By George Cavaleros
Internal audit is not a one-size-fits-all function, and typically not everyone in the organisation agrees on what its primary focus should be. If you ask yourself as an audit committee member what you see as internal audit’s primary function—assurance and value protection, strategic focus and value creation, business risk insights and risk mitigation, or some combination thereof—and compare your response to those of other key stakeholders in the organisation, you may be surprised at the range of views you encounter.
The key activities of leading-edge internal audit functions align with the expectations of the audit committee and management, and are flexible enough to meet the changing business strategies and needs of the organisation. Often, internal audit primarily concentrates on financial and compliance areas; however, in some organisations, more of an enterprise risk focus may be adopted—one that considers strategic and operational risks as well as financial and regulatory risks, with internal audit serving as a strategic adviser.
To continue to enhance the expected performance of the internal audit function and its value to the organisation, audit committees should periodically assess whether internal audit is performing the appropriate activities, has adequate resources and is proactively identifying risks and monitoring critical controls. This article explores the audit committee’s role and offers leading practices to consider in evaluating internal audit and the chief audit executive (CAE).
Aligning and measuring internal audit expectations
In many organisations, audit committees and management have differing expectations of internal audit. An optimised internal audit function can provide a balance between protecting and enhancing enterprise value by taking a holistic approach to risk management across the enterprise and providing independent and objective assurance with value-added advice.
For internal audit to be successful, it is important for the CAE to clearly understand the following from the audit committee and management:
- the specific expectations for internal audit;
- the perception of the value that internal audit adds to the organisation and the audit committee, as well as how the success of internal audit activities is measured.
An effective relationship between the audit committee and internal audit is fundamental to internal audit’s success, with the audit committee clearly setting and articulating expectations of strategic focus, providing the appropriate level of support for achievement and holding internal audit accountable. Key performance measures will vary significantly depending on internal audit’s strategic emphasis, although an evaluative approach that measures quantitative and qualitative factors should be considered.
In addition to regularly reviewing performance metrics and recalibrating internal audit’s activities when appropriate, the audit committee and internal audit may consider periodically revisiting the alignment of expectations and how internal audit supports the strategic and operational objectives of the organisation. Because risks and opportunities constantly emerge, it is important for internal audit’s charter, risk assessment process and audit plan to be dynamic enough to allow internal audit to take a proactive and forward-thinking approach.
If you were to look back at your organisation’s internal audit plan from a few years ago, you would probably not find audit areas such as corporate responsibility and sustainability, cyber threat management, ethics, cloud computing or social media. The more dynamic the internal audit function and its activities, the more effectively internal audit can support the organisation in adapting to emerging issues and responding, based on a changing risk profile. It is important that the audit committee, as well as management, have full visibility into the activities of internal audit, and that it be involved in the development of the function’s objectives, audit plan and activities.
An essential component of the relationship with internal audit is the audit committee’s monitoring of the results of internal audit’s quality assurance and improvement programme. Such a programme, which includes both internal and external assessments, is required for compliance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, and is designed to enable an evaluation of the internal audit function, assess its efficiency and effectiveness and identify opportunities for improvement. The results of these assessments, often referred to as a peer review, should be discussed on a timely basis with the audit committee.
Audit committees may also consider engaging an experienced external party to perform a strategic assessment of internal audit that considers areas beyond the peer review, to aid in challenging and setting internal audit’s role in the organisation. This assessment primarily focuses on optimising internal audit to bring the most value to the company and the audit committee. It can help the audit committee answer tough questions about internal audit’s performance and practices and align internal audit’s activities with the organisation’s strategic objectives and priorities.
Securing the appropriate resources for internal audit to meet expectations
In many organisations, the audit committee is responsible for approving the internal audit budget, and this approval is typically based on management’s recommendation. How often does the audit committee challenge the recommended internal audit budget?
In some organisations, internal audit, like many other areas of the organisation, may be under pressure to contain or decrease its expenses, while responding to emerging risks and the expectations of audit committees and management to expand coverage.
There are certainly opportunities for internal audit to challenge its historical budget and do more with less. Greater use of technology, such as effectively leveraging data analytics and the utilisation of outside service providers as a cost-effective means of performing internal audit projects, are just two considerations for doing so.
While the audit committee may first consider whether internal audit is effectively using available resources, it may also want to assess whether the function is appropriately funded and staffed to meet expectations. One consideration is whether internal audit has the appropriate mix of skills and certifications to achieve strategic objectives and proactively identify and address current and emerging risks. An effective evaluation by the audit committee of the appropriateness of resources is not limited to the internal audit team, but also includes the CAE.
The reporting structure of the CAE can also be considered in evaluating the effectiveness of internal audit. In many organisations, the CAE reports functionally to the audit committee and administratively to the CFO or CEO. This dual reporting structure, particularly when considered with the effects of rotational models and performance and compensation processes driven by the CFO or CEO, can present real or perceived issues in terms of independence and effectiveness.
Audit committees can help mitigate this challenge through having an open and transparent relationship with internal audit that allows the CAE to regularly and freely discuss issues and concerns outside the presence of management, and through actively participating in the CAE’s performance evaluation and compensation process. The perception of the experience and knowledge of the CAE and the internal audit team can also affect how internal audit is regarded and respected in the organisation.
If the CAE is viewed as not having the appropriate stature in the organisation, or if the CAE or the internal auditors are viewed as lacking the necessary business acumen, internal audit may not have the respect and visibility needed to be effective.
Understanding internal audit’s role in the organisation
In assessing the effectiveness of internal audit, it is critical that the audit committee understand how internal audit relates to, and interacts with, other risk management-related functions, such as enterprise risk management, legal, security, environmental, health and safety, loss prevention and compliance.
This includes evaluating who is doing what and whether there are any gaps or duplications between internal audit and these groups regarding the assurance being provided.
It is also important that the audit committee be cognisant of how internal audit interacts with the external audit provider. Greater efficiencies and effectiveness can be achieved if the two work together to discuss risk assessments, the scope and execution of procedures and other opportunities to coordinate effectively. In addition, the external auditor’s perception of an organisation’s internal audit function can be an important indicator to the audit committee.
Fostering a mutually beneficial relationship with internal audit
Communication is an important component in maintaining an effective relationship between the audit committee and internal audit. Clear articulation by the audit committee of its expectations regarding both formal and informal communications can help facilitate a successful relationship and support internal audit in meeting its objectives. Internal audit’s communications should be timely, actionable, and relevant, with a priority on the implementation of recommendations and resolution of issues. In some organisations, inadequate focus is placed on reporting, follow-up and resolution activities.
This can result in information not being reported timeously to the audit committee or not being presented at the appropriate level of detail. Just as importantly, known issues may not be addressed timeously or effectively. In addition, it is important that the audit committee understands the depth and breadth of coverage by internal audit to avoid having a false sense of assurance regarding the scope of internal audit’s activities.
A CAE with executive presence and strong communication skills who provides ongoing communications that are direct, relevant, frequent, timely, and that demonstrate the appropriate level of rigour in confirming the resolution of audit issues, will have greater authority and credibility with both the audit committee and management.
Effective internal audit communication with the audit committee can also foster the ability of the audit committee to use the CAE as an internal source of information and insight on evolving business strengths and challenges, as well as the climate of internal controls in the organisation.
It has become increasingly important for audit committees to assess whether internal audit is performing the appropriate activities, has adequate resources and is proactively identifying risks and monitoring critical controls. The specific expectations for internal audit functions vary by organisation, but audit committees can facilitate a mutually beneficial relationship by setting high expectations, clearly communicating these expectations and holding internal audit accountable for meeting them.
By performing a periodic assessment of internal audit, audit committees can help align expectations with other key stakeholders, support the CAE in assessing the function’s ability to meet expectations and secure resources as needed. This assessment can help the audit committee to confirm that internal audit meets the needs of the organisation, both today and in the future.
George Cavaleros, CFA, CIA is Partner at Deloitte.
This article was originally published in the April 2013 issue of ASA.