Overseeing Internal Audit

Be wary of the HIA appearing too close to the ACC. If the HIA is seen as the ACC’s Representative On Earth, it might create conflict with management. And if he or she is too close to management, the Audit Committee won’t have complete confidence. The HIA needs to achieve a careful balance to enable them to be trusted by both sides, and this takes more than formal relationships. An experienced ACC will, at an early point, help the HIA spot if this starts getting out of kilter.

Don’t allow Internal Audit and management to take the comfortable way out by supposing that process failures have their root causes at process level. In a sense they do – but equally, every process failure is to some extent a management failure. The Audit Committee is a forum for helping first-line management get better at identifying issues, learning from them and ensuring processes and controls are improved.

Avoid thinking of the Audit Committee as a “fourth line of defence”, whose contribution can be measured in the number of things it’s picked up. Or conversely, fostering a sense that the Audit Committee is there to catch management out. The Committee needs to be assertive in getting answers but avoid becoming overly combative or superior.

Don’t let Internal Audit and Risk become the intermediaries between the Audit Committee and management – or, even less helpfully, looking to the HIA for corrective action when it’s the process or control owner who needs to find the remedy. Managers shouldn’t only be summoned to the Committee to “face the music”. The Audit Committee needs to keep encouraging management to take responsibility for identifying and mitigating risk, which means taking an interest in what they are doing to make things go right.

There is little real value in dogmatically pursuing completion of an audit plan that might have been created 18 months earlier, just so that the end-of-year report to the Audit Committee can proudly announce that 100% of plan has been achieved.

Resist the temptation to put progress against plan as the first, and by implication the most important, KPI and letting this take up most of the discussion time. It’s more useful to look at, for example, management’s progress in fixing audit issues. Softer, but often very meaningful, indicators are the length of time needed to finalise reports and whether management responses show that root causes are being properly addressed.

Internal Audit shouldn’t follow the management structure all the time. That usually suits management well, but it’s missing a valuable opportunity to look across the organisation and understand the effect of structural disconnects.

Don’t assume that compliance with IIA Standards should be the central focus of the EQA. Internal Audit should have its own quality processes in place to ensure professional standards are maintained. It’s more useful for the EQA to look at how Internal Audit is being managed (and supported by the AC and by management) to maintain standards and keep it effective and relevant.

Beware of falling into the lazy trap of just asking the Audit Committee and the executives if the audit reports and HIA are okay. Five years is a long time to wait for a proper review, so take the opportunity to get the views of different levels of management (including those on the receiving end of audits) as well as the Committee and Internal Audit themselves. This may uncover valuable improvements that can be made – even where things appear fine on the face of it.

It can be easy for the Committee to have contact only with the HIA, and – apart from the ACC – only at meetings. This is a missed chance to get to know the team and to get visibility for succession planning. And it’s good for the team’s morale if they can see that the Audit Committee members are interested in them.

It’s not particularly helpful for the HIA to take the Board through a bulleted list of “red” weaknesses that have already been considered by the Audit Committee. If you invite the HIA into the boardroom, it should be an opportunity for them to give more of a personal opinion and to answer questions from angles different to those of the Audit Committee.

Avoid using someone from Finance as Audit Committee Secretary. The Audit Committee’s first responsibility is for the quality of financial reporting, so this arrangement looks odd and does not inspire confidence.