Wider dissemination of internal audit results adds value

The statutory internal audit function at pension funds (PW 143a) is taking on an increasingly robust form. This has raised the question, "To what extent can the results of the internal auditors of implementing organizations, to which pension funds have outsourced much of their work, be used?" But are internal auditors ready for that?

As the person responsible for the internal audit function ("key function holder") at several pension funds, I try to make the sharing of internal audit results from the implementing organizations negotiable. I find it effective to efficiently use information from the audits, which are already being conducted.

Implementing organizations respond very differently. Some internal auditors submit their reports including findings and recommendations, others do so in outline form, and a final group provides no information because they say they report exclusively to their company's management. A fascinating playing field, therefore, where one view or uniformity is lacking.

Inquiries to Professional Standards of the Institute of Internal Auditors, provided me with guiding information: the relevant professional standard "2440- Dissemination of Results "* allows the head of the internal audit function to disseminate internal audit results as he sees fit, provided the potential risks to the organization are weighed, permission is obtained from the responsible management, and arrangements are made for further dissemination. 

A clear guideline from the professional standards, to disseminate internal audit results more broadly, if deemed effective. I am certainly going to use this guideline in the upcoming alignments with internal auditors. Also because I believe in the added value of sharing internal audit information. After all, it gives pension funds more insight into the control of the organization. Without the extra costs that would otherwise be incurred for performing additional audits. Submitting internal audit results is a useful addition to reports on the control of the organization, which are usually provided to pension funds annually (such as ISAE 3402, COS 3000 and ISO reports).

Make clear agreements about the sharing of internal audit results by recording this in the audit charters of both audit functions involved and/or contractual agreements between client and contractor. This is in addition to the "right to audit," which is already widely laid down in the contractual agreements between implementing organizations with pension funds and which is explicitly mentioned in DNB Guidance as an essential outsourcing condition. Laying down the agreements provides clarity and continuity in information sharing.

A fascinating topic, about which I enjoy exchanging views with peers. Would you like to know more or continue this discussion over a (digital) cup of coffee? Feel free to contact me at hans@arcpeople or 06-51389261. I look forward to getting in touch with you!

* https://na.theiia.org/translations/PublicDocuments/IPPF-Standards-2017-Dutch.pdf