Internal audit status: lessons from Carillion

Early this year the UK woke up to the news of the collapse of construction giant Carillion, an event that raised serious questions about the state and effectiveness of corporate governance in our biggest organisations.

In a country where we are meant to have rigorous requirements in place to avoid exactly this kind of disaster, how could Carillion, which was the UK’s second biggest construction firm and a major service provider for the government, go into liquidation with an insurmountable debt and pension deficit? 

It soon transpired that Carillion had outsourced both its internal and external audit functions. This naturally made people wonder whether the auditors were to blame. “Did they do a good enough job?”  I’ve been asked. “How did internal audit not see this coming?” 

While the answers to these questions are best left to the investigators, I think a pertinent question we should all ask is whether the work of the auditors was valued. The case raises important questions about whether internal audit had sufficient status and influence to question the basis (information and evidence) on which key strategic decisions were taken.

We know that before the financial crisis internal audit certainly wasn’t valued enough in the financial services sector. This led the then-titled Financial Services Authority to request we draft a Financial Services Code, which has since been effective at shaping the role of internal audit in this sector. A revised version was released in September 2017.

But have the lessons of the financial crisis been learnt in other sectors? As I mentioned in the November/December issue, it has become clear that other sectors beyond financial services could benefit from more formal guidance on internal audit. 

This is why one of our key projects at the institute this year will be to look at adapting the FS Code, or creating an entirely new one, for non-financial services organisations. We will focus on the importance of internal audit and the need for status and respect from the leadership team for internal audit to promote its independence and objectivity and do its job effectively.

As internal auditors or professionals associated with internal audit, I’m sure all readers of this magazine would agree with me that it is critical that internal audit has influence at the board and audit committee level of the organisation. 

In a best-practice environment, internal audit is a vital governance tool, helping board members to understand what’s happening on a day-to-day basis instead of them having to feel their way in the dark by relying solely on advice from senior management.

It is vitally important that heads of internal audit have a functional reporting line straight to the audit committee chair to protect internal audit’s independence and give it direct access to the board. It is then up to the board, as advised by the audit committee, to ensure that management responds to the actions it feels are necessary to improve the organisation’s risk management, controls and corporate governance. 

If the board chooses to ignore any observations coming from internal audit it feels are not significant, it is also tasked with ensuring that management acknowledges and accepts the risks associated with taking no action. 

Of course internal audit can never, and should not be expected to, offer 100 per cent guaranteed assurance. 

Given the breadth and depth of its work, this is an unrealistic expectation of internal audit professionals. Instead, it should be viewed as a critical function for mitigating, not eliminating, risk and helping to improve the overall governance of an organisation. 

This article was first published in March 2018.