views, opinions and guidance on Brexit through its Brexit hub.

You can follow ACCA's views, opinions and guidance on Brexit through its Brexit hub.


Check out our factsheets, guidance and events - we'll be adding to this resource as developments progress.