Board briefing: What every director should know 2015
Key issues for directors monitoring internal audit’s effectiveness
There are four fundamental issues that should be considered by directors in order to ensure that internal audit maximises its contribution to good governance:
• Internal audit should have a reporting line that makes it independent of the executive and able to make objective judgements, and gives it the necessary authority and standing
• Internal audit’s scope should be unrestricted
• A consistently high level of professionalism and quality must be sustained in internal audit staff’s work based on appropriate knowledge, skills and experience
• Internal audit should use a risk-based approach in developing and executing the internal audit plan, to get the maximum value from internal audit resources.
Ten essential actions to ensure that an organisation maximises the value of its internal audit and gains maximum protection and assurance from its activities
The audit committee should:
1. Take responsibility for the provision of internal audit, including whether to have it and how it is provided
The audit committee should ensure that it has final responsibility for decisions affecting internal audit’s independence and objectivity. In organisations that do not currently have an internal audit function, the audit committee should regularly review the need for establishing one. As part of its management oversight role, and based on the underlying rationale submitted by senior management, the committee should either endorse or challenge any “go/no go” decision. In cases where an organisation’s management opts fully to outsource its internal audit function, the committee should oversee the entire outsourcing process, including ensuring that formal accountability for the appropriateness and quality of the outsourced work is not devolved and that there are no conflicts of interest.
2. Assess and approve the internal audit charter (terms of reference) and review regularly
The audit committee should review and annually approve the internal audit charter to ensure that it is appropriate to the current needs of the organisation and allows the internal audit function to assume fully its responsibilities as a key assurance provider in respect of organisation-wide risk management and control, taking account of changes in the organisation and its operating environment.
3. Ensure a close working relationship with the Head of Internal Audit (HIA), promoting effective formal and informal communication
The audit committee should ensure that the HIA is accountable to its chair, with whom the HIA should enjoy direct and unrestricted communications. The HIA should have similar access to the Board chair. The committee should conduct direct discussions with the HIA at least once a year without the presence of the CEO or other senior managers. It should be informed of any significant differences of opinion that arise between senior management and the HIA on significant risk and control issues.
4. Assess the resourcing of the internal audit function
The audit committee should be directly involved in decisions regarding the functional profile of the HIA, and in respect of his/her intended appointment/dismissal/resignation and remuneration package. The committee should challenge the CEO on these issues in cases where the HIA’s independence or objectivity could be impaired. The committee should obtain from the HIA advice on the impact of resource limitations on the internal audit plan. It should periodically obtain assurance from the HIA that the internal audit function collectively possesses – or has access to – the required skills to execute the internal audit plan effectively and to report engagement conclusions and recommendations adequately. If there are resource or skills gaps, the committee has responsibility for deciding adjustments to the internal audit function’s capacity and should formally approve any decision to omit high-risk areas from internal audit scrutiny due to resource constraints.
5. Monitor the quality of internal audit work, both in-house and external
The audit committee should review the quality of the internal audit function on an annual basis, ensuring that it is free to work independently and objectively, i.e. free from the influence of those being audited. It should ensure that internal audit performs in accordance with the appropriate professional standards (the Institute of Internal Auditors’ Code of Ethics and the International Standards for the Professional Practice of Internal Auditing), including an effective quality assurance and improvement process. The chair of the audit committee should also be directly involved in the appraisal of the HIA. The committee should periodically review the required frequency for external assessments of the internal audit function, although every five years should be the minimum. It should review the qualifications and independence of the external reviewer or review team, including any potential conflicts of interest, and ensure that it is informed in a timely manner of the results and related actions for improvement, including the nature and frequency of the internal audit assessment process. The committee should effectively monitor the adequate and timely implementation of the corrective actions following the external quality assessment.
6. Evaluate, approve and regularly review the risk-based annual internal audit plan
The audit committee and the CEO should provide input to the HIA in his/her drafting of a risk-based internal audit plan. They should discuss with the HIA the content of the audit plan. Particular attention should be paid to:
– The process used by the HIA to assess areas of significant risk to the organisation, which will affect the targeting of internal audit activities;
– The extent of the internal audit universe, which will affect the potential breadth of internal audit’s activities within an organisation;
– The extent to which both design and performance of internal control systems will be considered in the course of internal audit activity.
After having reviewed and discussed the plan, and proposed changes as necessary, the committee should formally approve the internal audit plan. The committee and the CEO should discuss and approve any significant changes to the plan during the year proposed by the HIA.
7. Oversee the relationship between internal audit and centralised risk monitoring
The audit committee, working with the board and CEO, should ensure that there is appropriate task allocation and coordination between the internal audit function and the second line of defence (see below), such as risk management, financial controls and compliance. The committee should ensure that the internal audit function evaluates both first and second line of defence risk management activities as part of its internal audit plan and provides assurance on the effectiveness of the governance of risk, including how both lines of defence operate.
Internal audit’s work should encompass all elements of an institution’s risk management framework (from risk identification, risk assessment and response, to communication of risk-related information) and all categories of organisational objectives: strategic, ethics/values and culture, operational, reporting and compliance. Where the role of internal audit is combined with elements from the first two lines of defence, for example facilitating risk management or managing the internal whistleblowing arrangements, the audit committee must consider potential conflicts of interest and ensure it takes measures to safeguard the objectivity of internal audit.
8. Ensure the collective assurance roles of internal audit, other internal assurance providers and external audit, are coordinated and optimised
The audit committee should ensure that there is open communication between internal and external auditors; it should oversee the manner in which the activities of the internal audit function and those of external audit make the best use of each other’s work and avoid any risk of duplication. The committee should also ensure that the work of all internal and external assurance providers is coordinated and optimised so that there are no significant gaps and that duplication of effort is avoided. This could be a simple mapping exercise showing who is providing assurance against each principal risk, allowing the committee to identify and thus avoid duplication and gaps.
9. Assess internal audit findings and the breadth and depth of internal audit reports
Based on a comprehensive overview, the audit committee should periodically consider and evaluate:
– Its need for internal audit reporting, including how this should be delivered;
– The most significant findings of internal audit during the latest audit period;
– The progress and adequacy of implementation of internal audit recommendations by management;
– Progress in executing the audit plan;
– Issues of concern regarding the staffing and resources made available for the internal audit function;
– The extent to which the internal audit charter fully reflects what internal audit does.
10. Monitor management implementation of internal audit recommendations
The audit committee should assess the progress of the implementation of the audit recommendations, placing specific emphasis on major risk and control issues and implementation backlogs, and should discuss the causes of significant backlogs and follow-up with management. The committee should discuss with the HIA those cases where, by not acting on an internal audit recommendation, the HIA believes that senior management has exposed the organisation to a level of residual risk that may not be acceptable to the board.
The Three Lines of Defence model for the management of risk
To ensure the effectiveness of an organisation’s framework for managing risk, the board and senior management need to be able to rely on effective line functions – including monitoring and assurance functions – within the organisation. The IIA and the IoD endorse the “Three Lines of Defence” model as a valuable way of explaining the relationship between these functions and as a guide to how responsibilities can be effectively divided: first line operational management controls, second line the monitoring of controls and third line independent assurance, above all by internal audit.
The first line of defence, operational management, has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
The second line of defence covers several components of internal governance (compliance, risk management, quality, IT and other control departments). These monitor and facilitate the implementation of effective risk management practices by operational management, and assist the risk owners in reporting adequate risk-related information up and down the organisation.
Internal audit forms the organisation’s third line of defence. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the board and senior management on how effectively the organisation assesses and manages its risks, including assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an institution’s risk management framework (from risk identification, risk assessment and response, to communication of risk-related information) and all categories of organisational objectives: strategic, ethical, operational, reporting and compliance.
The use of the three lines of defence in an organisation’s risk management model should not be regarded as an automatic guarantee of success. All three lines need to work effectively with each other and with the audit committee in order to create the conditions for sound risk management.
In some organisations the role of internal audit is combined with elements from the first two lines of defence. For example some internal audit functions are asked to play a part in facilitating risk management. Where that happens, boards need to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity of internal audit.