The internal audit function for boards continues to grow in importance as rising regulatory risk increases pressure on directors to dig even deeper into internal controls.
A junior employee in the accounts department knows the company is struggling to pay its bills but how long will it take for that information to reach the board?
In some cases – if the executive decides to buy some time, for example – it could be months.
“Being dependent on the information someone else chooses to provide introduces a lot of personal risk for directors,” says Carl Dumbrell MAICD, partner at accounting and business advisory firm DFK ANZ. “I would never consider a seat on the board of an ASX-listed company that did not have an independent and effective internal audit process in place.”
Internal audit acts as the eyes and ears of the board, validating the information it receives and ensuring that the right checks and balances are in place. It also helps to communicate to the market, stakeholders and potential investors that a company is well-governed.“A lot of companies outside the S&P/ASX 300 struggle to raise money for the simple reason that they lack internal governance,” says Dumbrell.
Peter Jones, chief executive officer at the Institute of Internal Auditors – Australia, describes a good internal audit process as a “no brainer” for companies thinking about listing, particularly if they are aspiring to blue chip status.
“Internal audit can also help organisations to manage strategic risk and risk culture,” he says. “This is crucial within financial institutions; the Australian Prudential Regulation Authority (APRA) insists that boards understand the appetite for risk at all levels of the organisation.”
The need for independence
Internal audit has traditionally been an in-house function and remains so in many large organisations. However, as independence is internal audit’s greatest strength, it can only be effective if it is structurally independent and immune to coercion by management.
“When you’re working within an organisation there’s a chance of forming relationships that could compromise your impartiality,” says Robin Rajadhyaksha, partner, risk consulting at accounting and consulting firm Crowe Horwath. “It is vital that there is a direct connection between internal audit and the board, which is why most companies have their head of internal audit report directly to the chairman of the audit and risk committee.”
Many smaller companies appoint an external team but, again, the board must be able to trust its independence. “If the same company sends in the same people year after year they could start to build the friendships an external team has the potential to avoid,” says Dumbrell. “I feel strongly that there is a need for rotation in both the internal and external audit processes and for more transparency in this area.”
The latest version of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations requires companies to disclose whether they have an internal audit function, how it is structured and the role it performs. Companies with no internal audit function must explain how they evaluate and improve the effectiveness of their risk management and internal control processes. But is this enough to satisfy the market – and to protect the board?
“The problem with this approach is that it assumes that management has the time, discipline, independence and motivation to deal with this matter fully, objectively and frankly,” says Jones. “In our view, there is no credible alternative to an internal audit function.” Once again it is a matter of independence. “A company might claim it doesn’t need internal audit because it has a chief financial officer, accounting controls and a compliance department, but these are not independent of management,” says Rodney Clarke, consultant at DFK ANZ.
“The board needs the assurance of an independent view. If fraud is exposed in a company without internal audit, or the company gets into financial trouble, the investor community will be very critical of directors who allowed it to be explained away,” Clarke says.
The vast majority of ASX 200 companies have mature internal audit functions and processes in place but the ASX revisions underline the importance of internal audit in organisations of all types and sizes.
“Internal audit is not just for the big end of town, it is essential for any institution that manages other people’s money,” says Jones. “Most of our government entities are required to have an internal audit function and the rest generally do so as a matter of good practice. Internal audit is also becoming the norm across the not-for-profit sector, particularly among well-known charities with large commercial activities.”
Directors of small companies have the same responsibilities as directors of large organisations but might be less focused on managing internal risk. “Smaller companies, and particularly high-growth organisations, are often led by entrepreneurs who are naturally willing to accept a relatively high level of risk, so internal audit may not be on their radar,” says Rajadhyaksha.
Cost is also bound to be a concern. “No company welcomes a new expense but you only have to look at the very small government agencies with internal audit to see how much can be gained with even a limited budget,” says Todd Davies MAICD, founder of internal audit, risk and assurance firm Todd Davies & Associates and chairman of Resilient Futures.
“These days, providers offer a range of options which can be sliced and diced into the most cost-effective approach for your organisation. Having someone to help you get this absolutely right can make the difference between a mundane process and one which provides invaluable insights.”
Value for the board
Effective internal audit gives directors the confidence to delegate to management and the security of knowing their decisions are based on fact.
“A rolling internal audit program that regularly touches on matters of reasonable concern for the board also allow directors to spend less time on due diligence and more time creating value,” says Jones. “Internal audit constantly evolves to meet expectations, so they should hire the best team they can and set the bar high.”
Davies agrees that boards need to look beyond the traditional functions of internal audit. “Directors should think carefully about their own specific needs and what hypotheses they want clarified and then expect their internal audit team to step up to the challenge,” he says.
Historically, internal audit has moved in, checked that systems and processes are working effectively, given a view and walked away. Now it is often asked to play a more proactive role. “Companies are being driven to innovate and keep on reinventing themselves so they are operating in a much more complex environment,” says Rajadhyaksha. “They want a perspective from internal audit when they’re making decisions or embarking on a project or a transaction. In order to remain relevant, internal audit needs to understand the new challenges and the risks that go with them.”
He believes that the most important thing for directors, and particularly the chair of the audit and risk committee, is the quality of the conversation between the board, management and internal audit. “The more open and frank the discussion the better consideration there will be of governance arrangements and risk, and the more likely it is that important issues and new ideas will rise to the surface,” he says.
He recommends that internal audit is present at every audit and risk committee meeting. “I always request that and it is the case with nearly every client I work with,” he continues. “I believe I need to be at the table whether or not I am reporting on a particular piece of work. This enables me to gain an understanding of what is happening more broadly in the organisation and what is in the minds of members of the audit and risk committee and the executive so that I can give relevant advice.
“But an increased level of engagement does bring the challenge of how to maintain the delicate balance between providing advice and remaining independent and objective,” he adds.
Where is internal audit heading?
Rodney Clarke: We have already seen a number of corporate collapses where there were clear weaknesses in internal control. As the Australian economy heads into a number of head winds we expect companies to pay a lot more attention to internal audit in order to protect shareholder value and provide support for the board.
Carl Dumbrell: The use of internal auditors with IT experience will continue to increase as many controls are now embedded in IT systems.
Robin Rajadhyaksha: In the past, internal audit was largely a matter of junior staff performing checks at a granular level. Increasingly, boards and management expect to engage with senior people who are prepared to be part of the review process, give advice and provide access to specialist capability where it is needed.
Peter Jones: For mature internal audit functions the areas of greatest focus in recent years have been using data analytics to gain far wider coverage and new insights, and the use of assurance mapping to bring together the previously disparate work of various assurance providers into an integrated whole.
Todd Davies: There was a time when the lines were blurred between risk management and internal audit. These days internal audit is focusing on coaching, strengthening and pushing risk management responsibility back into the organisation and confirming that this is working well.
Internal audit and fraud
The Australian Institute of Criminology reports that corporate fraud costs Australia some $8.5 billion a year and that the incidence is on the rise. Fraud can undermine the performance of an organisation and damage the reputation of both the company and its directors, and it is up to the board to satisfy itself that internal audit is managing the risk in an effective way. Geoff Peck, managing director, forensic accounting and advisory at FTI Consulting, suggests that directors need the answers to five key questions.
1. Does the internal audit team have appropriate experience? People who perpetrate fraud have often had years of practice. Internal audit should include specialists with the expertise to spot red flags when they are examining transactions or staff behaviour.
2. Does the team undertake fraud-specific controls testing? An accompanied “walk-through” of higher risk activities by the internal audit team can detect weaknesses in fraud control that sample testing of transactions and reviews of data may not. For example, sitting with an accounts payable clerk as he or she works can uncover opportunities for fraud.
3. Does the team have the appropriate level of maturity? Directors should be mindful of any limitations. For example, they might need to engage external help to assess strategic risks associated with a new venture or objective, or to review the control environment of a particular line of business.
4. Does the team have a post-event review plan? If a fraud event is detected, internal audit should conduct a review to search out any weaknesses in control that may have contributed to the incident.
5. Does internal audit communicate directly to the audit and risk committee? It is imperative that bad news is escalated quickly and without interference from management.
Already a member?
Login to view this content