Top six characteristics of a great Internal Auditor


In our final blog about independent assurance we discuss what makes an effective internal auditor. Operational Risk Software can be key to supporting this discipline.

Taken from: Mastering Risk Management 

Given its key role in relation to internal audit, what are the qualities an audit committee chair might look for in a new head of internal audit? Given internal audit’s position in the no man’s land between the business and the non-executive directors, it’s a role which requires both diplomacy and courage. It also finds itself in between many stakeholders: the external auditors, suppliers, customers, regulators, local and national governments and, importantly, internal stakeholders, whether they are committees, from the board down, to all layers of management and the staff. To be effective, it must co-operate with other functions to make sure there are no overlaps or underlaps in risk assessments throughout the organisation.

In an article in Internal Auditing, its editor, Neil Baker, suggested what the person specification would have at the top of the list:

  • Integrity – the highest moral and ethical standards
  • Challenge – at every level
  • Tenacity – ‘stick to your guns’ and stay focused
  • Pragmatism – an open mind and a corporate mind
  • Independence – strength of character and resilience
  • Good communicator and ambassador

Those qualities should, of course, apply equally to the members of the audit team as well as its head, and are probably also valid when appointing a new CRO. 

There is an obvious need to be independent and to challenge and, if necessary, keep on challenging. Inevitably, the job involves difficult and contentious issues. Handling them with candour and frankness will generate confidence in the function. 

Communication is two-way. It is as important for internal audit to communicate its views effectively, as it is for the business to report to audit its concerns and problems and not wait, in a destructive game, for audit to discover them. 

Internal auditing is about continuous improvement, as is suggested in the IIA definition, not merely checking that controls are working. To achieve improvement you have to be a politician and understand both the culture of the organisation and the art of the possible. You need to understand how to gain acceptance for your recommendations – and not rely on some ill-defined threat of whistle-blowing. 

A key role of the head of internal audit is to build an effective audit team. Ideally, it will come from a diverse talent pool of relatively senior and experienced people. Often, though, that is not possible. Where individuals lack experience, they should be able to make up part of the deficiency through common sense and pragmatism. One of the problems for any audit team is that the people they rely on for information are also the people they are evaluating. They need the skill to ask the right questions and to develop a ‘nose’ for assessing the answers. Without those skills, the role becomes one of inquisitor rather than constructive critic. 

Summary

We have previously mentioned that the speed (fast or slow) of response to audit queries is a good indicator of the quality of risk management in a firm and of its risk culture. This can also be an indicator of the level of respect for the internal audit function, and even of the quality of queries being raised. If it works well, internal audit will gain credibility and respect from the business, who will therefore listen and seek advice from the function, such as when a new project is being considered. 

Much of the job is about building awareness of the value which internal audit can bring. The obvious way from a risk perspective is in providing the board and management with objective assurance that the risk governance and risk management processes are being operated appropriately and that the internal control framework is operating effectively. 

But internal audit can demonstrate its value in an active as well as a passive way. We have referred to internal audit as being a catalyst for continuous improvement within the firm. In addition, people need to be made aware of what it does and how it can help.

Two of the best ways for people to see the benefits of the function are: 

  • To second staff to it and 
  • To make sure that a term in internal audit is seen as a value-adding career move which is remunerated appropriately.

Secondments are particularly useful because, when they end, the secondee will go back into the mainstream operations. That way, the organisation’s knowledge of audit is constantly refreshed and the quality of risk management and internal controls will be continuously improved. That is an excellent way for a good internal audit function to add real value. 

That’s it on the topic of Independent Assurance.  Our next series of blogs will be all about People Risk Management. 

 Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com
