Internal auditors to the rescue

IF THE EVENTS OF THE YEAR so far have taught us anything it is the importance for businesses to manage different kinds of risk.

From the very start of 2011, the almost Biblical succession of snow, tsunami, nuclear meltdown, revolution in the Middle East, phone hacking, the sovereign debt crisis and rioting across the UK, brought into even sharper focus the myriad of different forms risk can take.

The issue was already high on the corporate agenda as the full financial impact of the credit crisis hit home. That increased concern was reflected in an update to the FRC’s UK Corporate Governance Code, to clarify boards’ responsibility for managing risk.

The problems of the year have highlighted the value of an internal audit in providing assurance that a business knows how to respond in unexpected circumstances and has sufficiently strong internal controls to avoid crises of its own making.

It’s good to talk

Many boards and finance directors are expected to increase their focus on how they manage risk and corporate reputation. A good relationship between the audit committee, finance director and head of internal audit is crucial to ensuring risk is managed well.

Internal auditors are in a unique position of sitting within an organisation’s executive, but being independent of it. A typical structure is for the head of internal audit to report directly to the audit committee, with the FD overseeing “pay and rations” for the team. But how can such an unusual relationship be made to work?

The first step of a successful relationship between FD, audit committee and internal auditor (IA) is a clear understanding of what the auditor is there to achieve.

An internal audit is one of the four cornerstones of good governance – along with external audit, executive management and non-executive management. Its role is to provide those responsible for governance with objective and independent assurance on the effectiveness of governance processes, especially the controls in place to manage future and current risks. This is a very different function to the annual financial health check provided by the external auditor’s report.

While providing assurance on financial controls is now only part of the internal auditor’s remit, it is still core. Many FDs report their external auditors rely on this assurance work, with one FTSE250 FD claiming it helped halve external auditors’ fees over two years.

Even in cases where the head of internal audit reports to them, FDs now recognise that they can be a strategic partner in the wider drive to reduce costs and increase efficiency, while at the same time ensuring control is effective.

This means the focus of an internal auditor’s work is across the whole organisation. Frequently, the FD can act as internal audit’s champion, helping them to get under the skin of the business, its people, its processes and policies, its markets and of course its appetite for risk.


The result of the last year’s events and its changed emphasis on the internal auditor’s importance is that they are no longer seen as outsiders with clipboards ticking boxes. Their line of sight across the whole organisation is being harnessed by FDs to examine crucial business initiatives, on what one former FTSE 250 head of internal audit describes as ‘almost a consultancy basis’.

This means that heads of internal audit can help ensure new acquisitions are being integrated into the business as smoothly as possible, new operations are managed effectively, lessons are learnt and applied. Increasingly, internal audit provides the same sort of insight management consultancies might once have been drafted in for.

Audit committee chairs are approving of the FDs’ increasing confidence in their heads of internal audit. One FTSE100 CFO turned audit committee chair sees it as crucial that the head of internal audit operates at the kind of level that allows him to act as a sounding board for both CEO and CFO.

After all, the head of internal audit is there to act as the board’s eyes and ears within the business. If their ability to manage and highlight risks is limited to their conversations with the audit committee, it limits their effectiveness.

Clearly, heads of internal audit need to be regarded as partners to the FD and other senior managers. Getting to that position requires IAs to be able to give advice and make recommendations without compromising their objectivity; to go beyond simply identifying internal control issues to providing insight and answers. They need to understand the expectations of both FD and audit committee and, in turn, ensure they understand what internal audit is capable of delivering.

By developing their relationships with both the FD and the board, internal audit can play a huge role in supporting the management of risk across the whole business and giving it the attention it deserves. The dramatic events of this year should help make the need for this process that much easier.

Nicola Rimmer is on the council of the Chartered Institute of Internal Auditors

Related reading