By Jim McFie, a Fellow of ICPAK
The Kenya Public Finance Management Act requires every entity within the national government and
every entity within the county governments to maintain an internal audit function. The Act even defines internal auditing as “an independent, objective assurance and consulting activity designed to add valueand improve an organisation’s operations, which helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of riskmanagement, control, and governance processes”.
This definition agrees almost word for word with the definition provided by the Institute of Internal Auditors, a body with more than two hundred and thirty thousand members. Every national andevery county government entity must ensure that internal audits in respect of the entity are conducted in accordance with international best practices. Furthermore, the Institute of Internal Auditors is recognised in the Public Finance Management Act as a body which must have a representative on the Public Sector Accounting Standards Board (PSASB) in Kenya.
The PSASB is a Semi-Autonomous Government Agency mandated to provide frameworks and set standards for the development and management of accounting, financial and internal audit systems for all state organs and public entities, and prescribe formats for financial statements and reporting by all state organs and public entities. In the Public Audit Act, “the final report by an internal auditor which has been deliberated on and adopted by an audit committee of a State Organ or public entity, may be copied to the Auditor General, who must have unhindered access to all internal audit reports of a State Organ or any public entity which is subject to audit by the Auditor-General”.
In the Banking Act, the only reference to internal audit is to include the chief internal auditor as a senior officer in any institution licensed under the Act: however, the Prudential Guidelines of the Central Bank of Kenya require the board of directors of every bank to “setup an effective internal audit department, staffed with qualified personnel to perform internal audit functions, covering the traditional function of financial audit as well as the function of management audit”: in addition, the bank’s Chief Executive must ensure that the board is frequently and adequately appraised about the operations of the institutionthrough presentation of relevant internal audit reports as presented to the audit committee.
The Head of Internal Audit should be a member of the Institute of Certified Public Accountants of
Kenya (ICPAK) and is a senior officer who is responsible and should be held accountable for overseeing the dayto-day management of the bank. If the internal audit function is outsourced, approval from the Central Bank of Kenya must be obtained. The Kenya Companies Act, the Insurance Act and the Retirement Benefits Act make no mention of the internal audit function. But the Insurance (AntiMoney Laundering and Combating Financing of Terrorism) Guidelines, 2020, promulgated by the Insurance Regulatory Authority, requires insurers, takaful operators, micro-insurers underwriting life assurance, brokers and agents to ensure that the internal audit or compliance function regularly verifies compliance with anti-money laundering and financing of terrorism policies, procedures and controls.
The Sacco Societies Act requires every Sacco society to appoint an “internal auditor who shall report to the board of directors on the internal control systems and financial matters of the society; no person shall be appointed as an internal auditor under this section unless the person holds such professionalqualifications in accounting and has suchexperience in deposit-taking business, as may be prescribed by the Authority”. Both the Sacco Societies (Non-deposittaking Business) and the Sacco Societies (Deposit-taking Sacco Business)
Regulations 2020 have a similar but slightly different requirement: “A Sacco society shall appoint an internal auditor who shall report to the board of directors and be responsible for the Sacco Society’sinternal audit function and reviewing and reporting on the adequacy of the internal audit system and the financial matters of the Sacco society”. The Capital Markets Authority’s Code of Corporate Governance Practices for Issuers of Securities to the Public 2015 states that the Board of directors of every company quoted on the Nairobi Securities Exchange must “establish an internal audit function, whether internally based or externally sourced and identify a head of internal audit who reports directly to the AuditCommittee.
The head of internal audit shall have relevant accounting or auditing qualifications and be responsible
for providing assurance to the Board that internal controls are operating effectively. Internal auditors shall carry out their functions in accordance with the International Standards in Auditing (ISA), any standards promulgated by the Institute of Internal Auditors (IIA) and the Code of Ethics and Conduct”. In my opinion, internal auditors do not carry out their functions in accordance with the International Standards in Auditing because in paragraph five of the introduction to the “Preface to the International Quality Control, Auditing, Review, and Other Assurance, and Related Services Pronouncements”, under the heading.
“The Authority Attaching to International Standards Issued by the International Auditing and Assurance Standards Board”, it reads “International Standards on Auditing (ISAs) are to be applied in the audit of historical financial information”. Internal auditors generally do not audit “historical financial information”: their scope of work is much wider. The Institute of Internal Auditors (IIA) promulgates the International Professional Practices Framework (IPPF); it is the conceptual framework that organizes authoritative guidance disseminated by the IIA.
The IIA is a global entity which provides internal audit professionals worldwide with authoritative guidance organized in this Framework partly as mandatory guidance and partly as recommendedguidance. In 2021, the Internal Audit Foundation, a global resource for advancing the Internal Audit profession, and the IIA launched a global survey to explore practices within the profession, receiving more than three thousand six hundred responses from one hundred and fifty countries. Data collected fromthis survey has been used to develop a global view of internal auditing.
This research and benchmarking were used to develop and propose a new Framework. During 2022 the IIA engaged stakeholders broadly and used the findings to revise and develop new proposed Standards. Between January and March this year, the new proposed IIA International Professional Practices Framework (IPPF) including the International Standards for the Professional Practice of Internal Auditing (Standards) were translated into the twenty-three languages different to English (unfortunately Swahili is not one of those twenty-three) in which the Framework is available. The draft of the proposed Global Internal Audit Standards is now available for public comment until 30 May 2023. This is where members of ICPAK can make their voices heard.
The draft Standards are available at https://www.theiia.org/en/standards/StandardsPublic-Comment/ Later this year, the new Standards will be released: the International Professional Practices Framework Guidance (Practice Guides) and relevant products will be refreshed. Late next year, the new Standards will become effective twelve months after the release date.
From the website mentioned above, one can access a table of contents which is a complete list of the sections of the Proposed Global Internal Audit Standards, a detailed mapping of statements and concepts from the present 2017 version of the International Standards for the Professional Practice of Internal Auditing to the Proposed Global Internal Audit Standards, and a comparison of the Glossaries from thepresent 2017 version of the International Standards for the Professional Practice of Internal Auditing withthe Proposed Global Internal Audit Standards. This article would become excessively long if I were to indicate all of the changes that are proposed in arriving at the new Framework. There are twenty pages of changes to the 2017 Glossary terms: one change which catches my eye is that the term “add value” has been excluded from the new Glossary.
The 2017 definition of “add value” was “The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes”. The reason for excluding “add value” is that “The term “add value” had become overused and not very meaningful. It is no longer used as a leading phrase in the Purpose or elsewhere in the Standards. Add value is determined by each organization and does not need to be defined in the Standards glossary”. I think all of us should take note of this thinking in our normal conversations. A word that was not defined in the current 2017 Glossary is “competency” but is proposed to be included in the new Glossary defined as “Knowledge, skills, and abilities”.
The word is used only once in the twenty-five page 2017 Standards in paragraph 2050: Coordination and
Reliance: Interpretation: “In coordinating activities, the chief audit executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers”. In the proposed one hundred and eight page proposed “Global Internal Standards” the word appears fifteen times in addition to its definition in the glossary. Principle 3 in the new standards is entitled “Demonstrate Competency” which is explained by the following: “Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully.
Demonstrating competency requires developing and applying the knowledge, skills, and abilities to provide internal audit services. This includes internal auditors advancing their understanding of business, management, and technology; as well as economic, environmental, legal, political, and social contexts”. There are one hundred and twenty-four pages showing a mapping of statements or concepts from the International Standards for the Professional Practice of Internal Auditing (2017) to the proposed Global Internal Audit Standards (2023). There are many interesting changes, too many to comment on here.
I encourage all members of ICPAK who are involved in the internal function in any entity in Kenya to go through the new document and submit suggestions as to how it can be improved.