Internal audit is supposed to be an invaluable ally for the audit committee. That doesn’t mean the audit committee shouldn’t try to evaluate the contributions of the function, anyway.
If internal audit doesn’t deliver value, nobody benefits. Risks can go undetected or unaddressed. Operations executives can grow exasperated with what they perceive as nit-picky auditors intruding into their domains. Above all, corporate boards could have an incomplete picture of the organization’s risks.
So when I saw The IIA’s new Internal Audit Assessment Tool for Audit Committees, I was intrigued. How have audit committees been faring at assessing the effectiveness of internal audit?
“How it’s done can vary,” says Ginger Jones, audit committee chair at global chemical company Tronox Corp. “It can be more informal than formal.” At Tronox, for example, the audit committee’s charter requires it to review internal audit annually, but doesn’t require it to use any specific tool for the task. So Jones has her own set of questions to consider, such as: How does internal audit handle tasks related to compliance with the U.S. Sarbanes-Oxley Act of 2002? How do business units view internal audit? How does internal audit develop its talent pipeline?
That’s a sensible approach. The question is whether the rest of the corporate governance world can implement an evaluation process with sufficient scope and rigor for the challenges organizations face.
Understand Your Needs
Internal audit exists to help the audit committee ensure risk management is effective. Thus, the audit committee first needs to ask: What do we want internal audit to do for us? Where is our assurance ability a bit weak?
COVID-19 reminded boards they need a lot of help with risk management, especially with understanding how emergent risks can turn traditional risks, such as security, fraud, and supply chain, upside down.
“The lack of a structured work environment can increase the risk of fraud and corruption among staff and suppliers,” says Nocwaka Oliphant, audit committee chair at the South African Council for the Architectural Profession. “A sharp internal audit function would be expected to increase its fraud identification processes in conducting its work.”
Fraud isn’t the only ground shifting underneath the board’s feet. Oliphant can rattle off a list: public health and safety, business continuity, climate change, and more. Auditors should be able to assist with those assurance challenges. But how does the audit committee know internal audit is ready?
That brings us back to The IIA’s assessment tool. The document is split into six sections, with topics such as evaluating the quality of internal audit services, assessing communication with the audit team, and gauging its independence and objectivity. Within each topic are several questions an audit committee could ask.
“A lot of audit committees don’t truly understand what the full role of internal audit can be,” says Anne Mercer, IIA director of professional practices. “Chief audit executives can use the tool to have these conversations. It’s a way to open the door.”
Assessment in Practice
The assessment tool is meant to help audit committees forge closer ties with internal audit. Indeed, this tool is modeled after another one the Center for Audit Quality developed in the 2010s to help audit committees evaluate their external auditor. “We look at our tool as a companion to that,” Mercer says.
That said, an assessment doesn’t need to follow a fixed, formal approach. “Pick the parts that are important to you,” Mercer says. “You don’t need to assess all aspects every time.”
For example, consider how your organization embraces technology. If your business is a fast-growing startup that experiments with a lot of new technologies, you’ll need an audit function comfortable with analyzing new technology, and also embracing it for its own operations. An established multinational, on the other hand, might need auditors skilled at assessing regulatory compliance, assisting with large projects like a merger, or studying megatrends like climate change.
The assessment, itself, can involve asking senior executives how they view internal audit, as well as chats with managers in first-line roles. Do they ever invite internal audit to help them with projects? (A good sign.)
The audit committee also should consult with the rest of the board. What risks do they see as the organization’s foremost challenges? Does internal audit have the leadership, expertise, and resources to help with those matters?
“When I see high-functioning internal audit teams, they’re hiring great people, developing them, and then moving them into the business,” Jones says. That’s also a sign that internal audit has won over the business units. It’s the sort of cooperation that can put an audit committee’s mind at ease.
And there’s a lot of value in that.