ASSURANCE – THE ROLE OF INTERNAL AUDIT

The internal audit function is a fundamental element of corporate governance structures within most organisations. It operates primarily to provide assurance to executive management that the internal control structure of the organisation is effective. Internal audit assists the Audit Committee in discharging its governance responsibilities.

Internal audit has no direct involvement in the day-to-day operations of the organisation and should remain independent from management. Over the past decade the focus of internal audit has changed significantly and now concentrates on forming partnerships with line management and fostering business improvement processes. The following values provide the basis of an effective internal audit process:

• Management support: The tone at the top is most important in setting the overall organisational control environment. It signals to staff the importance attributed by management to sound control. Management support is demonstrated by:
  • The audit charter being formally approved by the chief executive, endorsed by the Audit Committee and promulgated to senior managers.
  • The head of audit having direct access to, and the confidence of, the chief executive with a clear line of responsibility to the Audit Committee.
  • Internal audit having a strong relationship with senior line management.
• Risk based approach: In order to provide a value-added service, the internal audit function should address the needs of key stakeholders – executive management and line managers. The focus of these stakeholders is on identifying and mitigating organisational business risks.

Therefore, the internal audit program should be based on the organisational risk profile. Internal audit should identify and assess business risks in consultation with senior management. By being risk-focused, internal audit can ensure that audit programs consistently address current organisational risks and priorities.

• Balanced resources: An effective internal audit function is a result of the organisation placing value on the function and assigning suitable, qualified staff to the area. Internal auditors should have a sound understanding of organisational processes and business risks. Internal audit staff with both business and public sector experience, in addition to auditing experience, will usually be effective auditors, and multi-disciplinary teams will allow a more balanced approach to auditing.

• Continuous improvement: Internal audit should aim for continuous improvement by adopting best practices in its own processes. This way the internal audit function can strengthen its position and credibility within the organisation. Continuous improvement involves assessing performance against internal and external targets and benchmarks. Establishing a set of performance indicators can be useful tool. The key success factors for an effective internal audit function are described as follows:
  • Organisational context: An organisation’s control structure comprises various elements including management attitudes, system of delegations and authorisations, staff knowledge and skills, and quality of information on operating and systems performance.

The condition of the current control structure is integral in determining the focus, depth and activities of internal audit in each area of the structure or organisation. A strong control structure may require internal audit to provide independent, expert advice, while a weak control structure may require compliance audits on controls and procedures.

Senior management need to have a sound understanding of both the present state of the control structure and of future controls and governance procedures which are to be implemented. In this way, internal audit can be allocated tasks where it can optimally utilise its resources and add value to the organisation.

• Define the role: The role of internal audit is determined by analysing the organisation, and deciding where and how the internal audit function can provide a value-added and cost effective service. Internal audit roles can be broadly categorised as:
  • Compliance-based/assurance role.
  • Independent advisory role.

The first approach concentrates on compliance audits designed to provide assurance on key controls to senior management, while the latter approach focuses on organisational efficiency and effectiveness, and seeks to improve processes. Internal audit needs to find a balance between the two methodologies and tailor its program to the specific circumstances of the organisation.

Establish the program: An effective internal audit program is one which is based on the organisational risk profile. It is recognised that this business-oriented risk approach adds greater value than the traditional ‘cyclical audit’ approach as it focuses attention on two important elements affecting organisational success: areas with the greatest potential for loss and areas where process improvement is required.

Resources: The aim of internal audit is to deliver a cost-effective service and resources should be allocated appropriately with qualified and skilled staff. Resources should be balanced with organisational needs by considering factors such as size of organisation, cost of audit function and staff turnover.

Review mechanisms: Internal audit review mechanisms should be implemented to provide:

• Accountability for the function by measuring effectiveness.
• Identification of areas for improvement, as part of the continuous improvement process of an organisation.

Review mechanisms should cover both internal audit processes and audit outputs. Additionally, performance reports should provide a balanced view by incorporating qualitative and quantitative indicators.

Review mechanisms should facilitate ongoing performance measurement. It is recommended that reviews be undertaken at the end of each internal audit project, and that the internal audit function be formally reviewed by an Audit Committee at least annually.