Case Study 2
The independent chairman of the board of a bank fired the bank’s chief executive. The inside story was that the in-house chief audit executive used his direct access to the chair of the audit committee to contact that chair, by phone, between audit committee meetings, to discuss his concerns about apparent misconduct by the chief executive.
The chair of the audit committee, which comprised exclusively independent directors, convened a special meeting of the committee to follow this up. No executives other than the chief audit executive, who was invited to attend part of the meeting, knew that it was taking place. At the meeting the audit committee asked internal audit to investigate the matter further and report the findings directly to the committee. The chief audit executive timed the audit fieldwork to coincide with the annual vacation of the chief executive. The internal auditors gathered evidence which showed that the chief executive was using company resources for his personal benefit. Hence, when the chief executive returned from vacation, the chairman of the board dismissed him.
Had the chairman of the board not been independent, it would have been harder for the audit committee to deal with this matter effectively. His independence meant that the chairman of the audit committee was able to keep him “in the loop” throughout, without risk that the confidentiality of the enquiry would be jeopardized.
Had internal audit been outsourced to an external service provider, it might have been less likely to learn about the alleged misconduct by the chief executive. However, internal audit is often identified as a point where concerned employees may blow the whistle, and this can be so whether or not internal audit is in-house.
The Scope of Internal Audit
Contemporary internal auditing provides assurance to management and to the board, and also offers consulting services. The nature of both these services should be set out in the internal audit charter. The two services overlap: an assurance audit is likely to lead to advice on making improvements; consulting work may reveal issues that have to be taken up by internal audit in the context of its assurance role. Of the two, assurance is the core role, but some would argue that not to offer consulting services would now be inconsistent with professional internal auditing standards and would miss an opportunity to add value.
There should be no no-go areas for internal audit assurance as this limits the assurance that internal audit is able to provide; where there are no-go areas (i.e. restrictions of scope) the implications need to be clearly understood by those who rely on the assurance that internal audit gives.
Unlimited scope for internal audit includes the authority to audit across the operational areas of the business, not just within accounting and finance, and at all levels. An emerging issue is whether internal audit is able to provide assurance to boards themselves that the policies of boards are being implemented by management and that there are no banana skins round the corner, unknown to the board, on which the company may slip in the future.
Consulting services by internal auditors may include the provision of counsel and advice, of facilitation (such as facilitating control self-assessment workshops of managers and staff), or of training services. Internal auditors avoid assuming any management responsibilities as part of their consulting services, nor would they take on responsibility for designing processes except in an advisory capacity. One reason is that internal auditors need to be independent of management processes in order to be able to audit those processes objectively.
Internal auditors will undertake consulting work only when both internal audit and the client consider this to be justified. On the other hand, the management of a business activity should not be allowed to prevent an assurance audit from taking place.
“The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.”3
More and more heads of internal audit are being asked not just to report the results of individual audits but also to provide overall assurance opinions, annually or more frequently, to top management and to boards or their audit committees. This makes it more important that internal audit optimizes the utilization of its scarce internal audit resources—in order to maximize the reliability of the overall opinion that internal audit gives.
Internal audit should plan its program of audits annually, based on a risk assessment which makes use of inputs from management and from the board or the board’s audit committee. Internal audit should map its plan of audits to management’s own risk map or risk register. But a proportion of internal audit time should be set aside to “look round the corners” that top management are not looking around in case there are major unnoticed or concealed risks. Not all critical risks may be on top management’s radar screen, and so value is added when internal audit spends a proportion of its available time auditing in areas of the business that are not perceived to carry significant risks.
While the future plan of audits will be determined annually, the internal audit function should have a longer perspective on audit coverage that takes into account audit work done over previous years and earmarked to be done over the next three years or so. The chief audit executive should consider the extent to which work done in earlier years can be utilized in coming to the overall assurance opinion.