Standard

GovS 009 Internal Audit: Continuous Improvement Assessment Framework

Updated 5 March 2024

Figure 1 The structure and scope of functional standard GovS:009 Internal Audit version 2.0

1. Purpose and scope of the assessment framework

1.1 Purpose of this continuous improvement assessment framework

This assessment framework is designed to help drive continuous improvement within and across government organisations, by helping government organisations to assess their adherence to, and practical application of, key features in the internal audit functional standard.

This assessment framework is consistent with assessment frameworks for other functions, so that senior leaders can take a consistent and coherent view of performance across all functions in their organisation.

This assessment framework draws on, but does not replace, the internal audit functional standard [1], which should be complied with; this framework should be read in conjunction with that functional standard. It is designed for people undertaking assessments of their organisations and for people taking organisational improvement actions as a result of the completed assessment.

For more information on continuous improvement, see the Guide to continuous improvement against functional standards.

1.2 Scope of this continuous improvement assessment framework

This assessment framework applies to the planning, delivery, and management of internal audit activity:

  • in government departments and their arm’s length bodies

  • delivered by civil servants, public servants, co-sourced and/or third-party providers or a combination of these

  • regardless of the tools used for delivery

  • including all internal audit services, e.g. assurance, evaluation, compliance, advisory and consultancy, and pre-inspection reviews. Where internal audit provides counter-fraud activity, Government Functional Standard GovS 013: Counter Fraud sets the expectations for the management of fraud, bribery, and corruption risk in government organisations.

2. Using this assessment framework

2.1 How the framework relates to the functional standard

This continuous improvement assessment framework draws on its related functional standard and includes a set of statements indicating different levels of organisational capability against aspects of the standard, ranging from non-compliance, or adopting (‘developing’), through ‘meeting the minimum’ (‘good’), to better and best, as shown in Figure 2.

The assessment framework draws attention to how the requirements of the functional standard can be implemented in organisations of different maturities so that the organisation’s leaders can plan improvement initiatives where needed. Not every organisation, or part of every organisation, needs to operate at best.

Figure 2 Good, better, and best

2.2 The structure of the continuous improvement assessment framework

The structure of the assessment framework is designed to give an indicative picture of how well an organisation is doing. It covers:

Theme: the overall topic being addressed
  Practice area: what is being assessed
    Criteria: the statements to be met

Theme: A theme is the overall topic being addressed in that section of the assessment framework. The context and more information about the themes addressed can be found in the functional standard.

Practice area: Each theme comprises practice areas. Each practice area has an overall statement about what is expected. A practice area might relate to one or more clauses in the functional standard.

Assessment criteria: Each practice area is supported by a number of criteria. Criteria help to define what is happening in an organisation (observable in practice, backed up by evidence). Criteria denote good, better, or best performance. Refer to the internal audit functional standard for context and detail. For example, the content of a ‘governance and management framework’ is described in the governance section of the standard.

2.3 Assessing an organisation

Before starting an assessment, the boundaries of the organisation being assessed need to be defined. A whole department or arm’s length body can be covered, or the assessment can be limited to a defined part. Be careful when defining the boundaries in terms of a specific business area, as the perceived remit of the associated management team might be too narrow for the assessment criteria to make sense. On the other hand, dividing a large organisation, where performance across the organisation varies, into its major groups can help pinpoint where improvements are needed.

Attitude is key. This assessment framework is a tool to support organisational improvement, and the assessment will add no value unless there is honesty in response to the criteria.

In order to be considered ‘good’, ‘better’ or ‘best’, an organisation needs to meet at least 90% of the criteria for that level. By default, failure to meet at least 90% of ‘good’ criteria means the organisation is ‘developing’. Business leaders should set ambitions for their organisation based on business need, as set out in their strategies and/or plans. For some organisations ‘good’ might be ‘good enough’. For other organisations, their area of business might dictate that meeting ‘best’ is necessary.

Levels are additive. An organisation needs to meet at least 90% of the criteria of any lower level in order to consider compliance with the higher level. For example, an organisation cannot be ‘better’ if it doesn’t meet at least 90% of the criteria for ‘good.’ Any actions to address criteria that have not been met should focus on those in the ‘good’ criteria in the first instance.

Most functional standards rely on other functional standards (as listed in clause 1.3 of every functional standard). This interdependency means that for an organisation to be operating effectively it needs to consider such dependencies carefully and their impact on the organisation’s operations.

Further guidance on assessment frameworks can be found in the Guide to continuous improvement against functional standards.

2.4 Characteristics of good, better, and best for internal audit

Good: Organisations have an independent and objective internal audit service, integral to their overall governance. Audit objectives are aligned to organisational strategies, objectives, risks, and priorities. Internal auditors have unfettered access to discharge their duties and communicate findings without hindrance. Auditors possess the required capability, capacity and proficiency, and exercise due professional care. Internal audit findings and opinions are shared with senior management and the Accounting Officer and improve the efficiency, effectiveness, and value for money in the organisation. Internal audit activity is underpinned by an internal audit charter, strategy, and plan.

Better: Internal audit has regular quality assessments, ensuring its policies, procedures and practices are updated to reflect evolving good practice and continuous improvement. Stakeholder feedback is sought, and the results of quality assessments drive enhanced performance. Audit work is risk-based, and findings are used to improve governance, risk management and internal control processes within the organisation. Regular progress reports to key stakeholders identify and communicate trends, themes, and insights. The audit charter, strategy and plan are reviewed periodically, ensuring continuing focus on organisational strategies, objectives, risks, and priorities.

Best: Internal audit provides independent and objective assurance and consulting services using a systematic, disciplined and risk-based approach to evaluating and improving the effectiveness of governance, risk management and control. The effectiveness of internal audit activity is analysed and reported across the organisation, ensuring actions improve the service provided. Continuous improvement of internal audit is metric-driven and based on quantitative and/or qualitative measures. The audit charter, strategy, plan, and assurance map are kept under review to reflect material changes to ensure continued focus on organisational strategies, objectives, risks, and priorities, keeping pace with organisational change.

2.5 Using the output of an assessment

Completed assessments can be used to help identify and share good practices, address perceived weaknesses in the performance of the organisation and as input to continuous improvement activity.

The completed assessment framework is for internal government management, designed to facilitate frank and open discussion around performance. Completed assessments are not intended for publication.

2.6 The structure of this assessment framework

The table below sets out the structure of the assessment framework, listing the practice areas addressed in each theme.

Theme 1: Governance of internal audit
Practice area 1.1 Governance and management framework
Practice area 1.2 Strategy and planning
Practice area 1.3 Assurance of internal audit
Practice area 1.4 Roles and accountabilities
Theme 2: Internal audit engagement lifecycle
Practice area 2.1 Planning the engagement
Practice area 2.2 Performing the engagement
Practice area 2.3 Communicating findings
Practice area 2.4 Monitoring of engagements
Theme 3: Internal audit practices
Practice area 3.1 Risk
Practice area 3.2 Control framework
Practice area 3.3 Engagement and communications
Practice area 3.4 Data protection, access, and security
Practice area 3.5 Service levels for engagements
Theme 4: Cross-government internal audit
Practice area 4.1 Cross-government internal audit

3. Assessment framework

3.1 Theme 1 Governance of internal audit

Governance comprises prioritising, authorising, directing, empowering, and overseeing management, and assuring and reviewing performance of internal audit.

Practice area 1.1 Governance and management framework

A governance and management framework is defined and established within each organisation, which complies with government and departmental policies and directives and with this standard and is referenced from the respective Accounting Officer System Statement.

Good (criteria denoting good performance)
a) Internal audit is an integral part of the governance and management framework within the organisation.
b) Framework documents between sponsoring departments and their arm’s length bodies set requirements for internal audit services.

Better (criteria denoting better performance)
c) The governance and management framework is reviewed at defined intervals to verify that it is operating effectively and reflects evolving good practice.
d) Sponsoring departments monitor the provision of internal audit services within their arm’s length bodies to ensure this standard is met.

Best (criteria denoting best performance)
e) A close relationship exists between the ARACs (Audit and Risk Assurance Committees) of sponsoring departments and those within their arm’s length bodies.

1.1.1 Governance and management framework: Audit charter

An internal audit charter formalises the governance of internal audit within an organisation.

Good (criteria denoting good performance)
a) The organisation has an agreed and documented internal audit charter compliant with Public Sector Internal Audit Standards (PSIAS) requirements, developed and agreed by the senior officer accountable for internal audit services in an organisation and approved by the organisation’s Accounting Officer and its ARAC (Audit and Risk Assurance Committee).

Better (criteria denoting better performance)
b) The Accounting Officer, supported by the ARAC, reviews the internal audit charter to ensure arrangements are appropriate and continue to support the organisation’s needs.

Best (criteria denoting best performance)
c) The Accounting Officer, supported by the ARAC, reviews the charter on an annual basis to ensure arrangements are appropriate and continue to support the organisation’s needs.

1.1.2 Governance and management framework: Annual internal audit opinion

The annual internal audit opinion provides professional judgement on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.

Good (criteria denoting good performance)
a) The senior officer accountable for internal audit services in an organisation provides a timely annual internal audit opinion and reports to the organisation’s ARAC, based on the results of individual engagements and other activities, including findings from real time or embedded assurance.
b) The annual opinion is supported by sufficient, reliable, and relevant information.

Better (criteria denoting better performance)
c) The annual opinion takes into account the organisation’s strategies, objectives, and risks (including risk appetite and risk tolerance) and the expectations of senior management, the board, and other defined stakeholders.

Best (criteria denoting best performance)
d) The annual opinion also:
- considers whether the risk appetite has been established and reviewed through the active involvement of the board
- assesses whether risk appetite is embedded within the activities, limits and reporting of the organisation.

Practice area 1.2 Strategy and planning

The internal audit strategy for an organisation provides a statement of how the internal audit service should be developed and delivered, whereas an internal audit plan sets out how objectives, outcomes and outputs are to be delivered in accordance with the strategy.

Good (criteria denoting good performance)
a) An internal audit strategy for an organisation has been developed and communicated by the senior officer accountable for internal audit services.
b) The internal audit strategy is reviewed by the organisation’s ARAC and approved by its Accounting Officer.
c) The strategy informs annual or periodic planning.
d) The senior officer accountable for internal audit services in an organisation develops and maintains an annual or periodic plan in consultation with the accounting officer and senior leadership, setting out intended internal audit activity to be undertaken in the period.
e) The audit plan is risk based and fulfils the requirement to produce an annual audit opinion and operate an effective assurance framework.
f) The audit plan considers priority areas for cross-government audit work identified by the senior officer accountable for internal audit across government.
g) The annual audit plan, and any changes to it, is approved by the Accounting Officer and ratified by the ARAC.
h) The senior officer accountable for internal audit services in an organisation ensures there are periodic progress reports against internal audit plans, and that they are presented to the ARAC.

Better (criteria denoting better performance)
i) The internal audit strategy is reviewed and updated to ensure it links to the organisation’s objectives, risks, and priorities.
j) The plan is kept under review to ensure it remains current and reflects emerging risks and issues. Material changes are proposed to the ARAC and approved by the Accounting Officer.
k) Progress reports include:
- rationale for proposed changes to the plan
- results of engagements undertaken since the last report, including audit, consultancy, and advisory services
- insights from real time or embedded assurance
- an update on action tracking
- the performance and effectiveness of internal audit services, and changes to resource requirements.

Best (criteria denoting best performance)
l) The internal audit strategy is reviewed and updated annually to ensure it links to the organisation’s objectives, risks, and priorities.
m) The plan is kept under constant review to ensure it remains current and reflects emerging risks and issues. Any changes are proposed to the ARAC and approved by the Accounting Officer.
n) Progress reports additionally include:
- significant control weaknesses and breakdowns, together with a robust root-cause analysis
- key trends, themes and good practice identified
- the potential impact of external developments on the organisation
- areas where residual risk may be unacceptable to the organisation.

Practice area 1.3 Assurance of internal audit

The purpose of assurance is to provide, through a systematic set of actions, confidence to senior leaders and stakeholders that work is controlled and supports safe and successful delivery of policy, strategy, and objectives.

Good (criteria denoting good performance)
a) Internal audit service providers operate a defined and established quality assurance and improvement programme for internal audit activity, including internal and external assessments.
b) The senior officer accountable for internal audit services in an organisation communicates the results of the quality assurance and improvement programme to senior management and the board.
c) Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity.
d) Periodic assessments of the internal audit activity are undertaken by other persons within the organisation with sufficient knowledge of internal audit practices.
e) An external assessment of the adequacy of an organisation’s internal audit service is conducted at least once every five years by an independent assessor qualified in the professional practice of internal auditing and the external assessment process, and considers and reports on conformance with the PSIAS.
f) An appropriate organisational sponsor for the external assessment is identified, who agrees the scope of the review.
g) The results of external assurance, including progress against resulting improvement plans, are reported to the ARAC on completion and included in the annual report of the internal audit service provider and in the annual report and opinion provided to the accounting officer to support the organisation’s governance statement.
h) The organisation’s ARAC considers the effectiveness of the internal audit service on a periodic basis.

Better (criteria denoting better performance)
i) The results of internal assessments are communicated to and reviewed by the ARAC.
j) Lessons learnt from internal assessments are shared across the internal audit team.
k) The organisation’s ARAC considers the effectiveness of the internal audit service on an annual basis.

Best (criteria denoting best performance)
l) The results of internal assessments are shared with the Accounting Officer and the organisation’s Executive Team.
m) An action plan is in place to ensure improvement plans are developed, monitored and reported to relevant stakeholders, e.g. the ARAC, on a periodic basis.

Practice area 1.4 Roles and accountabilities

Roles and accountabilities are defined in the relevant governance and management framework and assigned to people with appropriate seniority, skills, and experience. This includes, but is not limited to, the activities, outputs, or outcomes they are responsible for, and the person to whom they are accountable.

Good (criteria denoting good performance)
a) The Accounting Officer ensures there is appropriate internal audit provision in their organisation.
b) The organisation’s board and its committees ensure support for, and acceptance of, the undertaking of internal audit activity at all levels of the organisation.
c) An ARAC is established to support an organisation’s board and Accounting Officer.
d) The members of the committee are independent of the organisation, without executive responsibilities.
e) The Accounting Officer and the Chief Financial Officer are required to attend the ARAC.
The senior officer accountable for internal audit services in an organisation:
f) is a chartered member of the Chartered Institute of Internal Auditors, holds a Consultative Committee of Accountancy Bodies qualification, or holds an equivalent qualification.
g) leads and directs an internal audit service that is resourced appropriately, sufficiently, and effectively.
h) ensures internal auditors possess the knowledge, skills and other competencies needed to perform their individual responsibilities.
i) ensures audit engagements are allocated to auditors of suitable seniority and proficiency, operating with due professional care to undertake the work, based on the level of risk and complexity.
j) periodically ensures that the Accounting Officer has, and uses, the information needed to:
- assess the work of internal audit to improve their organisation’s governance, risk management, internal control, and performance
- ensure that lessons learned from cross-government audit are embedded in their management and risk frameworks
- take advice from the organisation’s ARAC as necessary.

Better (criteria denoting better performance)
k) The senior officer accountable for internal audit in an organisation periodically updates the board and its committees on the quality and nature of support from the organisation, highlighting any issues.
l) Internal audit expertise and knowledge supports the board to ensure that lessons learned from audit are acted upon.
m) The chair of the ARAC is a Non-Executive board member with relevant experience.
n) There is at least one other independent board member on the committee, plus other Non-Executive director members as necessary, to ensure the right level of skills and experience.
o) The ARAC’s terms of reference are published, and it reports to the board annually on its work and how it has discharged its responsibilities.
p) The Accounting Officer and the Chief Financial Officer routinely attend the ARAC.

Best (criteria denoting best performance)
q) The senior officer accountable for internal audit services in an organisation is invited to contribute to board meetings that cover governance, risk management and the control environment across the organisation(s).

3.2 Theme 2 Internal audit engagement lifecycle

Figure 3 Life cycle of an internal audit engagement

Practice area 2.1 Planning the engagement

Internal auditors develop and document a plan for each engagement including the engagement’s objectives, scope, timing, and resource allocations. The plan considers the organisation’s strategies, objectives and risks relevant to the engagement.

Good (criteria denoting good performance)
a) The internal auditor seeks information on the audit area to facilitate planning of the engagement, such as policies and procedures, structure charts and risk registers, from the senior sponsor for the internal audit engagement.
b) The internal auditor prepares a terms of reference for the engagement.
c) The internal auditor agrees the terms of reference with the senior sponsor for an internal audit engagement in an organisation, meeting quality requirements.
d) The senior sponsor for the audit engagement has an opportunity to review the terms of reference and provide ratification before the audit engagement starts, in consultation with the internal auditor and other stakeholders if required.
e) Internal audit engagements are planned to minimise disruption to the organisation’s work.

Better (criteria denoting better performance)
f) Internal audit engagements avoid overlaps with other assurance activities and duplication of effort, whilst remaining rigorous.

Best (criteria denoting best performance)
g) Scope is proportionate, risk focused and developed using quantitative and qualitative risk data.

Practice area 2.2 Performing the engagement

Internal auditors must identify, analyse, evaluate, and document sufficient information to achieve the engagement’s objectives.

Good (criteria denoting good performance)
Internal auditors:
a) identify and document sufficient, reliable, and relevant information to achieve the engagement’s objectives.
b) base conclusions and engagement results on appropriate analyses and evaluations.
c) evaluate the design and operating effectiveness of the organisation’s policies and processes.
d) obtain sufficient, reliable, and relevant information on the adequacy and effectiveness of operational and other control arrangements.
e) where specialist audit resource is used, follow the relevant functional standards.

Better (criteria denoting better performance)
f) The internal auditor:
- takes account of the organisation’s strategic objectives
- reviews operational performance and outcomes planned or achieved
- considers the organisation’s risk appetite
- takes account of adopted values and ethics.
g) Relevant functional standards are used to inform all audit activity.

Best (criteria denoting best performance)
h) Innovative audit techniques are considered and utilised where appropriate.

Practice area 2.3 Communicating findings

Internal auditors communicate the results of internal audit engagements, including the engagement’s objectives, scope and results.

Good (criteria denoting good performance)
a) Internal auditors communicate the engagement’s objectives, scope, and results to the senior sponsor for an internal audit engagement, including those relating to consulting engagements.
b) Internal auditors ensure that the draft communication meets quality requirements agreed between the senior officer accountable for internal audit services in an organisation and the senior sponsor for internal audit services in an organisation, and is in accordance with the agreed terms of reference for the engagement.
c) The senior sponsor for an internal audit engagement in an organisation is given an opportunity to review the draft communication and works with the internal auditor to finalise it, within agreed timescales.
d) The senior sponsor for an internal audit engagement has an opportunity to approve the draft report before it is finalised.
e) The senior sponsor for internal audit services in an organisation consults the senior officer accountable for internal audit services in an organisation before disclosing information within internal audit reports to third parties.
f) The Principal Accounting Officer seeking access to another organisation’s internal audit report follows the protocol for sharing internal audit reports.
g) Organisations are encouraged to share relevant learning from audit engagements appropriately across the organisation, to strengthen the first and second lines of assurance, and improve governance, risk management and control.
h) Results are solution focused and feasible and provide an opinion on the overall adequacy and effectiveness of the framework of governance, risk management and control relating to the work within scope.
i) The senior officer accountable for internal audit services in an organisation determines the nature, timing, and extent of follow-up to completion of actions, in agreement with the organisation’s senior managers and its ARAC.
j) Outstanding actions are monitored and reported to the ARAC.

Better (criteria denoting better performance)
k) Results include findings, recommendations, conclusions, and action plans arising from the fieldwork and evaluation undertaken.
l) Where opinion ratings are given, they are in line with central government definitions.
m) The final communication incorporates the organisation’s action plan to address findings.
n) Responsibility and accountability for implementing agreed actions is agreed and assigned in the action plan.
o) Where there are delays in implementing agreed actions, the audit action owner provides an explanation of the delay and an assessment of the impact of the delay on achievement of objectives and/or value for money.

Best (criteria denoting best performance)
p) Recommended practice with wider application to other government organisations is shared for incorporation within cross-government products.

Practice area 2.4 Monitoring of engagements

The senior officer accountable for internal audit in an organisation establishes and maintains a system to monitor the disposition of results communicated to management.

Good (criteria denoting good performance)
a) Monitoring progress is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity.
b) The senior officer accountable for internal audit services in an organisation agrees with the ARAC how monitoring the completion of agreed audit actions should be delivered, and the division of associated responsibilities such as progress reporting.
c) The senior sponsor for an internal audit engagement in an organisation develops and provides an action plan for implementing each recommendation in the audit report, or a management comment where no action is proposed.
d) The action plan includes realistic and achievable timescales for completion.
e) The senior officer accountable for internal audit services in an organisation establishes a follow-up process to monitor and ensure that management actions have been effectively implemented or that the senior sponsor for the internal audit engagement has accepted the risk of not taking action.
f) Should the senior officer accountable for internal audit services in an organisation conclude that management has accepted a level of risk that might be unacceptable to the organisation, the accounting officer is alerted and consulted.
g) If the senior officer accountable for internal audit services in an organisation determines that the accounting officer has not resolved an issue of unacceptable risk, they escalate the matter to the organisation’s board via the ARAC.
h) The senior officer accountable for internal audit services in an organisation agrees the monitoring and communication of the results of consulting engagements.

Better (criteria denoting better performance)
i) Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit engagements and uses the processes, tools and information considered necessary.
j) Ongoing monitoring of audit results communicated to management is reported to the ARAC.

Best (criteria denoting best performance)
k) The follow-up process ensures that implemented actions have had the desired impact on the control framework.

3.3 Theme 3 Internal audit practices

This section includes practices which supplement those in the previous section, and which can be used throughout the internal audit cycle.

Practice area 3.1 Risk

Risk identification and assessment enables organisations to determine and prioritise how risks should be treated. In assessing and managing risk, the requirements and guidance of the Orange Book [6] should be followed.

Good (criteria denoting good performance)
a) To support an internal audit engagement, organisations provide evidence of risk assessment, which includes but is not limited to:
- business plans
- risk registers
- governance statement
- assurance maps
- management information on performance.
b) The senior officer accountable for internal audit services in an organisation develops and maintains an assessment of how well risk appetite has been established and is being maintained.

Better (criteria denoting better performance)
c) A risk assessment is used to inform the annual audit plan and to ensure that internal audit activity aligns to the organisation’s strategies, objectives and risks.
d) The senior officer accountable for internal audit services in an organisation develops and maintains an assessment of how well risk appetite represents current circumstances and reflects active review by the board and executive management.
e) Assurance maps are developed and maintained by the organisation to enable and promote a common understanding, and a collective view of assurance across the organisation.

Best (criteria denoting best performance)
f) The senior officer accountable for internal audit services in an organisation develops and maintains an assessment of how well risk appetite is embedded within the activities, limits and reporting of the organisation.
g) Organisational assurance maps provide:
- a clear statement of assurance processes
- better understanding of the risks and key processes, and completeness of assurance
- identification of major gaps in assurance and duplication of assurance
- better targeting of resources and improved governance and reporting to boards and committees.

Practice area 3.2 Control framework

Control is an action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals can be achieved.

Good: criteria denoting good performance
a) Audit engagements include recommendations for improving the control environment, including embedding lessons learned.
Better: criteria denoting better performance
b) An organisational control framework is defined and established, to enable auditors to assess:
- the design and effectiveness of the control environment
- how well the operation of controls is working
- the impact of gaps in or ineffective operation of controls.
Best: criteria denoting best performance
c) Audit engagements consider, but are not limited by, the following aspects of the control environment within an organisation:
- integrity and ethical values
- management’s philosophy and operating style
- organisational structure
- assignment of authority and responsibility
- human resource policies and practices
- competence of personnel
d) Internal audit considers the results of any control environment self-assessment used to:
- create clear lines of accountability for controls
- reduce the risk of fraud and/or error
- provide assurance that internal control systems are reliable
- incorporate data analytics technology and techniques to examine data to identify and report unusual patterns of activity
- lower an organisation’s risk profile

Practice area 3.3 Engagement and communications

Organisational feedback helps improve the quality of internal audit services, through a better understanding of the needs of the organisation and perceived quality of delivery.

Good: criteria denoting good performance
a) The senior officer accountable for internal audit services in an organisation agrees with the senior sponsor for internal audit services in an organisation the planned engagement and communication measures to meet their needs, including feedback mechanisms and effectiveness measures, for example surveys to measure the sponsor’s satisfaction.
b) The senior officer accountable for internal audit services in an organisation seeks feedback on individual engagements and engages regularly with organisation sponsors to discuss performance.
Better: criteria denoting better performance
c) Feedback and satisfaction levels are monitored, reported, and communicated to internal auditors and the ARAC.
d) Response rates are monitored, and reminders issued as appropriate.
e) Unsatisfactory feedback for individual assignments is discussed with the respondent and relevant improvement actions are taken.
Best: criteria denoting best performance
f) Strategic feedback on the performance of internal audit is sought on an annual basis to ensure its services are meeting the needs of the organisation.

Practice area 3.4 Data protection, access, and security

Both the organisation and the internal audit service provider are data controllers under current data protection legislation.

The internal audit charter authorises access to records, personnel, and physical properties relevant to the performance of internal audit engagements.

Good: criteria denoting good performance
a) Appropriate technical and organisational measures in relation to the processing of protected data are in place.
b) The senior officer accountable for internal audit services in an organisation ensures that internal auditors have the appropriate security clearance for the work being done, in line with the memorandum of understanding as appropriate, so that internal auditors can be given full access to relevant client information.
c) Information relevant to the engagement is managed in accordance with GovS 007, Security [7].
Better: criteria denoting better performance
d) The senior officer accountable for internal audit services in an organisation ensures that there is a mechanism to ensure security clearances are maintained in accordance with organisational policy.
Best: criteria denoting best performance
e) Accountability and responsibility for protection of information and access to it is supported by ongoing review and verification of security clearances which are, where necessary, withdrawn.
f) Internal auditors that hold security clearances to SECRET or above are considered for Industry Personnel Security Assurance accreditation.

Practice area 3.5 Service levels for engagements

A documented agreement between the internal audit service provider and the customer is in place that identifies both the services required and the expected level of service.

Good: criteria denoting good performance
a) The senior sponsor for internal audit services in an organisation defines the level of internal audit service expected, with sufficient resources to deliver a service in line with required standards (including conducting the work needed to inform the annual audit opinion).
b) Service levels are defined and established:
- through a memorandum of understanding or service level agreement, where the organisation obtains its internal audit service from a shared service, to cover the contracting aspects of the arrangement, where appropriate
- through a contract, where an organisation obtains its internal audit service from an external provider.
- Appointment of third-party suppliers follows GovS 008, Commercial [8].
Better: criteria denoting better performance
c) KPIs (Key Performance Indicators) that will be used to measure the effectiveness of the internal audit service are agreed and there is a defined process for measuring and reporting performance.
Best: criteria denoting best performance
d) There is a mechanism for addressing any issues or concerns that arise and a process for identifying and building on continuous improvement.

3.4 Theme 4 Cross-government internal audit (for completion by the senior officer accountable for internal audit across government only)

Cross-Government internal audits provide insights on controls, risks, and issues across government organisations, suggesting improvements that can be made to reduce risk and achieve objectives. The chief executive of the Government Internal Audit Agency (GIAA) is the senior officer accountable for internal audit across government.

Practice area 4.1 Cross-government internal audit

Cross government internal audit objectives are aligned to government policy, objectives, and risks.

Good: criteria denoting good performance
a) The senior officer accountable for internal audit across government is accountable to HM Treasury for the development and oversight of a strategy for internal audit in government, and:
- provides leadership and direction for improving internal audit practice across government
- adopts a single set of detailed professional standards, and drives continuous improvements in these standards
b) Cross-cutting assurance activity is planned and conducted with the consent of relevant Accounting Officers.
c) The senior officer accountable for internal audit across government defines the framework for external quality assessments of internal audit in government.
d) For cross-government engagements the internal auditor provides a summary report drawing together common themes.
e) Sharing of assurance ratings, detailed findings and recommendations is limited to those organisations already directly involved in the work.
f) The senior officer accountable for internal audit across government ensures confidentiality while sharing high-level cross-government insights.
Better: criteria denoting better performance
g) The senior officer accountable for internal audit across government:
- strengthens internal audit capability across government, including through external assurance
- provides additional oversight and guidance to heads of internal audit across the function
- is involved in departmental head of internal audit appointments
h) The senior officer accountable for internal audit across government develops a cross-government internal audit strategy, in consultation with organisational representatives.
i) The cross-government strategy draws upon priority areas and insights identified by Heads of Function and functional governance bodies.
j) Cross-government audit plans are developed in consultation with those accountable for sponsoring and providing internal audit services in organisations, to draw out issues of mutual interest.
k) Internal auditors ensure that sponsors of arm’s length bodies in departments are able to review draft content relating to the sponsor organisation contained in a summary report, before it is finalised.
l) For cross-government engagements the internal auditor provides detailed reports to each organisation.
m) Where required, the senior officer accountable for internal audit across government plans and conducts specific cross-government internal audit reviews to support the needs of organisations and government as a whole. This might include, but should not be limited to, cyber security, sustainability, and data governance.
Best: criteria denoting best performance
n) The views of the Permanent Secretary of HM Treasury and/or heads of functions and functional governance bodies are sought and reflected in cross-government audit plans.

4. Annex A References

ID Description
1 HM Government, GovS009, Internal Audit (PDF, 324KB) (2022)
2 Cabinet Office, Functional standards and associated guidance (collection)
3 Public Sector Internal Audit Standards (PSIAS)(PDF, 424KB) (2017)
4 Corporate governance in central government departments: code of good practice (PDF, 514KB) (2017)
5 Protocol for sharing internal audit reports (PDF, 58.6KB) (2022)
6 HM Government, The Orange Book: Management of Risk – Principles and concepts (2023)
7 GovS 007: Security (2021)
8 GovS 008, Commercial (2022)

5. Annex B Glossary

See also the common glossary of definitions which includes a list of defined terms and phrases used across the suite of government functional standards. The glossary includes the term, definition, and which function owns the term and definition.

Term Definition
arm’s-length body (ALB) Central government bodies that carry out discrete functions on behalf of departments, but which are controlled or owned by them. They include executive agencies, Non-Departmental Public Bodies and government-owned companies.
More information on classification of public bodies can be found here: Classification of public bodies: information and guidance - GOV.UK (www.gov.uk)
assurance A general term for the confidence that can be derived from objective information over the successful conduct of activities, the efficient and effective design and operation of internal control, compliance with internal and external requirements, and the production of insightful and credible information to support decision making. Confidence diminishes when there are uncertainties around the integrity of information or of underlying processes.
audit and risk assurance committee The governance group charged with independent assurance of the adequacy of the risk management framework, the internal control environment and the integrity of financial reporting. The audit committee provides oversight of financial reporting, risk management, internal control, compliance, ethics, management, internal auditors, and the external auditors.
audit opinion The rating, conclusion and/or other description of results provided by the senior sponsor for internal audit services in an organisation addressing, at a broad level, governance, risk management and/or control processes of the organisation. An overall audit opinion is the professional judgement of the chief audit executive based on the results of a number of individual engagements and other activities for a specific time interval.
board The highest-level governing body (e.g. a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organisation’s activities and hold senior management accountable.
consulting services Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.
control environment The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical values; management’s philosophy and operating style; organisational structure; assignment of authority and responsibility; human resource policies and practices; and competence of personnel.
defined (way of working) In the context of standards, defined denotes a documented way of working which people are expected to use. This can apply to any aspect of a governance or management framework – for example processes, codes of practice, methods, templates, tools and guides.
established (way of working) In the context of standards, established denotes a way of working that is implemented and used throughout the organisation. This can apply to any aspect of a governance or management framework – for example processes, codes of practice, methods, templates, tools and guides.
governance Governance defines relationships and the distribution of rights and responsibilities among those who work with and in the organisation. It determines the rules and procedures through which the organisational objectives are set and provides the means of attaining those objectives and monitoring performance. Importantly, it defines where accountability lies throughout the organisation.
governance and management framework A governance and management framework sets out the authority limits, decision making roles and rules, degrees of autonomy, assurance needs, reporting structure, accountabilities and roles and the appropriate management practices and associated documentation needed to meet this standard.
internal auditing An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
internal audit charter The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s position within the organisation; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. It should be reviewed periodically and approved by the audit committee.
internal audit engagement A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
memorandum of understanding (MOU) The MOU documents the common intent of both parties regarding the commissioning and delivery of the internal audit service and provides a framework and set of principles to guide the parties in the working arrangements.
organisation In the context of government functional standards, ‘organisation’ is the generic term used to describe a government department, arm’s length body, or any other entity, which is identified as being within the scope of the functional standard.
plan A plan sets out how objectives, outcomes and outputs are to be delivered in accordance with the strategy.
risk appetite The amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.
risk management Risk management is the co-ordinated activities designed and operated to manage risk and exercise internal control within an organisation.
root cause analysis Root cause analysis is a process for understanding ‘what happened’ and solving a problem by looking back and drilling down to find out ‘why it happened’ in the first place, and then rectifying the issue(s) so that it does not happen again, or reducing the likelihood that it will happen again.
standard A standard is an agreed document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.
strategy A strategy outlines longer term objectives, outcomes and outputs, and the means to achieve them, to inform future decisions and planning.

5.1 Clarification of roles

Role
accounting officer The most senior official in a public sector organisation; the person Parliament calls to account for stewardship of its resources.
senior officer accountable for internal audit services in an organisation This role is often called the head of internal audit (HIA) or chief audit executive (CAE). Where internal audit is provided by a group or shared service, a senior officer could be responsible for more than one organisation (a designated group), supported by heads of internal audit for each organisation in the group.
senior officer accountable for internal audit across government This role is done by the same person who leads the internal audit function across government, the chief executive of the Government Internal Audit Agency (GIAA), who currently reports to the second permanent secretary of HM Treasury.
senior sponsor for the internal audit engagement Usually a deputy director or director in an organisation responsible for the area under review.
senior sponsor for internal audit services in an organisation A senior finance officer such as the chief operating officer or finance director usually undertakes this role, with free and unfettered access to the accounting officer.