To optimize an internal audit function it is necessary to:
conform with the International Professional Practices Framework of the global Institute of Internal Auditors;
define the role, responsibilities, and authority of the internal audit function within a formal charter approved by the board;
report to the board;
embrace both assurance and consulting roles within the internal audit mission;
ensure that no business areas are “off-limits” to internal audit;
plan future audit engagements based on the chief audit executive’s risk assessment;
Internal auditing is defined by The Institute of Internal Auditors (IIA) as follows:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”1
It is widely accepted that, whether or not the staff of an internal audit function are affiliated with The IIA, internal auditing that corresponds to the above definition will deliver best value only when generally accepted internal auditing standards are applied. Internal auditing should be a valued part of the total assurance process. To be so, it requires independence from the activities it audits, and it needs to report independently to all those who rely on the assurance that internal audit provides.
Today, internal audit is a service for management and also for those, such as boards and audit committees, charged with governance. Particular internal audit functions may also have certain obligations to report to outside parties, such as regulators. It is important that the roles, responsibilities, and authority of internal audit are clearly set out and supported within the organization.
Essential Prerequisites for Internal Auditing
Clear ground rules must be observed if internal audit is to add best value in both its assurance and consulting roles. In any entity, these should be set out in the internal audit charter, which must be approved by the board or by the board’s audit committee on behalf of the board. The most senior level that relies on the assurance given by internal audit needs to be confident that internal audit is not subordinating its judgment on professional matters to that of anyone else. Usually, at its most senior level, internal audit reports to the audit committee of the board. Compromised professional judgment may occur with respect to:
determining the planned programme of audits;
accessing information and personnel necessary to properly conduct an audit;
deciding the content of internal audit reports.
While it may appear that the chief audit executive is reporting directly to the audit committee, as indeed should be so, that reporting is of little value if it is in effect censored by senior management before it reaches the audit committee.
Internal audit is both an audit for management and also an audit of management for the board through the board’s audit committee. If internal audit is compromised professionally, then it is essential that those who rely on the assurance that internal audit gives are fully cognizant of this. An audit committee needs to have time alone with the chief audit executive, with other executives not being in attendance; this can take place in a 15-minute session at the start of each audit committee meeting. Audit committees should also be involved in advance in decisions relating to the appointment, reappointment, dismissal, and remuneration of heads of internal audit.
Organizationally it is preferable that the internal audit function does not belong to the finance/accounting function of the organization as this makes it harder for internal audit to audit financial and accounting matters with sufficient independence and objectivity. It also makes it more difficult for internal audit to be welcomed as having a valuable contribution to make when it audits the operational areas of the business. Ideally, internal audit should report directly to the chief executive or, alternatively, to someone, or to a committee, outside of the main functional areas of the business.
“The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.”2
Case Study 1
Management and internal audit of a multinational company knew about an overstatement of oil reserves for some two years before the board and the board’s audit committee learnt about it. Executive directors are said to have met before board meetings to agree a common line to be taken at the board. Reports from the chief audit executive passed across the desk of the chief financial officer before going to the audit committee. The chief executive, director of exploration, and chief financial officer left the company; when the company next appointed a new chief audit executive, the company sought an external candidate for the first time.