Essential Prerequisites for Internal Auditing
Clear ground rules must be kept to if internal audit is to add best value to both its assurance and consulting roles. In any entity, these should be set out in the internal audit charter, which must be approved by the board or by the board’s audit committee on behalf of the board. The most senior level that relies on the assurance given by internal audit needs to be confident that internal audit is not subordinating its judgment on professional matters to that of anyone else. Usually, at its most senior level internal audit reports to the audit committee of the board. Compromised professional judgment may occur with respect to:
determining the planned programme of audits;
accessing information and personnel necessary to properly conduct an audit;
deciding the content of internal audit reports.
While it may appear that the chief audit executive is reporting directly to the audit committee, as indeed should be so, that reporting is of little value if it is in effect censored by senior management before it reaches the audit committee.
Internal audit is both an audit for management and also an audit of management for the board through the board’s audit committee. If internal audit is compromised professionally, then it is essential that those who rely on the assurance that internal audit gives are fully cognizant of this. An audit committee needs to have time alone with the chief audit executive, with other executives not being in attendance; this can take place in a 15-minute session at the start of each audit committee meeting. Audit committees should also be involved in advance in decisions relating to the appointment, reappointment, dismissal, and remuneration of heads of internal audit.
Organizationally it is preferable that the internal audit function does not belong to the finance/accounting function of the organization as this makes it harder for internal audit to audit financial and accounting matters with sufficient independence and objectivity. It also makes it more difficult for internal audit to be welcomed as having a valuable contribution to make when it audits the operational areas of the business. Ideally, internal audit should report directly to the chief executive or, alternatively, to someone, or to a committee, outside of the main functional areas of the business.
“The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.”2
Case Study 1
Management and internal audit of a multinational company knew about an overstatement of oil reserves for some two years before the board and the board’s audit committee learnt about it. Executive directors are said to have met before board meetings to agree a common line to be taken at the board. Reports from the chief audit executive passed across the desk of the chief financial officer before going to the audit committee. The chief executive, director of exploration, and chief financial officer left the company; when the company next appointed a new chief audit executive, the company sought an external candidate for the first time.