The role of the internal audit
February 2016 | FEATURE | BOARDROOM INTELLIGENCE
Financier Worldwide Magazine
In an increasingly connected and complex business environment, the internal audit is becoming one of the most important means of establishing and delivering value. Though it may not be the most glamorous corporate function, without it, many organisations would fall foul of their numerous regulatory and compliance obligations. Indeed, internal audit plays an integral role in helping companies to establish and maintain solid cultures of compliance up and down the corporate structure.
Given the increasing focus on achieving regulatory compliance that companies, particularly those in the financial services sector, face today, the importance of internal audit cannot be overstated. The process can and should act as the launching pad for overhauling and improving an organisation’s governance, risk management and management controls. Failure to conduct effective internal auditing can expose firms to a number of risks and potential sanctions.
In recent years, scandal after scandal has eroded public confidence in the financial services sector. Since the onset of the financial crisis, there have been calls for a rethink of the values and culture of firms operating within the space. Attempts to regulate the financial services sector in this regard are increasingly stringent as regulators apply sanctions to firms and individual actors for non-compliance. Given the number and scope of recent cyber security breaches, and the burgeoning threat of global terrorism, regulators are looking at sanctions within the financial services sector with renewed vigour.
As companies look to rebuild trust in their operations, one of the most powerful and important weapons in their arsenal is the internal audit.
Primarily, the role of the internal audit is to offer an independent, objective assurance and consulting process which helps to add value to, as well as improve, an organisation’s operations. In order to do so, the internal audit department should provide the company’s management team with vital information, as well as appraisals, recommendations and counsel regarding the activities they have observed, and any other issues which may have arisen.
This function is a vital tool for companies, as Andrew Cox, manager of quality services for the Institute of Internal Auditors in Australia explains. “The internal audit is a cornerstone of good corporate governance in companies and can play an important role in improving both financial and non-financial management and accountability,” he says. “As shown in the ‘three lines of defence’ model, internal audit is a key component in an organisation’s assurance structure. While all assurance mechanisms are important, coordination of various assurance activities will provide a more holistic assurance environment in which internal audit features prominently. Internal audit can be a pivotal activity to provide assurance to the board of directors, audit committee, CEOs, senior executives and stakeholders about the governance of a company.”
Given that it is the board of director’s responsibility to define an organisation’s appetite for risk, and it is the role of senior management to take ownership and responsibility for operating risk management and control, an organisation’s management should control the company’s overall approach to risk. To ensure the effectiveness of the organisation’s risk management framework, many organisations rely on the three lines of defence model. The first line of defence sees operational management take responsibility for assessing, controlling and mitigating risk. The second line is broken down into activities managed by different internal departments. These departments are able to manage the implementation of robust risk management techniques across the breadth of the organisation. The third line predominantly revolves around the role of the internal audit. The auditing process provides quality assurance to the company’s board of directors and c-suite. This helps to determine the effectiveness of the company’s first two lines of defence, and how the organisation identifies, responds and communicates risk based information.
This process is integral to the success of a modern financial services firm, particularly given the interconnected nature of the global economy. With competition almost as big a challenge to companies as risk management, organisations must get their houses in order. “The key to an organisation’s success is to manage risks effectively – more effectively than competitors and as effectively as stakeholders demand,” says Chris Baker, a technical manager at the Institute of Internal Auditors. “By providing an independent and objective perspective on how the organisation operates and how it manages risk, internal audit can challenge current practice, champion best practice and be a catalyst for improvement. This ability to stand back from day to day activities and view them with an unbiased attitude enables internal audit to consider whether things are working in the way they should be and if not, why not. The wider knowledge and understanding of the organisation also enables internal audit to identify and understand how issues are connected and the overall impact these will have on strategic objectives. With a remit to test critical controls, discuss, analyse and assess performance with line managers internal audit can provide a unique assessment of strengths, weaknesses and vulnerabilities to senior managers and the audit committee.”
In light of the importance placed on internal audit, it is imperative that companies and audit teams track developments in the regulatory space. Though this can be an arduous task given the regulatory compliance obligations faced by financial services firms today, organisations must keep themselves abreast of all developments. Indeed, the diverse nature of regulations means companies must take frequent action. “For internal audit to perform regulatory reviews we need to understand the regulatory environment in which the organisation operates. We need to know the full extent of regulation and the impacts of non-compliance in order to provide a credible opinion that the board can rely on. This places a heavy burden on internal audit departments to keep up to date with regulatory requirements, but it is worth the effort in order to provide the answers that the board needs,” says Aidan Allcock, head of internal audit at Equitable Life Assurance Society.
The financial crisis, though its influence is fading in many respects as we move into the second half of the decade, has clearly had a transformative effect on risk management and the role of internal audit. “The financial crisis has undoubtedly raised the profile of internal audit, not just in financial services but across industry and all parts of the public sector. This has raised the expectations of internal audit’s stakeholders and placed pressure upon internal auditors to be more involved in the things that matter to the organisation, including key risks, major changes and developments,” notes Mr Baker.
Arguably, the internal audit process is more important today than it ever has been. “Internal audit has more knowledge of and influence over an organisation’s strategy and operations than ever before,” says Mr Allcock. “We have a seat at the table and a scope of internal audit activity that is unrestricted. Organisations want flexibility and adaptability from internal audit, to be able to react quickly to changing needs and not be anchored to a static audit cycle. The most effective way to provide this is through applying a range of models for the delivery of internal audit services. Sometimes the most effective way is to deploy an ‘in-house’ team, for knowledge of an organisation’s risks and controls and for cost effectiveness. Other times the best approach is to buy-in third party internal audit services. This approach is effective where specialist skills or a larger resource pool is needed at short notice. Having the flexibility and authority to apply the internal audit budget to either model, or a hybrid of the two is vital to providing effective internal audit services in the future,” he adds. Determining the best method of conducting an internal audit is an important decision and is one which should be taken by an experienced and knowledgeable internal audit team.
The audit committee can play an integral role in helping to establish a company’s defences against risk. Internal audit teams, in the wake of their investigations, should report their findings through the appropriate governance body, be it an audit committee or a board risk committee. “Audit committees are a cornerstone of good governance,” says Mr Baker. “They are responsible for providing oversight of risk management, internal control, compliance, ethics, financial statements, internal audit and external audit. In many cases this includes preparing an annual statement upon the effectiveness of governance, risk management and control. As the eyes and ears of the audit committee internal audit is able to provide objective opinions, information and support.”
The most effective audit committees are aware of their wider responsibilities within an organisation. They enable companies to improve their internal controls, improve their financial management, help to make the internal auditing process more cost effective and clarify the roles and responsibilities of the company’s board of directors. “A supportive audit committee is vital”, agrees Mr Allcock. “Internal audit needs to remain independent from senior management to be the effective and credible voice that financial services organisations need. It is through the head of internal audit maintaining a strong relationship with the audit committee, and reporting to the chair of the committee that its independence is maintained. The audit committee needs to monitor and confirm that internal audit has adequate resources, skills and influence to perform its role. That’s the key.”
Good corporate governance in a modern financial institution relies predominantly on communication and understanding between different elements of an organisation. From the boardroom down to regular employees, communication of risk management culture is required.
It is the responsibility of internal auditors to give the company’s management what they really require out of the auditing process. It is not enough for auditors to simply illuminate deficiencies in the company’s risk management structures and policies. The internal audit team should provide sensible, workable, value generating solutions. “Many internal auditors believe their job is to tell management what is wrong without delivering insightful commentary on how issues could be addressed; more enlightened internal auditors have worked out what management is really seeking,” says Mr Cox. “It is not difficult to take a compliance or financial audit and turn it into an operational audit. The aim of operational auditing is to find out whether business operations are being managed in an efficient, effective, economic and ethical manner and where improvements can be made. This is where internal audit can really deliver value. Internal audit should focus on becoming a value-adding business partner to senior management. This can be achieved by a broader range of internal audit services such as operational auditing, project assurance, on-demand work in response to management requests, and so on.”
Historically, the internal audit has focused primarily on just financial and compliance areas. However, more and more organisations are beginning to see the strategic and operational benefits of utilising internal auditing from an enterprise risk focus. Ensuring that internal audit teams have the right resources and that they are utilising those resources effectively can help companies to increase value. This is particularly pertinent as financial organisations are facing challenges from established as well as emerging threats. Compliance with ever increasing financial regulations obviously remains a core focus for internal audit teams, however increases in social media usage as well as the recent explosion in cyber crime, developments in the technological space and regular tax reviews, are posing more issues for internal auditors and compliance professionals to address.
As internal audit encapsulates a variety of business areas, boards, senior executives and auditors are becoming increasingly aware of how companies can leverage risk management and help utilise it to deliver value. Internal audit can be a strategic business adviser, but it is up to companies to find the right balance.
© Financier Worldwide