What is and what should be the role of internal audit? Is its primary purpose restricted to backward-looking checks and balances, or can it add real value to the organisation? Many audit committees would argue that internal audit can fulfil a wider strategic role. Certainly they can provide a lot more than assurance over core controls. According to a recent survey of audit committee members carried out by KPMG’s Audit Committee Institute, over two thirds of those questioned (71 percent) agreed that internal audit’s responsibilities should be extended beyond its primary mission of assurance over internal controls. An example cited of where value could be added included extending the remit of internal audit to embrace elements of risk management and process improvement.
83 percent of the Audit Committee members were ‘satisfied’ or ‘very satisfied’ that their company’s internal audit function was delivering expected value to the company. 79 percent said they were satisfied or very satisfied that their company’s internal audit plan was risk-based and focused on risks that were critical to the enterprise, such as financial reporting and strategic, operational and compliance risks. However, almost 40 percent had concerns that in the current regulatory and economic climate, internal audit was not responding quickly enough to emerging risks. In effect, current audit plans were too static.
Mike Wareing, the Audit Committee Chair of three major groups, certainly agrees that internal audit could play a more expansive role. “It’s more common in the public sector to see value-added auditing,” he says, “But it’s still relatively rare in the private sector.”
Tim Copnell, Associate Partner at KPMG and founder of the UK Audit Committee Institute, believes professional identity is also a factor. “While within each organisation audit committee members should have a common understanding of what is expected of the internal audit function, ultimately there is no right or wrong answer as to what that role might be,” he says. “The spectrum can run the gamut from core assurance over compliance with controls, policies and procedures through to playing a consultancy/advisory role in relation to emerging risks, business performance and strategic decision-making, and everything in between.”
The precise role of audit within any organisation will depend on a range of factors, including the maturity of the control environment, the skills and experience within the internal audit team and, as Wareing points out, the existence of other assurance functions within the organisation. “One of my companies, for instance, is in the aerospace sector and deals with a lot of government contracts,” he says. “Because that is a critical issue for us, we have a separate compliance function.”
With this in mind, audit committee chairs such as Wareing are keen to adopt a more holistic approach to assurance across the organisation. “One of the problems I’ve seen as chair of an audit committee in the past is that the internal audit plan and external audit plan, as well as feedback from various finance functions, were all presented at different audit committee meetings,” he says. Wareing believes this is done in the mistaken belief that to present them all at once would represent information overload. But audit committees need a comprehensive picture. They need to understand where all the assurance comes from, how it all fits together, and ultimately whether appropriate levels of assurance have been received in relation to all significant risks.
Audit committee chairs are increasingly aware of the need to better coordinate the work done by both internal and external audit, and, to some extent, the finance department. “You might find, for instance, that within an organisation there are teams within the finance function that carry out independent reviews of financial controls, which might overlap with both internal and external audit,” says Wareing. “So, a particular unit of the business might have the team from the finance function visiting one week, followed by the internal audit team the following week and the external audit team the week after, all doing a lot of the same work.” Clearly, such practices are both disruptive and inefficient. This is a big issue in the current economic climate, when organisations are seeking
Better co-ordination of all assurance providers, including internal and external audit, also helps eliminate the risk of assurance blind spots, as well as highlighting operational anomalies. Wareing ensures that he sees a list of all the operating units of the business, together with the schedule for visits by internal audit, external auditors and any other assurance teams, over a three-year cycle. “Inevitably, you find that some units get audited to death,” he says. “But the worrying thing is that you might find small or remote units that don’t get an internal or external visit at all. It’s important to know that – if they have our name on the door – there is a reputational risk involved. But you have to ask yourself that if they are too small to be worth visiting, why are we running that unit at all?”
Tim Copnell makes the point that, given the challenges around getting the ‘total’ assurance model wrong, many audit committees are taking a critical look at all their assurance costs and structures with a view to identifying opportunities to improve the efficiency of the assurance they receive. “For example, some audit committees are asking whether their external auditors – in addition to the work they already perform – should extend their scope in specified areas and report on that work directly to, say, the head of internal audit and/or the audit committee,” he says. “This can allow the audit committee to get the assurance it needs while reducing duplication and the pressure placed on the business by multiple audit visits.” As Copnell explains, precious internal audit resources could be repositioned elsewhere, perhaps at the more strategic ‘value-added’ end of the spectrum of potential internal audit services.
Mike Wareing believes that the audit committee has a vital role to play in considering the organisation’s response to new and emerging risks, and adds that it is often uniquely placed to help when an organisation is undergoing strategic transformation. “Two of my companies are involved in quite significant change programmes at the moment,” he says. “In each case, we have internal audit involved, looking at ways of managing the risk of moving from one organisational structure and reporting system to another. They help identify the risks and set out a programme to address them, which is then reviewed by the audit committee.”
There appears to be potential for internal audit to play a wider strategic role, an idea at the forefront of the minds of many audit committees. “Certainly, internal audit is a very topical subject in the three companies I work with,” says Wareing. “In each company, we’re currently looking at what the scope of internal audit should be, and how wide or narrow we want its remit to be.”