To support you and your internal audit function to meet rising expectations, the Chartered Institute of Internal Auditors (IIA) recently published a report Building effective internal audit – Putting the pieces together highlighting how, in the financial sector, firms are raising the bar for their internal audit function and harnessing its resources more effectively. These examples of good practice may also be relevant in
The changes we report on are mainly in response to the IIA Code for internal audit, Effective Internal Audit in the Financial Services Sector. Since publication last year, regulators have had a consistent benchmark against which to gauge how audit committees are harnessing, empowering and developing their internal audit functions. So what does a good internal audit function look like?
Ten ways organisations are strengthening their internal audit functions
1. Engagement between the audit committee and head of internal audit (HIA) is crucial. But while support for introducing the right structures and audit scope is important, audit committees also need to be continually engaged on issues around internal audit effectiveness. Informal sessions with the chairman and members of the audit committee
away from formal meetings can be valuable.
2. Having a functional reporting line to the audit committee chairman, supported by an administrative line to the CEO, can transform internal audit’s influence and effectiveness. The PRA and FCA regard the reporting structure as an important indicator of how independent internal audit is of the executive and therefore how effectively it can support the board’s role in challenging management.
3. Attendance at executive committee meetings by the HIA can be valuable in supporting unrestricted scope and access and allowing internal audit to play its enhanced role in supporting the challenge of strategic decisions. Just as important is advance access to documentation for the executive committee and audit committee.
4. Internal audit faces increasing challenges as it engages on strategic and other business issues in a rapidly changing environment. It is vital for internal audit to build up networks of information that enable it to understand the internal and external factors driving risk, using its own judgement.
5. The culture of an organisation is an important factor in decision-making, but there is no single answer to how internal audit should engage on it. The IIA has produced guidance on this, Culture and the role of internal audit – Looking below the surface.
6. Internal audit functions are focussing increasingly on outcomes as well as processes. This is leading to significant changes in audit tools and methods, and the requirement for different skill-sets. New specialist knowledge is also being required of internal audit teams.
7. The strategic positioning of internal audit through the Code is increasing the opportunities for rotation, secondments, “guest auditors” and graduate entry
as the profession becomes more central to good governance. But care is needed in balancing skills and internal audit experience.
8. The Code has strengthened the role of internal audit in challenging, advising on and providing assurance on strategic events, in particular in advance of decisions. This requires more extensive real-time access to information so that internal audit is fully aware of risks around strategic decisions. It should not be directly involved in making such decisions.
This is an area of particular interest to the FCA who see internal audit’s role in key corporate events as key indicator of how firms prepare effectively for strategic change.
9. The importance and scope of continuous quality assessment of the internal audit function have increased, and functions are not just being asked to measure themselves against the IIA International Standards. This is not just thanks to the IIA Code. For some, QA also includes reference to other requirements such as Basel, the Fed and OCC. The PRA stresses that QA is an important function, is not always of a sufficient quality, and needs to be taken more seriously.
10. The PRA regards the IIA Code as a benchmark, although it has said it is prepared to discuss exceptions, where firms believe an approach that is not in line with the Code is right for them. Audit committee chairs need to be prepared for a dialogue with the regulators.
1. Audit committee chairs of organisations outside the financial services sector might like to discuss with their HIA whether any of the measures taken by firms in the financial services sector can help improve internal audit’s support for their audit committee.
2. If your organisation is in a regulated sector, discuss with your regulator what their expectations are of the role and position of internal audit.
3. View our website for IIA audit committee briefings on key issues such as culture and whistleblowing at /policy/boards-audit-committees-governance/audit-committee-briefing.
4. Ensure your HIA has full access to IIA guidance and other technical support.Download PDF