Home > Risk > How the Audit Committee Should Assess Internal Audit

How the Audit Committee Should Assess Internal Audit

Deloitte has provided us with some useful information on this topic in their latest Audit Committee Brief, Harnessing the Full Potential of Internal Audit. For example, they say:

“In many organizations, audit committees and management have differing expectations of internal audit. An optimized internal audit function can provide a balance between protecting and enhancing enterprise value by taking a holistic approach to risk management across the enterprise and providing independent and objective assurance with value-added advice”.

The paper has some useful questions for the members of the audit committee to ask the chief audit executive (CAE). I would ask these:

  • Is the internal audit function focused on the issues that matter to the organization? Are they aware of the topics of discussion at executive management and board level? Are they looking at those areas? If not, why not? Why are they looking at areas that are not on our agenda? [Note: there may be good reason for internal audit to look at other issues; the key is that they can explain why.]
  • Is internal audit satisfying our need for assurance that the people, organizations, processes, systems, and relationships within and across the extended enterprise are effectively managing the risks of significance to achieving or surpassing our objectives? Do they provide us with a formal opinion on the adequacy of risk management, governance processes, and related controls? If not, why not?
  • How much insight does internal audit provide us? How valuable is it to us? Does it help us govern the organization?
  • How valuable is internal audit to management? How often are their insight, assurance, and recommendations sought out by executive management?
  • Are we assured that we are hearing the complete, unvarnished truth from internal audit – unaffected by management influence?
  • Does internal audit have the professional, competent, and objective resources and organizational stature to be effective?
  • Do we have sufficient influence in the selection, assessment, compensation, and career of the CAE? Or, are we dependent on the CFO or other management to provide us with carefully chosen candidates to hire; do we decide how the CAE should be compensated or simply apply the stamp of approval to the CFO’s decision? Is the CAE overly influenced by the potential for a career move into management?
  • Is the CAE proactive in suggesting changes to the role of internal audit, or is he passive and reactive to our expectations?
  • Is the CAE a change agent, bringing ideas to management and the board to improve corporate effectiveness, for example by improving risk management programs or the use of radical technology?
  • Does the CAE demonstrate appropriate courage and perseverance when confronted with challenges with management? Does the CAE navigate those challenges with tact and diplomacy, achieving results without unnecessarily alienating management?
  • How does the CAE know whether internal audit provides the value to the organization it is capable of and should provide? Is he satisfied, and why?

I welcome your comments on the above. Do you like them? How would you change them?

  1. Vikram Vijh
    August 31, 2012 at 8:57 PM

    This is absolutely correct. This is what the management and internal auditors should be asking themselves. If both the parties are able to address this issue there would be tremendous improvement in quality of audit. This needs to be ciculated to all audit committees and internal auditors.

    WordPress.com

    Norman Marks posted: “Deloitte has provided us with some useful information on this topic in their latest Audit Committee Brief, Harnessing the Full Potential of Internal Audit. For example, they say:

    In many organizations, audit committees and management have differing “

  2. Confused Auditor
    September 1, 2012 at 1:18 AM

    Good points Norman.

    Might be deflecting from this post, but I am seriously hunting for answer on the “board” role in improving governance. Typically a case of those organisations which are not public accountable , but single or family ownership driven. They do exists in many parts of the world, having expanded horizontally – product wise, geography wise; but internal audit function is highly undermined. The need for this function is barely felt or if it exists it is like a watchdog in old fashion style.

    The core problem, as I have experienced lies in the business owners perspective. I have avoided using the word “board” or “audit committee” over here.

    1) The business owners take decision extensively in silos on one-to-one basis with individual business/ functional heads and not as a collective team.
    2) Despite pressing the need or conveying the importance of robust internal audit and governance structure/ control environment, the talks are brushed out.
    3) The decisions are primarily driven with time horizon of realisation of hard cash with associated activity or activity under consideration. However they don’t follow scientific working, feasibility or evaluation of the alternatives.
    4) Investment in information systems is looked upon as a waste of time and money, since loti of softwares are available at cheaper price or even open source or even off-the-shelf. This resulted in disaster of ERP implementation project in one of the business entity they run.
    5) The business owner believe multiple MIS reports which are not integrated , neither question reliability of information.
    6) Code of conduct and ethics beyond last point of agenda if it has to be. Bribing, kickbacks, canvassing etc can happen routinely. Does’nt it set wrong tone in the organisation ?
    7) Every employee has unrestricted access to the business owner, hence in a hidden way that promotes sychophancy since everyone is told something which does not necessarily match or join facts of an issue.
    8) The business owner does not see any kind of value in having all these kind of audit committees, neither audit reports, neither discuss on business plans, neither spend time on ethical values, integrity issues, personnel competence etc. and building a well integrated control environment.
    9) Performance evaluation does not carry any scientific basis and is merely driven on likings of the person and function; primarily sales and marketing as they are seen money makers of the business. That’s it.

    As a hard core functional , it does pain for things not taking shape in appropriate mode.

    If I have to join my post to yours , does it amount to failure of internal auditor for not being able to rightly convey the seriousness of internal audit, governance/ corporatisation of the business, control environment ? Or if the business owner has consciously accepted the operating style, what should internal audit function do in such case ?

    • Lalit Dua
      September 2, 2012 at 1:15 AM

      I am in agreement with almost all the points you have mentioned and you have rightly concluded also “Or if the business owner has consciously accepted the operating style, what should internal audit function do in such case?”.
      Most of us will hesitate to accept it but this is true. To business owners Profitability and Hard Cash is more important than style of governance with Corporate Values (which have been beautifully “Documented”) and effectiveness of “Control Environment”. A strange mentality prevails in NOT accepting internal auditor contribution though it might have resulted in Cost effectiveness, increased Operating Efficiency and robust Control Environment. But if a part of it has come from functional management then no limit of its recognition and acceptance by “Key management”.

      • Confused Auditor
        September 2, 2012 at 1:54 AM

        Thanks Lalit for that response. The intention of my post was just to bring some ‘real life’ issues on the fore (and not criticise just for the sake of it) and forcing myself to seek some answers, which are making me suffocated/ breathless for sometime. Seriously. As a professional I did had my own patience to watch and adjust to the situations.

        I am quite a regular follower of this particular blog and at times feel myself “unlucky” for not being associated with such kind of environment where IA is seen as a value-provider ! The wonderful plethora of knowledge would make sense for me only if I have fresh breath of air to practice and implement.

        Sometime back I came across a short and sweet article about IA. It mentioned – IA’ s success is attributable to People (right kind and amount of people), Practice (knowledge and practices deployed by the function) and the strongest pillar of this – Perception , which is nothing but how the audit committee/ board sees this. Thus, it is nothing about setting tone at the top/ control environment/ governance etc which are core at the success of IA.

        Sorry Norman, for being too elaborate on my post(s) and utilising this space to seek an answer to my situation – Am I a failed auditor or something else?

        • Lalit Dua
          September 3, 2012 at 10:54 PM

          Hi..my opinion and your points of view were matching to an extent, regarding IA contribution to any organisation and its assessment, which made me write on your post. I have worked with groups of repute, in India and other countries. In all my previous and current assignment, I had the responsibility of setting up of IA function, which is a challenge in itself. The contributions of IA function during my tenure were to the extent of making companies profitable (by suggesting areas of cutting overheads, improve processes to enhance productivity and making controls effective) to initiating and supporting Risk Assessment and Management exercise. Inspite of all these I never felt comfortable as no direct communication came from Key management acknowledging the contributions made though IA function had acceptability at all levels of management.
          The simple reasons which I can understand is that all the recommendations made, by IA in its report, are to be implemented by functional managers and positive results are connected to their efforts than to the recommendations of IA function. The role IA performed in the background is hardly noticed and appreciated by management.
          Even after making much needed contributions IA had to fight for its status which should have come in normal way as for other functions.

  3. John Mogni
    September 1, 2012 at 8:17 PM

    Mr. Marks,

    The questions seem useful for identifying key areas to focus on and for developing performance criteria. Some are thought provoking. However, the questions essentially prompt for “Yes” or “No” answers and do not ask “How” or “Why”.

    I would ask CAEs to describe the specific criteria, ranked in order of importance, that indicate the effectiveness of Internal Audit. In other words, how do they know Internal Audit works? The criteria should be specific and not abstract or vague such as “meets objectives”, “communicates risks timely”, and the like.

  4. Richard Archer
    September 2, 2012 at 2:05 PM

    Norman,

    From our past communications and from reading your blog and IIA articles, I have two impressions: (1) based on your expertise and your willingness to share it with others in the profession, you must have been a very effective CAE and (2) you seem to have worked in organizations that either expected and valued IA’s contributions or were won over to IA’s value as a result of working with you. Not everyone has been in that situation, which puts greater weight on John Mogni’s points about the How’s and Why’s not being addressed in your list.

    When assessing IA, I hope that the overall Board, or at least the Audit Committee, are independent enough of management to be able to recognize when lower than expected contribution from IA is due to CAE or Internal Audit weakness and when it is due to management intransigence.

    If management believes that IA has a purpose that benefits the organization, then IA’s work and its ability to contribute is facilitated. Any disagreements can generally be worked out.

    If management is initially reluctant to accept that IA has a purpose in the organization beyond just being one of those nuisance regulatory or listing requirements, because the executives hold to stereotypes and preconceptions about IA, the CAE would have to overcome those ideas. It would mean having to work harder in the beginning, but the CAE can build an effective working relationship over time by delivering on the kinds of issues in your list.

    For the first two situations, the points you list for assessing IA’s performance are on target.

    However, if management is adamant that they will not work with IA under any circumstances or they deliberately try to exclude and marginalize IA so that oversight of management activities is not effective, then it is unlikely that the CAE and IA will be able to deliver on many, if any, of the points in the list. In that situation, the CAE’s relationship with the AC Chairperson is critical. If the AC Chair always comes down on the side of management, the CAE is in a losing situation, no matter how effective in leading the IA activity.

    A point I would add to your list that could address the last situation is:

    What is the staff turnover rate in IA, particularly at the CAE or senior audit management level, and why?

    • Norman Marks
      September 2, 2012 at 3:11 PM

      Richard,

      I have taken over internal audit functions that were not respected or seen as adding value by management. In most cases, that opinion was justified by prior performance.

      In my experience, the right CAE can right the ship and results will change perceptions.

      If the audit committee asks the right questions and is sufficiently objective, plus willing to support the new CAE, they will see where management’s opinion is merited.

      It helps a lot when the CAE has the right attitude and confidence to match. But even if given the chance, respect has to be earned by results.

      I like your question about internal audit turnover. If high, they should ask HR whether exit interviews were performed.

  5. February 27, 2014 at 4:38 AM

    Hi there, just became alert to your blog through Google, and found that it’s truly informative. I will appreciate if you continue this in future. Numerous people will be benefited from your writing. Cheers!

  1. September 1, 2012 at 1:49 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: