In the fifth in our series of blogs about independent assurance, Tony and John outline the role of Internal Audit: its scope, its priorities and how it is likely to be resourced. Operational Risk Software can be key to supporting this discipline.
Taken from: Mastering Risk Management
Policy and Scope
Internal audit should operate within a clear policy statement, or charter, approved by the firm’s board and management, which outlines:
- Its objectives and the scope of the internal audit function
- Its status and position within the firm, including its relationship to the business lines and oversight functions
- Its competences, tasks and responsibilities
Its scope should be unrestricted and its responsibilities wide. According to the Chartered Institute of Internal Auditors (IIA),
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’
As a minimum, it should include within its scope the processes relevant to the following:
- Internal governance
- The information presented to the board and executive management for strategic and operational decision making
- Setting of, and adherence to, risk appetite
- The risk and control culture of the organisation
- Risks of poor customer treatment, giving rise to conduct or reputational risk
- Capital and liquidity risks
- Key corporate events
In many cases the internal audit function is responsible to the audit committee. That body is certainly responsible for financial reporting and for the processes relating to the company’s financial risks and internal control. But who is concerned with non-financial risks? It is important to be clear about internal audit’s responsibility for assurance over non-financial risks, such as whistleblowing and exposure to fraud, almost all of which require some degree of internal audit assurance. Another responsibility to be considered is remuneration policy (including the information on which remuneration may be based), which usually resides with the remuneration committee. The important thing is to be clear about what internal audit covers and how it fits within the firm’s governance.
To add to the mix, internal audit has an outward-looking role. First, it should protect and safeguard the reputation of the firm by providing assurance that ethical and other guidelines or codes are adhered to. Second, it should be able, and encouraged, to take a broader view of the firm and its environment and not be bogged down in the detail of process, important though that is. The board needs to be clear exactly what it wants from internal audit, but it should also ensure that internal audit’s agenda is shaped by the needs of the business and not by internal audit’s capabilities.
Planning and priorities
Having established its role, the head of internal audit can work with the board to develop and deliver the audit plan. In doing that, the head of internal audit should also listen to management on what is most important for them in the following year. Having said that, the plan must be flexible and adjust to changing business and risk conditions. Any organisation’s objectives evolve as the external environment changes.
The plan should be risk-based. The risk register and its control assessment should be one of the main inputs to the audit plan. Internal audit can provide assurance that the controls which management has put in place are effective.
There will be an audit cycle, so that some departments or processes are audited every year, while others may be audited only once every three years. However, the cycle cannot be rigid. It will be influenced by events such as the arrival of a new unit head or the launch of a new business process or product. The fundamental approach should be to go back to the risk and control self-assessment and identify those risks for which management considers controls to have had the greatest effect. Since the risk and control self-assessment will also encompass strategic risks, internal audit’s plan should give equal weight to both the board’s and management’s risk assessments. The priorities of the board and internal audit should be aligned.
Status and resourcing
Audit, the third line of defence, is a critical part of a firm’s risk management framework, which should be accepted and recognised as such by everybody in the firm. That is achieved partly by the attitude of the board and partly by the behaviour of the internal auditors.
The head of internal audit should be at a senior enough level within the organisation (normally expected to be at executive committee level or equivalent) to give them the appropriate standing, access and authority to challenge the executive.
Internal audit must be free to obtain all the information it needs, when it needs it, and must not find itself obstructed or ignored in any way. Obstruction will be less likely if internal audit reports unequivocally to the chair of the audit committee or the senior non-executive director. If it does not, that may reflect its status within the organisation.
The board, or its audit committee, must also ensure that audit has the skills and experience, including technical subject matter expertise, commensurate with the scale of the operations and risks of the organisation. This may entail training, recruitment and secondment from other parts of the organisation or from external sources when appropriate.
Seconding specialists in, for example, data and technology from the first or second line into internal audit for a period can often act as a powerful catalyst for third line capability. So too can co-sourcing with external parties, in particular subject matter experts in specialised areas such as cloud computing and cyber security.
Finally, a word about remuneration. The chair of the audit committee should be responsible for recommending the remuneration of the head of internal audit to the remuneration committee. As with those in an oversight role, remuneration should not present the possibility of a conflict or impair their independence and objectivity, and should not be directly or exclusively linked to the short-term performance of the organisation. Those in the second and third lines of defence (oversight and independent assurance) should be remunerated on the basis of achieving their own objectives, rather than having their remuneration based on the firm’s performance.
In our next blog Tony and John discuss how internal audit should handle reporting to the board and management.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk software can help your organisation, contact us today on firstname.lastname@example.org