
Getting the most out of internal audit

December 20, 2020

It is encouraging to see the public accounting firms recognize the value that an effective internal audit team can provide an organization.

Earlier this year, PwC shared their views in “Getting the most out of internal audit: How can the audit committee help maximize the value of internal audit?”

They make a number of good points, but miss the most important issues in my opinion.

Let’s first look at a few of their observations:

  • Maximizing the value proposition of the internal audit group is an effective way to help audit committees address their risk oversight responsibilities. But getting internal audit’s full value requires focus and attention. It requires the audit committee to reflect on what it needs and to be direct with internal audit.

Comment: Internal audit can help with more than “risk oversight.” For example, at one company where I was CAE, the board was concerned with the leadership of the CEO. The board chair asked for my insights on the executive team and whether they were effective as a team. I have also helped the audit committee with their oversight of the external auditors, gathering an assessment of their performance from the global management team.

Comment: I find it frustrating to see surveys of audit committee members where they say they are disappointed in internal audit performance. They should remember that internal audit reports directly to them; they must, as PwC says, reflect on what they need and be direct with the CAE. If he or she is not responsive and performing, they should replace him or her.

  • The audit committee needs robust and concise, yet impactful, reporting from internal audit.

Comment: Internal audit needs to provide the board and the audit committee (and others such as the governance, risk, and compliance committees) the assurance, advice, and insight they need, when they need it, in an actionable form. They need to stop giving them reports with information that doesn’t matter to the organization and the members of the board. They should respect the value of the audit committee’s time: they never have enough!

  • The audit committee can empower internal audit by providing visible support, starting with the Chief Audit Executive (CAE) as the leader of the group…. An open and trusting relationship between the audit committee and the CAE is critical to help develop the CAE into a leader who can deliver value to the organization.… Internal audit often reports to both the audit committee and management. Regardless of the organizational structure, reporting lines that promote objectivity and effectiveness are critical to a high-performing internal audit function. It’s also important that the reporting lines are clearly defined and well-known in the organization.

Comment: Yes, and easy to say. But there is much more, as I will discuss later.

  • The expertise and value of internal audit could be underutilized if its focus is not aligned to the company’s strategic objectives. Audit committees should expect internal audit to work with other risk and compliance functions in the company. Internal audit should clearly communicate how they work with these other groups to assess risk.

Comment: Yes, but PwC simply fails to understand what agile and flexible internal auditing is about. While they use those terms, they also talk about an annual audit plan and audit projects that have multiple phases.

Comment: Internal audit needs to be sufficiently agile and flexible to address the risks and opportunities of today and tomorrow. Annual audit plans are increasingly recognized as an obsolete practice. While PwC mentions rolling audit plans, this is not promoted as a necessary practice in their document.

Comment: It is management’s responsibility to identify and assess risk. It’s about time the audit firms understood this!

  • Once internal audit has completed its work in an area, it issues the report to management and sometimes to the audit committee as well. Some audit committees rely on the CAE to report to them only on significant areas or significant findings. The CAE should provide a summary of all reports issued during the period, including the scope of the audit, the findings by risk level (if used), and whether or not the findings have been resolved.

Comment: The board should be concerned when there is disagreement on the severity of issues and opportunities between internal audit and management, or on the appropriate actions to be taken. This may be why management is not implementing the recommendations; they may not be justified on business grounds. Focusing on open items is good, but first there should be a discussion of whether internal audit is working with management to come to a constructive agreement on the issues and actions – and if not, why not. If internal audit is writing a report and expecting management to follow with a response, that is an indicator of not only poor internal audit practices but also a failure of both management and internal audit to partner with each other.

Comment: Why should the audit committee need to know of ‘findings’ (such a negative word) that are less than significant? Why give them information and consume their time on trivia? It is far better to spend audit committee time on weighty matters and, if there are none, let the time be used for other reports.

Comment: The word ‘significant’ needs to be understood. It should refer to what would be significant to the audit committee members, not to the auditors or middle management.

  • The audit committee should periodically assess the performance of the internal audit function as a whole and the CAE in particular. In doing so, the committee may consult with the external auditors, management, and individuals from third parties (e.g., firms that provide internal audit services) who regularly interact with internal audit.

Comment: Yes, but while PwC has asked some good questions, they don’t ask whether the members of the audit committee feel internal audit is helping them discharge their oversight and governance responsibilities.

Comment: As I will explain momentarily, it is the assessment of the audit committee that should drive the compensation of the CAE.

PwC has shared, in the Appendix, some interesting and colorful reporting suggestions. But I wonder how much of this information the committee members need to know.

I prided myself on telling them only:

  • What they needed to know as a management oversight function
  • When they needed to know it
  • In a way that enabled them to take appropriate actions

Many of my reports to the audit committee were short (15 minutes) and to the point. They don’t really need to know all the trivia in the PwC suggested reports.

So what did PwC miss? What advice should have been clear?

  1. The CAE should report solid line to the audit committee and its members. While there is usually a dotted line to a senior member of management, this is for administrative purposes such as approval of expenses. Talking about dual reporting, even with code words like ‘functional’, waters down the fact that management should not direct the activities of the internal audit function.
  2. The audit committee should act as the direct manager and supervisor of the CAE. This means that they determine who is hired and fired, compensation, budget, and more. This they should make very clear to senior management. Talking about ‘empowering’ the CAE is weak language when strength is needed.
  3. The members should all have a personal (preferably) as well as a professional relationship with the CAE and, if possible, with his or her direct reports. This is simply what good managers do!
  4. The audit committee should take an active role in ensuring that the internal audit function addresses what matters to the success of the organization (risks and opportunities) – and especially ensure they are not wasting time on issues that would never significantly affect its success.
  5. The audit committee should encourage the CAE to share insights not only on processes but on people. The CAE is usually going to be cautious about doing this, which the members should recognize, and where needed the members must be direct in their questioning.
  6. The confidential sessions with the internal auditor, typically held after the main business of the committee is concluded, are immensely valuable. The committee should ensure that there is sufficient time, that others are excluded (except where both the members and the CAE agree they are necessary), and that anything shared is kept confidential.
  7. The audit committee should consider whether the CAE has the ability to act as a senior executive and hold him or her to that standard.

I am sure there is more – and look forward to your comments.

  1. John Fraser
    December 20, 2020 at 5:36 PM

    You are so right that it is management’s accountability to manage risk. One of the most insightful aspects of the 1992 COSO internal control framework was listing risk assessments as part of one of the five factors in a good control framework. This has been sorely neglected by internal auditors who should (have) ask(ed) for management’s risk assessments for every audit they did/do for every process, every function and every project, and if not done this should be reported and escalated up to the CEO and audit committee. Of course, a knowledgeable audit committee would ask if risk assessments are being done…..

  2. Ian Clegg
    December 21, 2020 at 6:47 AM

    Some good points Norman. Unfortunately, both management and internal audit will only deliver based on what is expected of them – I wonder how many audit committees are even capable of asking the right questions? My view is this: management should be required to express a risk-based opinion on their ability to deliver on their objectives within acceptable variances; audit should be in a position to confirm or challenge this opinion. Then you have a good basis for insight and constructive discussion at an audit committee level. My problem is that there is such focus on activity and measurement of activity, that the “why”, i.e. the delivery of objectives, gets lost in the dust cloud. Both risk management and assurance are only tools you apply to achieve something, not ends in themselves.

  3. Simon Rose
    December 23, 2020 at 4:35 AM

    I agree with your points here Norman, however it depends on the strength, bandwidth and capability of the audit committee to be directional in this way. Strong audit committees will step up to the plate here but others will leave it to the direction of management and the reporting lines will only be window dressing.

  4. Mark
    December 25, 2020 at 9:13 AM

    There’s an orange box in the article that speaks to using internal audit in out of the box ways like data and culture and third party risk. I think many of these are areas that deserve audit attention as they are critical to a company’s success and/or areas where poor controls can be highly impactful.
