Is the retail sector unclear about role of internal audit?

Technical blog by Liz Sandwith, chief professional practice advisor |  5 August 2016

Internal audit is seen as 'the police' in retail, a study suggests

Internal auditors are still seen as 'police' and the enemy by some in retail, a recent survey shows. That means there’s a lack of understanding of the purpose of the internal audit function, and it’s an attitude that could render the function useless.

Those are the results of a survey by Paris-based global consulting group Mazars, conducted in June with about 120 respondents. 'Regular internal audits are essential for retailers, especially those operating across multiple stores,' according to an article published July 22 in Banking & Finance News. 

It was with interest that Chartered IIA members in the retail sector read the above article about the state of internal audit in their sector. I asked colleagues from the Retail Audit Group if they thought the article made some fair points.

What do members in the sector think? 

Within any industry there will be those operating at the cutting edge and those struggling to keep pace and auditors working within the retail space are no exception. Disappointingly, perhaps due to responses or editorial the article suggested a woeful scenario which the Retail Audit Group did not entirely recognise.

The general misperception that internal controls are the responsibility of internal audit could be said of organisations anywhere. Retail members experience either managing a dynamic online presence and/or a large estate of stores means they are dependent on a plethora of interconnected processes to ensure the customer experience is a good one and the business is successful.

The controls that sit within these processes are owned very much at the first line of the organisation. A common issues that audit does encounter however, is that colleagues on the first line don’t recognise that what they are doing is 'control' or 'risk management'.

Tarnished by the association with internal fraud and theft investigation

The other key finding that audit are still viewed as 'internal police' may well be valid, depending on the responsibilities of audit. Retailers are cost effective in their organisational design and it is common to see audit teams with accountability for loss prevention/profit protection, health and safety, stock reporting, risk management, business continuity and store compliance. Where these teams are investigating fraud and theft on a regular basis there will undoubtedly and rightly be the 'internal police' association. 

In many retail organisations senior management actually prefer a 'compliance style' approach to store audit. It is usually the best way of approaching the retail estate of organisations with a significant numbers of outlets and also fits in very well with the culture of stores. Used properly it can be a very valuable aid to senior store management giving them a slightly different and independent perspective of how well a store is being operated.

Second or third line of defence?

In the retail sector, there are often store auditors and corporate auditors, sometimes part of the same function, other times with separate reporting lines. Herein lies the biggest challenge for professional auditors in the sector, the need to clearly define store auditors in either the second or third line of their organisation. 

Daniel Jacobs concluded that 'Involving the whole company in the internal auditing process not only helps the organisation achieve its goals and objectives, but also provides valuable training and feedback opportunities for store management and personnel'.

Retail sector members agree that an inclusive approach is always beneficial, however, without clear definitions of the role of audit in the retail sector the perceptions of accountability for controls and their execution will always be a grey area. For now though, there are lots of auditors out there doing a great job to ensure good controls are being designed and complied with, promoting effective risk management and educating colleagues to reduce the shades of grey.

Content reviewed: 2 October 2019