Domini Stuart discovers that all organisations – not just listed companies – can benefit from having an internal audit function in place.
The recently-released third edition of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations includes new requirements concerning internal audits. All listed entities must now disclose whether they have an internal audit function and, if so, how it is structured and performs. If they do not, they need to explain what they are doing in terms of risk management and internal controls.
“Given the extent of today’s scrutiny of directors and senior officers, it’s hard to see why a board would not want a good internal audit function or, indeed, how directors can fulfil their duties without one in place,” says Peter Jones, CEO of the Institute of Internal Auditors (IIA) – Australia (Twitter @IIAAust). “Internal audit gives the board and management comfort that key risks are being managed, laws and regulations are being complied with, the right checks and balances are in place and known deficiencies are being acted on. These all go to the heart of directors’ duties in every kind of organisation.”
Understanding the scope
There is still some confusion around what the audit profession can and should do.
“Although it’s getting less common, I’ve seen organisations where even the audit committee consists of inexperienced directors who still think of it in terms of financial statements,” says Mark Harrison MAICD, managing director of risk and business consulting group Protiviti.
In fact, internal audit should add value to the organisation as a whole by driving the efficiencies and process changes that will help it achieve its strategic objectives.
“A strong, strategic internal audit function integrates compliance, controls and sophisticated risk management with an organisation’s mission and vision as well as stakeholder expectations,” says Marita Corbett, partner, risk advisory, at BDO Australia (Twitter @BDOAustralia). “It can also facilitate better communications between various business areas. Understanding the effect each team has on business performance and process is a very powerful skillset.”
Carmel Mortell, KPMG’s partner in charge of internal audit, risk and control services, believes the key role of internal audit is to inspire confidence in an organisation’s control environment. And anecdotal evidence suggests this confidence could be a market differentiator.
“When external parties such as investors, shareholders and regulators see an internal audit function they derive a degree of comfort from knowing that the company is committed to good risk management and internal controls,” says Harrison.
Internal audit can also help proxy advisers and institutional funds managers form their views on the quality of management, governance and the value of the stock.
“They have been frustrated for many years by the inability to determine from annual reports whether an internal audit function is in place and whether it is sound,” says Jones.
All kinds of organisations
Jones is surprised by the number of unlisted companies and not-for-profit organisations without an internal audit function at all or which have one that is running at an inappropriate level.
“Not having your house in order is the quickest way to destroy any organisation or its reputation,” he says. “That’s why internal audit has been mandatory for most government entities in Australia for many years.”
As Harrison points out, smaller and less mature organisations might be particularly vulnerable to risk associated with process and control failure, or even fraud. They are also likely to be very conscious of cost, though Robyn Cooper, internal audit principal of accounting group Crowe Horwath, believes that the cost should be outweighed by the savings.
“Internal audit can save organisations substantial amounts of money by helping to identify errors and recommending tailored process improvements,” she says. “It will evaluate processes associated with regulatory compliance, IT and security, business continuity and disaster recovery and other core processes to ensure risks are adequately addressed and that the organisation is sustainable, all of which will help to protect its reputation. And, external auditors can rely on testing and work performed by internal auditors, which can also streamline the process and cut this cost.”
An internal auditor does not have to be a full-time employee. “The quickest and most cost-effective way for smaller organisations to get started is through two or three targeted reviews each year performed by a firm or contractor,” says Jones. “We would suggest that audits of areas such as core financial cycles, sales, billing, procurement, payables and payroll are good places to start, along with IT and information systems. These are areas where most internal auditors have a strong track record, know where to look and are able to get a result quickly, demonstrating that this is a sound investment. They are also areas where detail counts and there is often much “low hanging fruit”. From here, core business and areas experiencing recent change in systems or personnel also provide fertile ground.”
Some organisations with common goals and interests also set up a shared service.
“This allows them to build and retain a critical mass of skills and knowledge with an in-house flavour,” says Jones. “It works particularly well for highly collegiate, non-competing organisations such as local and state government and the not-for-profit sector.”
Cooper suggests rotating employees into the internal audit function to work with dedicated specialists for a set period of time. “This could be via a co-sourced model where a consulting firm and knowledgeable staff members work together to deliver the internal audit services,” she says.
Extracting maximum value
Mortell believes that directors need to keep internal audit high on their list of priorities.
“Organisations that extract maximum value from the internal audit function have support at the highest level,” she says. “I challenge boards to lift internal audit above the details. They need to feel confident that the organisation is meeting its strategic objectives and that they have the information they need to make sound decisions.”
It is vital that the internal audit plan reflects the key risks of the organisation, not simply the experience of the internal audit team.
“As risk profiles of organisations change over time so too do the skill sets required,” says Corbett. “These gaps need to be identified and addressed on an ongoing basis. Embedding simple technology and data analysis procedures will boost the process’s efficiency and provide a better view of emerging risks, issues and trends.”
Internal audit may be used to address a business problem or an area known to be inefficient or ineffective. “Internal auditors know and understand the business, the business processes and how to drive improvement,” says Harrison. “They can and should be used as a source of organisational advice – a kind of in-house consultancy which you can call on and deploy at any time on a real-time, tailored basis.”
When smaller organisations outsource or share, they are likely to get more value from qualified internal auditors than an accountant with limited experience. And, on a practical level, it pays to have all of the information to hand and any interviews or consultations booked and confirmed. “This will enable you to make best use of an auditor’s time and should reduce the number of chargeable hours,” says Harrison.
The strength of an internal audit is its objectivity.
“On occasion, senior management can be a source of risk, so it’s essential that the internal auditors have a direct reporting line to the board,” says Harrison. “That will generally be through the chairman of the audit committee.”
Auditors must be able to work collaboratively with management, although there is always a chance that they will lose objectivity if they become too close to management and staff.
“It’s the job of good, professional, qualified internal auditors to maintain their independence,” continues Harrison. “But a good audit committee will acknowledge that risk and have conversations that test their objectivity.”
Why every company needs an internal audit
Crowe Horwath’s Robyn Cooper believes that an internal audit function can benefit every organisation in the following ways:
- It promotes a stronger governance framework by providing comfort to management, the board and other stakeholders that the control environment is effective in reducing key risks.
- It provides management and the board with oversight and advice regarding current and better practices, including the identification of common themes across the organisation.
- It is designed to add value and improve an organisation’s operations by identifying areas of weakness, inefficiency, duplication and waste.
- It promotes oversight by an independent resource supporting more structured, orderly, accurate and up-to-date practices within the business.
- It contributes to the line of defence against fraud.
- It helps to promote a culture of ethics, compliance and risk management throughout the organisation.
- It identifies errors and process weaknesses in time for management to rectify the problems before external audit or other compliance auditors arrive.
Already a member?
Login to view this content