Overseeing Internal Audit

Overseeing Internal Audit

The Audit Committee has many jobs, but in this Bulletin we focus on how it works with Internal Audit. This has always been an important relationship, since it provides the board with detailed independent insight beyond the information supplied by management. However, the recently-expanded expectations of Audit Committees means it is more important than ever. And of course, besides relying on it for information and assurance, the Audit Committee must also maintain oversight of Internal Audit.

So it must keep under review the effectiveness of Internal Audit within the organisation, and challenge and approve the audit plan. Yet, it is surprising how often we see a weak relationship between the Audit Committee and Internal Audit. Here we take a look at some simple pointers which can help to improve things.

Good practices to consider…

The Head of Internal Audit (HIA) and the Audit Committee Chair (ACC) need to trust one another. That means they need to get to know each other and be able to bring issues to the other, confident of them being handled in a way that will make things better rather than worse. Trust is more likely to exist if the two have a good informal relationship, as well as the formal one.

Things to avoid…

Be wary of the HIA appearing too close to the ACC. If the HIA is seen as the ACC’s Representative On Earth, it might create conflict with management. And if he or she is too close to management, the Audit Committee won’t have complete confidence. The HIA needs to achieve a careful balance to enable them to be trusted by both sides, and this takes more than formal relationships. An experienced ACC will, at an early point, help the HIA spot if this starts getting out of kilter.

Good practices to consider…

When looking at audit findings, the Committee should ask, “Why did management need Internal Audit to tell them this?” There can be good reasons, such as lack of resource, speed of change or inadequate information for effective monitoring, but by identifying why management didn’t spot the problem, the Audit Committee can help them to address it.

Things to avoid…

Don’t allow Internal Audit and management to take the comfortable way out by supposing that process failures have their root causes at process level. In a sense they do – but equally, every process failure is to some extent a management failure. The Audit Committee is a forum for helping first-line management get better at identifying issues, learning from them and ensuring processes and controls are improved.

Good practices to consider…

Set high but realistic expectations. Of course things will sometimes slip through and the Audit Committee needs to show understanding, especially if the failures have a low impact.

Things to avoid…

Avoid thinking of the Audit Committee as a “fourth line of defence”, whose contribution can be measured in the number of things it’s picked up. Or conversely, fostering a sense that the Audit Committee is there to catch management out. The Committee needs to be assertive in getting answers but avoid becoming overly combative or superior.

Good practices to consider…

Operational leadership should routinely come to the Audit Committee to explain what they do to manage risk and control. The best way for the Committee to gain a full understanding of how management keeps control is to get key managers in front of them on a rolling programme.

Things to avoid…

Don’t let Internal Audit and Risk become the intermediaries between the Audit Committee and management – or, even less helpfully, looking to the HIA for corrective action when it’s the process or control owner who needs to find the remedy. Managers shouldn’t only be summoned to the Committee to “face the music”. The Audit Committee needs to keep encouraging management to take responsibility for identifying and mitigating risk, which means taking an interest in what they are doing to make things go right.

Good practices to consider…

Move towards an agile audit plan which is constantly evolving to meet changing risks. This is something many businesses are already doing, in various ways. One simple example is to have a twelve-month plan which is only indicative for the final nine months and is revised every quarter based on Internal Audit’s continuous monitoring of risk and control indicators across the organisation.

Things to avoid…

There is little real value in dogmatically pursuing completion of an audit plan that might have been created 18 months earlier, just so that the end-of-year report to the Audit Committee can proudly announce that 100% of plan has been achieved.

Good practices to consider…

Review the KPIs that Internal Audit reports to the Audit Committee (and, one hopes, uses for its own purposes!) to ensure that, so far as possible, they show the outcomes of Internal Audit’s work rather than the inputs. What has been the impact on the organisation?

Things to avoid…

Resist the temptation to put progress against plan as the first, and by implication the most important, KPI and letting this take up most of the discussion time. It’s more useful to look at, for example, management’s progress in fixing audit issues. Softer, but often very meaningful, indicators are the length of time needed to finalise reports and whether management responses show that root causes are being properly addressed.

Good practices to consider…

Make sure Internal Audit looks across siloes to identify problems which might be spotted and fixed in one part of the business, but surface in another. This is often achieved by “thematic” audits which look at the control of an organisation-wide risk, or at cradle-to-grave controls over a process as it crosses organisational boundaries.

Things to avoid…

Internal Audit shouldn’t follow the management structure all the time. That usually suits management well, but it’s missing a valuable opportunity to look across the organisation and understand the effect of structural disconnects.

Good practices to consider…

Use the five-yearly External Quality Assessment (EQA) to get an independent perspective on Internal Audit’s relevance to the needs of the business. Choose the reviewer with an eye on how far they will look at the more subtle elements of the relationship, as well as their knowledge of Internal Auditing (IIA) Standards.

Things to avoid…

Don’t assume that compliance with IIA Standards should be the central focus of the EQA. Internal Audit should have its own quality processes in place to ensure professional standards are maintained. It’s more useful for the EQA to look at how Internal Audit is being managed (and supported by the AC and by management) to maintain standards and keep it effective and relevant.

Good practices to consider…

Use annual reviews to make sure Internal Audit stays relevant? Ask, “What does the business need from Internal Audit?” while taking into account the scope and effectiveness of the other assurance and control systems that exist within the organisation. What assurance do the Board and executives need? Is Internal Audit delivering it? And is it properly equipped to meet the changing needs of the organisation.

Things to avoid…

Beware of falling into the lazy trap of just asking the Audit Committee and the executives if the audit reports and HIA are okay. Five years is a long time to wait for a proper review, so take the opportunity to get the views of different levels of management (including those on the receiving end of audits) as well as the Committee and Internal Audit themselves. This may uncover valuable improvements that can be made – even where things appear fine on the face of it.

Good practices to consider…

Have contact with other members of the Internal Audit team. Ask the HIA to bring some to AC meetings on rotation. And it’s very useful for the ACC (and perhaps other Committee members too) to attend Internal Audit events such as the annual conference – useful to them as well as much appreciated by the auditors.

Things to avoid…

It can be easy for the Committee to have contact only with the HIA, and – apart from the ACC – only at meetings. This is a missed chance to get to know the team and to get visibility for succession planning. And it’s good for the team’s morale if they can see that the Audit Committee members are interested in them.

Good practices to consider…

Invite the HIA to the Board once per year. This lets the Board ask them about their feelings and informal views, bringing colour to any formal opinion on the overall control and assurance environment. And it’s an opportunity for the HIA to build credibility and maintain the Board’s confidence.

Things to avoid…

It’s not particularly helpful for the HIA to take the Board through a bulleted list of “red” weaknesses that have already been considered by the Audit Committee. If you invite the HIA into the boardroom, it should be an opportunity for them to give more of a personal opinion and to answer questions from angles different to those of the Audit Committee.

Good practices to consider…

If the organisation is too small to have a secretarial function that is adequately equipped to support the Audit Committee, use someone from Internal Audit. Their quasi-independent role makes them the most credible for the job.

Things to avoid…

Avoid using someone from Finance as Audit Committee Secretary. The Audit Committee’s first responsibility is for the quality of financial reporting, so this arrangement looks odd and does not inspire confidence.

Good practices to consider…

Don’t be embarrassed about tackling succession planning with the HIA. It’s normal for them to advance in their career either by moving on to be HIA in a bigger organisation or moving to a different role in the same one. It’s not good for them to spend indefinite time in the same role, and we’re increasingly seeing a seven-year term limit becoming the norm for HIAs. So talking about the HIA’s career plans and what it means for succession should be natural.

Things to avoid…

Ignoring the matter of HIA succession and hoping it – rather than the HIA – will go away is not an option. Nor is simply treating the internal audit function as a career dead end. The Audit Committee can encourage the HIA to succeed in their career development in a way that inspires the rest of the team too.

Download This Post

To download a PDF of this post, please enter your email address into the form below and we will send it to you straight away.



Ready to speak to a board evaluation specialist?

Learn how we help boards to become more effective and have a bigger impact on strategic performance.