In the U.K., internal auditors are represented by the Chartered Institute of Internal Auditors (an institution that is now 60 years old, was granted a Royal Charter in 2010, and is affiliated with the Global Institute of Internal Auditors).
A committee, chaired by Roger Marshall and including audit committee chairmen, CAEs, and prominent academics (such as my good friend, Professor Andrew Chambers), has published draft recommendations to the UK Institute (C-IIA), Effective Internal Audit in the Financial Services Sector, that are open for comment. Although aimed at financial services, organizations in all industries should take note.
The committee’s recommendations are intended (in their words) to “supplement, rather than replace, the existing standards” for the professional practice of internal auditing from The IIA. However, the recommendations are more than mere explanations — I believe them to be substantial and important.
[Please note that my comments, below, are my own and intended to stimulate discussion.]
The recommendations start with a redefinition of the role and mandate of internal audit.
The primary role of Internal Audit should be to help to protect the assets, reputation, and sustainability of the organisation.
It does this by assessing whether all significant risks are identified and appropriately reported to the Board and Executive Management; assessing whether they are properly controlled; and by challenging Executive Management to improve the effectiveness of governance, risk management, and internal controls. The role of Internal Audit should be articulated in an Internal Audit Charter, which should be publicly available.
Personally, I think the role of internal audit is to provide assurance and consulting services, consistent with the IIA’s 1999 definition of internal auditing. Those assurance and consulting services enable management and the board to “protect the assets, reputation, and sustainability of the organisation.” Only management and the board can make the necessary decisions and take the actions required. However, I can see that by providing independent and objective evaluations of “risk management, control, and governance processes,” internal audit is “helping.”
But, I like the tone and wording of the second paragraph, especially the use of the word “challenging.” It takes internal audit from the passive role of “here is my assessment, do what you will” to the more assertive “here is my assessment, now it is time for you to act.”
I don’t agree with the detail of the second recommendation. While I agree with the headline, that internal audit’s scope should be unrestricted, internal audit should assess management’s process for risk identification and assessment — and neither impose its own judgment nor duplicate management’s assessment when management’s process has been assessed as effective. In other words, the language in the recommendation that “Internal Audit should independently determine the key risks that face the organisation, including emerging and systemic risks” should only apply in the absence of an effective management process. This is explained in the "interpretation" to IIA Standard 2010: “The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board.”
The recommendations go on to specify that a number of key areas should be included within internal audit’s scope. These include the important areas of “governance structures and processes,” “strategic and management information presented to the Board,” and “the risk and control culture of the organization.” Unfortunately, the committee has been bitten by the "risk appetite" bug, which is (in my opinion) insufficient to establish the desired levels of all types of risk, including safety, compliance, reputation, and efficiency as well as financial risks.
I like the description of risk assessment:
Internal Audit’s risk assessment should be all-encompassing, taking into account business strategy and objectives and the full range of risks that have an impact on the organisation; combine a bottom up and top down assessment of risk; and take into account potential future or emerging risks on a continuous basis.
I also like two aspects of the recommendations around reporting:
Internal Audit should be present at, and issue reports to, both the Board Audit Committee and the Board Risk Committee and any other Board Committees as appropriate.
Internal Audit’s reporting to the Audit and Risk Committees should include at least annually an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.
The recommendations regarding the authority and organizational positioning of the chief audit executive (CAE) within the organization may be more easily achieved in financial services than in companies in other industries. However, I do agree that the ideal is that the CAE is at Executive Committee level or equivalent and has the right to attend such meetings.
One recommendation that has caught the eye of reporters is that the CAE should report to the Chairman of the Board, who may delegate that responsibility to the Chairman of the Audit Committee. If there is a need for an administrative, or secondary reporting line, it should be to the CEO.
As this is a draft and open for comments, please share your comments on the draft either here or directly with the U.K. Institute.