Internal audit has a range of stakeholders who rely on its work, seeking assurance that the organization is running well and that there are effective controls in place.
Internal audit has a responsibility to its stakeholders to provide reports on the operation of the organization’s risk management, control, and governance processes. It also has a responsibility to justify the value of its work and the organization’s spending on internal audit resources.
Internal audit can report on its work to its stakeholders by:
reporting on the outcomes of its internal audit work;
reporting on the quality of its internal audit work.
Together, these elements combine to provide stakeholders with an overall view of the effectiveness of internal audit; one without the other will only provide a partial reporting structure.
Internal audit has a variety of stakeholders who rely on its work. These include: the board of directors; the audit committee; the chief executive officer; senior executives such as the chief financial officer, chief information officer, chief risk officer, etc.; the external auditors; in some cases, regulatory bodies; and stockholders—who, in the case of government organizations, could be the public.
All these stakeholders are seeking assurance that the organization is running well, and that effective controls are in place and operating properly. Internal audit has an important role to play in providing assurance to these stakeholders, but the trick is how to report the results of its work to them effectively.
Assurance can be equated with the term governance, the four pillars of a good corporate governance framework being—according to the Institute of Internal Auditors—executive management, the audit committee, external audit, and internal audit. Each of these elements relies to an extent on the others, and they all need to be operating effectively to provide overall assurance to stakeholders.
The board of directors will generally want to see a combined assurance model in place for the organization that provides three lines of defense, as shown in Table 1. This demonstrates the interdependencies between the four pillars of good corporate governance and the three lines of defense that go to make up a combined assurance model.
|First line of defense||Second line of defense||Third line of defense|
|Management controls||Management of risk||Independent assurance|
|Real-time focus||Real-time focus + review focus of 1st line||Review focus of 1st and 2nd line|
|Elements Policies and procedures Internal controls||Elements Risk management Legal department||Elements External audit Internal audit|
|Role Review compliance Impplement improvements||Role Comfirm compliance Recommend improvements||Role Independently confirm compliance Recommend improvements|
Source: National Australia Bank, with amendment.
- Page 1 of 5
- Next section Reporting on the Outcomes of Internal Audit Work