By Jackie Cain, Policy Director, Institute of Internal Auditors - UK and Ireland (IIA)

The economic environment in which all organisations are now operating has created a new emphasis on the need for better risk management. A report late last year, by Ernst and Young, showed that 96 per cent of the chief executives surveyed across the globe considered that their risk management programmes could be improved. Improving the management of risk also featured heavily on the Audit Committee ‘To Do’ list for 2010, suggested by KPMG’s Audit Committee Institute. The effective management of risk is a key feature of good corporate governance.

The role of internal audit

The role of internal audit is to provide those responsible for governance with objective and independent assurance on the effectiveness of governance processes. Fundamentally, this includes evaluating the effectiveness of controls on the whole range of risks that the organisation faces. This breadth of coverage enables internal audit to provide boards and audit committees with the information they need to satisfy themselves that all key risks are being effectively managed. For this reason, the Institute of Internal Auditors – UK and Ireland (IIA) defines internal audit as one of the four cornerstones of good governance, along with external audit, the board and management. Internal audit is sometimes confused with external audit and seen as part of the accountancy profession.

But internal audit today is a distinct, independent profession with its own skill set, professional practices and ethical code. This was acknowledged recently when the IIA announced its achievement of chartered status. This marquee of quality for the profession signals its maturity and importance in its own right. In some organisations, internal auditors spend as much as 75 per cent of their time evaluating and reporting on non-financial areas. This is a good indicator of modern internal audit’s breadth of scope. The head of internal audit will work not only with the finance director, but also with other functional heads. Internal audit provides assurance on aspects of the business as diverse as, for example, exposure to financial and non-financial fraud, data security risks, business continuity risks, risks to reputation and risks related to supply chains or acquisition strategy. Internal auditors also proactively look for ways that business processes can be improved to help the organisation achieve its objectives. When internal audit is engaged with all parts of the organisation and focused on all types of risks, it is uniquely placed to provide professional judgment on the current and future effectiveness of risk management and internal control across the whole organisation.

As risk management takes centre stage, internal audit’s unique perspective is becoming ever more valuable. As boards strive to ensure that their risk management processes are properly integrated with no gaps in controls, internal audit is the only management function which can provide an overall view on an organisation’s total risk management effectiveness. Boards, audit committees and executive management derive different benefits from the core functions of internal audit. They all want their organisation to be more effective at delivering on its objectives for all its stakeholders. But each has a different perspective and as a result, the value they each extract from internal audit differs too. Let’s look at each of these components of the organization to highlight the value they each derive from internal audit.

The audit committee

This is often primarily focused on external financial reporting. But this emphasis is fast changing and the audit committee needs assurance about risk management and non-financial internal control as well as their need for external audit assurance about financial risks and controls. The value which internal auditors bring here is enhanced by their detailed knowledge of the organisation. They know the systems, the procedures and they understand the risks. They also know the people and the business environment in which the organisation is operating. The internal auditor has greater independence than any other manager. This independence enables the internal auditor to be more objective in evaluating controls and reporting on their effectiveness. They can do this because they are not absorbed in the day-to-day detail of the business and can bring a fresh view to risks and controls. So, the value of internal audit to the audit committee is, increasingly, its independent and expert judgment on the effectiveness of risk management and internal control.

Figure 1: Internal audit is one of the four cornerstones of
good governance

 

The board

The board’s perspective is broader than that of the audit committee but it is increasingly concerned about risk management and internal control. It is ultimately responsible for directing and controlling the organisation. It needs to know that there is confidence in the risk management process; confidence in management’s assurances about risk management and internal control; and confidence that regulators, standard setters and others who monitor the organisation will be satisfied with the organisation’s performance and governance. For both the executive and non-executive board member, internal audit’s value is in providing that confidence.

Executive management

Managers need to be able to demonstrate to their boards that they are in control of the organisation and anticipating its future needs in terms of risk management and internal control systems. They want to know that their area of the organization is being run the way they need it to be run. They therefore value the unbiased eye of the internal auditor in helping them to do this. They want internal audit’s opinion and assurance that things are working well. But, more importantly, they want early warnings when things need improvement. There is some debate within the profession about the best way to achieve improvements. Line managers know their departments and requirements best.

So, some internal auditors make recommendations and agree them with managers; others involve managers earlier by discussing the problem and working together to identify an effective and practical solution; and there are further variations on these approaches. Whatever the method, a key part of the internal auditor’s role is to help their organisation to achieve its objectives by ensuring that risks are managed as effectively as possible.

By assessing and reporting on the effectiveness of the organisation’s response to risks, internal auditors can highlight to management where changing circumstances have altered the nature of risks. This then allows them to highlight how controls need to change in response to the new threats. During the current recession, many organisations are identifying increased risks caused by staffing reductions or changes to recruitment policies, outsourcing of services and supplier changes, for example. In such cases, the controls in these areas may need to change too.

Internal audit’s breadth of scope and its increasing engagement at each of these three levels — the board, audit committee and executive management — means that the nature of the relationship between the finance director and the head of internal audit has been changing. Heads of internal audit increasingly have a second reporting line to the Audit Committee and sometimes have no formal link to finance. However, finance directors tell us that the coming of age of internal audit has brought both operational and strategic benefits to them.

The benefits of internal audit

Strategically, finance directors can look upon the head of internal audit as someone he or she can work with on an equal basis to ensure that the business is achieving its objectives, operating in a cost effective way and maximising its return on investments while at the same time managing risks effectively. If internal audit is proactively looking for ways that business processes can be improved, while at the same time improving the effectiveness of controls, this can have a positive impact on the bottom line. All of this work supports the finance director because it is helping to link strategic risks to budgets and to the setting of objectives. The head of internal audit can now be the finance director’s best friend in achieving their strategic, financial and operational objectives. The internal audit profession is looking  to the finance director to support them in achieving this potential. The head of internal audit’s relationship with the finance director is one of many which must be built — up, down, and across, the organisation. Building such relationships inspires confidence in internal audit and enhances its influence. And internal audit’s influence can be instrumental in creating an organisational culture which encourages continuous improvement in the management of risks. The nature of those risks is changing more quickly than ever during this challenging economic period. Internal audit’s role in enabling better risk management strengthens corporate governance. A well-resourced internal audit function can therefore play a vital role in supporting organisations to achieve their strategic objectives. Enabling this role requires the right reporting lines, strong internal relationships and the support of a responsive board.
 

Jackie Cain

Jackie Cain is Policy Director at the IIA -  UK and Ireland.Jackie studied economics at Newnham College, Cambridge, trained as an accountant and then moved into internal audit with a UK plc. She has worked as a computer auditor and head of internal audit, as well as in strategic management and programme management, in the UK, Europe, the US and Asia. She is active in the development of the profession internationally. 

This article appeared in Finance Director published by CCH (www.cch.co.uk), a Wolters Kluwer business.