Internal audit for CIPS

Many medium and large organizations have an internal audit function. This is a requirement for companies listed on the Luxembourg Stock Exchange and for banks and other financial institutions with major fiduciary responsibilities. Other companies have an internal audit function as it is considered to be a valuable element of management control which provides assurance to the audit committee and adds to the organization’s credibility with investors and creditors.

Management is responsible for establishing and maintaining a system of internal financial controls and, in some cases, may be required by regulators to provide written certification of the adequacy of such controls. Legal and regulatory requirements are changing fast and companies must make sure they are aware of the latest rules.

In smaller organizations, managers are usually close enough to daily operations that they can effectively supervise and monitor the activities of their staff. When the volume and/or complexity of transactions becomes too great, management may need to add people whose primary role is to check the work of others and thereby strengthen internal control.

Organizations that do not have an internal audit function should give strong consideration to establishing one if their size and type of business, source of capital, and risk factors warrant it. The potential benefits of the internal audit function should be assessed and compared against the estimated costs.

Internal auditing is a valuable resource for management and the audit committee because of its objectivity, auditing skills, and in-depth knowledge of the organization. Internal audit does not perform the internal controls since this is a line management responsibility, but their role does provide another level of assurance to management and the audit committee that controls are effective. Historically, the emphasis was on compliance with company policy and the deterrence, prevention, and detection of fraud and errors—which are still important elements of the internal audit function.

Over time, many internal audit functions have addressed broader aspects of control and provide services in other areas, including:

• Reviewing controls over major projects and new systems to help anticipate problems. This can enable timely corrective action and allows for controls to be “built in” rather than retro-fitted after being detected by a subsequent audit or system failure;
• Conducting audits of the efficiency and effectiveness of operations;
• Assessing the risks related to reputation, customer service, the environment, privacy, etc.;
• Providing consultation and advisory services on enterprise risk management and control;
• Participating in the investigation of fraud.

The role of the internal audit should be formally defined in a written charter, approved by the audit committee, with annually reviewed activities outlined in an audit plan.

Internal auditors need a mandate that provides the authority they need within a structure that supports their independence and objectivity. This can best be achieved through a written charter that is aligned with an approved mandate, compatible with best current practices, and needs of the audit committee. Any restrictions by management should be disclosed to, and approved by, the audit committee.

Internal audit should not have any operational accountability or perform functions that would be subject to subsequent internal audit review. The internal audit charter is reviewed and updated regularly and includes:

• Role and responsibilities of the internal audit function;
• Functional reporting relationship to the audit committee;
• Administrative reporting relationship;
• Access to corporate employees, facilities, and records (including those of contractors);
• Any restrictions of the scope or authority of internal audit;
• Requirement that managers cooperate with internal audit and respond to reports;
• Code of ethics;
• Internal audit standards;
• Relationship with external auditors;
• Distribution of audit reports and summaries;
• Follow up of recommendations;
• Specific mention of areas such as fraud, technology, safety, environment, etc. as may be required for clarification;
• The right of the chief audit executive to attend audit committee meetings.

Internal auditing activities can be conducted by:

• In-house resources: The organization may assign responsibility for audit activities to a corporate internal audit department or include some audit activities in the responsibilities of line functions (for risks such as safety, environment, etc.). The internal audit department may include staff from other departments as part of the audit team.
• Outsourcing: The organization may fully outsource the internal audit by engaging an external firm to perform the entire function and who will then report to a designated executive.
• A combination of the above: The organization may outsource specific activities or projects to specialist firms or include one or more outside experts with internal audit staff on a project team.

The internal audit function is a major source of information and assurance to the audit committee on internal financial controls and other risk management activities. For this reason, most internal audit functions have a functional reporting relationship to the audit committee which is defined in the charter of internal audit and the audit committee. A key element of this relationship is a direct channel of communication between the chief audit executive and the audit committee. This typically includes provisions for the chief audit executive to have access to the chair of the audit committee and attend audit committee meetings to present the plan for approval and to report findings.

The CFO and chief audit executive are usually present at all audit committee meetings. Much of the work performed by the committee relates to the roles of these individuals and one or the other may take a role in supporting the committee’s planning activities. There is generally no requirement for the CEO to be present at such meetings, but in many cases he or she may attend for information purposes.

Chief audit executives do not generally attend Board meetings. At least annually, the chair of the audit committee should report to the Board, referencing internal audit’s effectiveness, capabilities, the results of its work, and any concerns.

An annual plan is the key element of the internal audit function and its ability to meet the needs and expectations of the audit committee, external auditors, and senior management. An audit plan is prepared based on a comprehensive review and analysis of the organization’s business activities and associated risks. Where an enterprise risk management process is already in place, this will provide a critical basis for developing a plan aligned with corporate priorities. It includes all projected internal audits and other activities, including reviews of the development of new systems and critical business projects. The audit plan includes the budget and staff resources required to accomplish its goals but allows flexibility to respond to unforeseen issues and events during the year. A regular review and update is essential to consider any changes.

The prevention, deterrence, and detection of fraud are the responsibility of management. The usual role of internal auditors is to develop audit programs and procedures to evaluate the internal controls that management has established in order to manage the risk of fraud. In practice, auditing sometimes deters employees from committing fraud and occasionally detects a fraud, but these are not usually the major objectives of auditors.

The term “fraud” covers a number of activities, some of which could be:

• Property fraud: The theft or misuse of assets and, sometimes, the related information;
• Financial reporting fraud: The manipulation of information to mislead or deceive stakeholders.

Internal audit may participate in the investigation of fraud and provide forensic accounting services—provided that it is cost-effective to do so. The skills to investigate fraud may be within the internal audit function, or in a separate security department.

It is critical that the internal audit staff have the diverse set of skills, industry knowledge, and experience (supplemented where necessary by external resources) to provide the control assurance and related advice that the audit committee requires.

Consideration should be given to using the expertise of other corporate staff, engaging outside experts, or outsourcing where the necessary skills do not reside within internal audit.

Internal audit periodically reports to the audit committee on its staff capabilities, including academic and professional qualifications and years of audit, industry, and organizational experience.

Audit reports and findings are in writing and include the scope and objectives of the audit, the findings, and recommendations for improving control. These reports:

• Are action-oriented and include comments and proposals for corrective action from the management of the audited business unit;
• Are balanced, reporting the positive risk and control practices as well as the weaknesses observed;
• Identify the best practices observed throughout the organization;
• Rate recommendations as high, medium, or low in order to assist management in assigning priority to the issues raised.

The chief audit executive provides summaries of audit reports to senior management and the audit committee. The level of detail depends on the size of the organization, but is sufficient to allow the audit committee to understand the types and frequency of control issues that internal audit raises and how management is responding to them.

Good internal audit functions have processes for assessing their own effectiveness. They use the results, together with feedback from the stakeholders, to monitor trends over time and achieve continuous improvement in their practices and performance. Examples of measurement techniques include customer satisfaction surveys, post audit debriefing, and internal quality assurance reviews.