Institute's welcome | John Wood, CEO, Chartered IIA
Effective risk management is an essential part of an organisation’s corporate governance structure. Risk committees and separate risk functions are required by regulation in some sectors, such as financial services, and increasingly common as good practice. Internal audit should be independent of this function and be neither responsible for, nor part of, risk management. While the Chartered Institute advocates the three lines model, for a variety of reasons risk management can sometimes fall within the duties of internal audit. Safeguards are essential, which our speaker today, David Hill, CEO, SWAP, will talk about.
Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member
Today’s presentation links to Standard 1112 - Chief Audit Executive Roles Beyond Internal Auditing. Where the chief audit executive (CAE) has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity. Examples include periodically evaluating reporting lines and responsibilities and developing alternative processes to obtain assurance related to the areas of additional responsibility. From a PSIAS perspective there is specific guidance: When asked to undertake any additional roles/responsibilities outside of internal auditing, the chief audit executive must highlight to the board any potential or perceived impairment to independence and objectivity having regard to the principles contained within the Code of Ethics as well as any relevant requirements set out by other professional bodies to which the CAE may belong. The board must approve and periodically review any safeguards put in place to limit impairments to independence and objectivity (see also Standard 1000 Purpose, Authority and Responsibility). Where a joint audit and risk function reports to a joint Audit and Risk committee, CAEs should strive to ensure that the committee also understands its dual role in relation to both functions and that the committee’s Terms of Reference, membership and meetings are structured to enhance the likelihood that both parts are given the requisite focus and attention.
It is also important for boards/audit committees to understand that internal audit needs to form its own view of risk, both to enable it to focus its audit plan on the higher risk areas of the organisation’s activities and to alert the board if it considers that the risk appetite and risk culture are not in line with the organisation’s strategic risk universe. This however is very different to internal audit being directly involved in the management of risk.
Slides from the session are attached. Notes below are supplementary.
David Hill, CEO, SWAP
4 top tips
Chair closing comments | Independence can be compared to the ‘greenbelt’ – we all need to be careful on the permissions allowed to infringe on it. As costs are likely to be constrained further in 2023 there will be pressure for internal audit to take on greater operational roles. Operating without safeguards is dangerous. It increases the risk that where internal audit adds value to risk management, which we do, we are then perceived to be accountable.
Institute's closing comments | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA
Our next session is 25th January 2023 when the topic is HIA Annual Opinion - Join us to consider the content of the annual HIA opinion. What should we be including in an annual opinion, particularly in these turbulent times? How does the perfect storm impact our annual opinions and what about those risks that aren't captured in a risk register?
Useful reference for members that was included in the chat
Thank you everyone, have a wonderful festive break.
The breadth of operational responsibilities held by internal audit was notable among delegates, including not only risk but also counter fraud, insurance, business continuity, health and safety and freedom of information requests.
Comment (précised) | Support the view that internal audit and risk management staff should be separated. It requires discipline to maintain the boundaries in practice; not easy.
Comment (précised) | Maintain separation between staff, frequently have to push back to stay in the amber/green of the fan’s acceptable activities.
Comment (précised) | It is virtually impossible to get staff with proper risk management experience! So internal audit do it all. We have no real second line and because I have to provide an opinion on it I paid an external provider to do a risk management maturity (extra cost which basically validated my views).
Comment (précised) | As HIA, I am the only risk resource to maintain the risk register, keep my internal audit team separate but it’s challenging. It’s a routine exercise twice a year for strategic risk but with limited input from the leadership team. Poor risk awareness and no appetite or resource to improve.
Comment (précised) | Uncomfortable situation having dual responsibility as management see it as internal audit’s job. Considerable independence challenges, including the annual assurance statement.
Comment (précised) | Advise and collate information on risk management. Limited engagement at an operational level, absence of funding and no second line monitoring.
Comment (précised) | In the main, risk management is too mechanistic, the term ‘list register’ fits well for many authorities; too many are very long, almost like procedure manuals with every control in place.