An internal company audit function can contribute to good governance by providing an organisation's directors and audit committee with independent reviews of and suggestions to improve the design and operation of the organisation’s:
Internal auditing can be an important element in the control environment of organisations and can contribute to more effective risk management.
The ASX Corporate Governance Principles and Recommendations (ASX Recommendations) state that if a listed entity does not have an internal audit function, they need to explain a reason. Additionally, they should explain how risk management and internal control processes are managed, evaluated and continually improved in the absence of an internal audit function.
The Hayne Royal Commission and the Commonwealth Bank inquiry (APRA’s Prudential Inquiry into the Commonwealth Bank of Australia) switched the spotlight onto internal audit, highlighting the important role the function can play in the governance structure of an entity.
How can internal audit be independent?
In order to ensure an independent internal audit function:
- the internal audit function should report directly to the audit committee, rather than management;
- the internal audit charter and plan should be reviewed and approved by the audit committee, which should also receive and review reports on internal audit engagements and monitor the performance and independence of the internal audit function; and
- while the internal audit budget may be set with the CEO, the appropriateness of the budget should be reviewed by the audit committee.
Internal audit services may be provided by employees, external service providers or a combination of the two. However, the external auditor should generally not also provide internal audit services to the same organisation.
Internal audit function in corporate governance
Internal audit in Australia should maintain a quality assurance and improvement program, including workpaper reviews and performance evaluations. Periodic external reviews of internal audit may also be appropriate.
To be effective, the internal audit function, while being part of an organisation, must be independent of management and objective in its deliberations.
According to Institute of Internal Auditors-Australia CEO Peter Jones, “the internal auditor should be able to meet privately with the chair of the audit committee and relate their opinion on matters, and only administratively to the CEO”.
Currently, the ASX Corporate Governance Council Principle 7.3 states, “If a listed entity has an internal audit function, the head of that function ideally should have a direct reporting line to the board or to the board committee to bring the requisite degree of skill and independence and objectivity to the role.”
APRA Prudential Standard 510 at paragraph 88 states, “an internal auditor must have a reporting line and unfettered access to the Board Audit Committee”, and at paragraph 91 “to fulfil its functions, the internal auditor must, at all times, have unfettered access to the institution’s business lines and support functions”. ASIC Information Sheet 221 states that internal audit should be independent from management, and “should report directly to the audit committee rather than management”.
“All standards and guidance material state there must be clear reporting lines, unfettered access to all business lines and information, and the internal audit function must be resourced properly.”
Under the Corporations Act 2001, an external auditor cannot be obstructed in carrying out their duties, although the same protections do not extend to internal audit.
The internal audit function should provide effective assurance
The operation of the internal audit procedure is usually structured across ‘The Three Lines of Defence’ model. This model is used by many entities to define and control the risk management environment, and to provide assurance to the Board, Board Audit Committee (BAC), CEO, senior executives and stakeholders about effective governance.
Internal audit independently evaluates and gives an opinion on the adequacy and effectiveness of both the first-line and second-line risk management approaches. It is a form of assurance independent of management. However, the internal audit remit is growing. Modern internal audit functions can play a far greater role, and provide assurance on new and emerging risks such as cyber security, culture and data analytics.
As noted in Managing Culture: A Good Practice Guide, issued in December 2017, “Internal audit has a unique position – it is based within the organisation, but is also independent and objective. Its knowledge of practices across the organisation (gained through ongoing audit reviews) means that it is well-placed to provide a perspective on practices across the organisation, and also to assess risk culture, based on the practices and behaviours they observe.”
Role of the Audit Committee
An independent audit committee is a fundamental component of good corporate governance.
The audit committee is usually established by the board as a sub-committee and its powers are delegated by the board. The board retains responsibility for the decisions, performance and outcomes of the audit committee and should therefore continually monitor the audit committee's activities. It is good practice for audit committee minutes to be circulated to all board members, once approved by the audit committee chair. The audit committee should report to the board on a regular basis.
The roles, composition and necessary powers and responsibilities of the audit committee should be set out in its charter. This is one of the recommendations in the ASX Recommendations. The charter should be evaluated annually to ensure that the committee is operating effectively and fulfilling its functions. Revisions to the charter, or further training and development for committee members, may be necessary as a result of the evaluation.
The audit committee plays a key role in assisting the board to fulfil its oversight responsibilities in areas such as an entity’s financial reporting, internal control systems, risk management systems and internal and external audit functions.
Internal audit can be a powerful weapon in an audit committee’s armoury if there is a strong relationship with non-executive directors (usually through the BAC) and senior management.
Generally, management will implement the agreed actions coming out of the internal audit report. However, the Head of Internal Audit should alert the BAC when management does not follow up on those actions or is taking an unacceptable risk.
Key questions for directors
The Institute of Internal Auditors-Australia provides the following key questions as part of an internal audit plan checklist for directors to better manage the relationship with internal auditors:
- What is internal audit’s role and mandate? Is this outlined in a charter?
- Is the function independent? Is the advice given unfettered and not filtered by management?
- Is there a clear rationale for what is included and not included in the internal audit plan, given its risk-based focus?
- Does the internal auditor follow and report against international standards when conducting their audits?
- Does internal audit provide an annual report showing the value added over the year, systemic issues identified, and trends to better position the organisation in the future?
What are the objectives of an audit committee?
The main objectives of an appropriately established and effective audit committee may include assisting the board to discharge its responsibility to exercise due care, diligence and skill in relation to the following areas:
- Reporting of financial information to users of financial reports;
- Application of accounting policies;
- Financial management;
- Internal control system;
- Risk management system;
- Business policies and practices;
- Protection of an entity’s assets;
- Compliance with applicable laws, regulations, standards and best practice guidelines;
- Providing a formal forum for communication between the board of directors and senior financial management;
- Facilitating communication between the board of directors and the internal and external auditors;
- Facilitating the maintenance of the independence of the external auditor;
- Providing a structured reporting line for internal audit procedure and facilitating the independence of the internal auditor (if the entity has an internal audit function);
- Making a recommendation to the board regarding whether to extend the rotation of the external audit engagement partner, in accordance with section 324DAA of the Corporations Act 2001 (this only applies to listed entities); and
- Considering significant matters raised during the internal audit process.
Is an audit committee mandatory?
ASX Listing Rule 12.7 specifies that an entity that was included in the S&P All Ordinaries Index (the 500 largest entities by market capitalisation) at the beginning of its financial year must have an audit committee during that year. There are further requirements if an entity was also included in the S&P/ASX 300 Index at the beginning of its financial year. In this case, the entity must also comply with the best practice recommendations set out in the ASX Recommendations in relation to the composition, operation and responsibility of the audit committee. Other listed entities are required to disclose whether they have an audit committee, on an “if not, why not” basis, in accordance with the ASX Recommendations.
Who should be members of the audit committee?
The audit committee should be of sufficient size and its members should be independent and have technical expertise to ensure that it is able to discharge its mandate effectively.
The ASX Recommendations state that an audit committee should be structured so that it consists of:
- At least three members; and
- Only non-executive directors.
The majority of the members should also be independent directors.
The committee should be chaired by an independent director who is not the chair of the board. Audit committee members may be appointed for specific terms and need to have an appropriate mix of skills, experience and expertise. The members of the committee should have a mix of accounting and financial expertise, as well as industry knowledge.
What is the relationship between an audit committee, an external auditor and an internal auditor?
External auditors perform an audit to form an opinion about whether annual and half-yearly financial reports comply with the requirements of the Corporations Act 2001 (particularly sections 307-309) and accounting standards, and give a true and fair view of the entity’s financial affairs. Because the independence of the external auditor is critical, auditors are generally nominated by the audit committee and approved by the board, not by management. The formal nomination then goes to shareholders to vote on their election.
The audit committee reviews the scope of the audit and oversees relationships with auditors.
Are you seeking further information about audit and tax matters?
Read our AICD article on How to ensure your company's tax-governance framework is in good working order and our AICD publication Finance Fundamentals for Directors.