Internal audit – two words virtually guaranteed to leave you cold. But internal audit has come of age. The best functions now provide real value to the board and the audit committee. The question is, are you getting the best possible value from your internal audit function?
Not long ago, it wasn’t unusual for internal auditors to be viewed with trepidation across their organisation. The blurring of distinction between internal and external audit – both focused on financial control and returning to ask the same questions year after year – did little to change that perception.
But times have changed. Internal auditors are no longer stuck in the financial compliance box, having worked hard to provide value by evolving into a more business-orientated role.
A renewed focus on the whole business and an increasingly risk-based approach to their job means the internal auditor’s profile has never been higher. Some would argue they are now finally getting the recognition they deserve.
But as Spiderman once said: ‘With great power comes great responsibility’. For internal auditors, the flipside to this increase in responsibility is greater accountability and the need for greater transparency. Internal auditors face challenging times and will be in the spotlight more than ever.
So, what value does internal audit provide to an organisation? In a nutshell, it’s about doing basic assurance work. The board of any organisation requires confidence and assurance that the risk management practices of the company are sound, and that key risks are being managed to an acceptable level. There must also be effective and efficient internal controls in place and mechanisms to help meet its business objectives.
To obtain this assurance, boards and audit committees need to determine the area they want assurance on and who is best placed to provide it. They can do this by using an assurance map. But risk assurance spans many aspects of the organisation and it is important to understand that internal auditors are not the only assurance providers.
The primary source for this assurance should be line management. How do you assure yourself that the risks within your part of the organisation are being managed effectively? It is vital that every line manager understands the risk that they are responsible for managing, and monitors and tests the controls that are in place to manage those risks.
But it’s also true that boards want a second opinion on risk and control from an independent and objective source. This is where internal audit comes in. Unencumbered by line management responsibility, it is the role of the internal audit function to have a broad view of the organisation and to be able to provide this assurance.
The basic assurance role of internal audit involves three key elements. Internal audit must ‘do the right thing’, by focusing on what really matters to the business, rather than getting bogged down by the minutae. It must ‘do things right’ by using appropriate and up-to-date methodologies, such as risk-based internal auditing, and having the right people with the right skills. Finally, it must ‘tell it right’ by giving robust messages in its reports.
Internal auditors can also provide value by making the most of the skills and knowledge they have accumulated. This might include sharing of knowledge and best practices, control analysis and design and guidance in developing new systems.
Secondments, both into and out of internal audit, can provide value across the organisation. Part of this knowledge sharing initiative could include providing management with some audit interrogation software that enables them to regularly check their processes or systems.
There are those who think internal auditors are also best placed to provide a consultancy service to organisations. But if internal auditors were to do this, it is likely to impinge on their independence and objectivity and could have an impact on the value that they provide.
Recipients, or internal ‘clients’, of internal audit work should ask questions about the function and its effectiveness, but true value can only really be measured by the people receiving the assurance and reports, and those who have benefited from the skills and knowledge of internal audit in other ways. It is essential for internal auditors to gain objective feedback on the work that they carry out.
Internal auditors often talk about adding value and, indeed, these words are contained in the IIA definition of internal auditing. Yet the phrases ‘providing’ or ‘delivering’ value are much more appropriate. It is not possible to place a monetary value on the assurance that they provide to the board and the audit committee.
But, as an audit committee member myself, I feel better knowing that we have an effective internal audit function that uses its skills and knowledge to provide us with basic assurance – and that’s a benefit that money just can’t buy.
Gill Bolton chaired the recent ICAEW audit & assurance faculty’s working party on internal audit.
Two new audit partners have been appointed at the firm BDO in its audit practice following continued growth and investment
Investment in people, tech and businesses impacts on EY's profit per partner figure
If businesses do not take cyber security seriously in their business planning regulators may do it for them, the ICAEW has warned
Dr Richard Willis provides a several thousand-year history lesson of the profession, from origin to modern-day