| Internal audits - a risk management tool |
Back |
| Gerry Fitzpatrick examines the findings of a recent study analysing the value of internal audits. |
Does the boardroom feel that internal audit adds value? Nearly 95 per cent of board directors recently surveyed felt that the standing of internal audit had increased in the last three years. ‘The Value Agenda’ - a study conducted by the Institute of Internal Auditors (IIA), in association with Deloitte & Touche - explored this topic, together with an analysis of the importance of linking risk management with internal audit1. The study covered 97 companies including over 60 per cent of the FTSE 100.
On a scoring system of one to ten, directors scored an average of seven for internal audit value, noting that this value had increased over the last three years.
The perceived value of internal audit was seen most strongly as:
• Assurance on major business risks
• Assurance on the internal control framework
With much less emphasis by directors on:
• Improving business performance by sharing knowledge
• Use of knowledge to tackle urgent issues
• Detection and prevention of fraud (which scored less than 30 per cent)
Interestingly, directors and internal auditors were in agreement with their assessment of the highest value factors. However, internal auditors scored the latter three much more highly than directors.
The role of the internal auditor
The survey found that the boardroom is encouraging internal audit to be more business-like, with the role and required skills of the internal auditor the subject of much recent discussion, particularly in light of recent corporate governance scandals.
The IIA has indicated that, ultimately, the audit objective is to provide management with information to mitigate the negative consequences associated with not accomplishing the organisation’s objectives. The degree of materiality of exposure can be viewed as risk not mitigated by establishing control activities.
Measuring value
The survey found that 75 per cent of heads of internal audit are not required to demonstrate formally the value they deliver. This was one of the most surprising findings of the survey.
Measurement appears to be based more on ‘general respect’ than on metrics. Without such metrics it is difficult to see how directors rated internal audit so highly. I believe that directors should request a periodic evaluation and benchmarking of their internal audit functions to help them more objectively measure these matters.
Maintaining appropriate skills
The internal audit function assesses the operational and financial controls within an organisation. It deals with the risks organisations take in the course of business and determines how knowledgeable they are about those risks. An effective internal audit function is the eyes and ears of the audit committee and senior management.
The function has changed in recent years. There’s much more at stake today. Organisations are moving faster, and accounting and control structures are more complex. The internal audit department knows the organisation, but it’s more difficult to stay on top of internal and external factors that dynamically affect risk.
Risk analysis is now hugely important in the auditor’s role. Many organisations incorrectly think ‘risk management’ means ‘how much insurance do I need?’ The term actually relates to recognising business risks-adding new systems or acquiring another business, for example-and determining what level of risk is prudent. Organisations must take risks to grow. The internal audit function considers this need with respect to the framework of controls within the organization. It examines such factors as strategic/tactical business process change and the degree to which individuals can commit the organisation’s assets.
Are there other areas of risk to consider? Yes. The quantitative side relates to business process and accounting. But there are important qualitative issues too that relate to how an organisation grows. They raise questions about exercising due diligence in managing growth. An internal audit has responsibility to protect existing assets, as well as the assets that will be put at risk in the future. As business options become more complex, the role of the internal auditor is becoming more consultative and proactive, not just reactive. The traditional blocking and tackling is important, but just isn’t enough.
This focus on risk places new skills requirements on internal audit. With a diverse range of requirements, many units find it impractical to recruit and retain a full mix of skills. Internationally, research shows that 20 per cent of private sector and 30 per cent of public sector audit work is outsourced, as the increasing focus on assessment of risk, operational and value for money audits become important elements in balancing the skills mix.
Risk management and internal audit
With so many organisations now undertaking some form of risk self assessment it is interesting to note that directors felt that a risk conscious mindset was an area where their organisations were currently performing best, a point which was not supported by the internal auditors. The survey summary notes ‘This suggests that the optimistic view of board directors may not be always borne out by the head of internal audit’s experience of what is going on at ground level’. The finding must also call into question the effectiveness of communication between directors and internal audit, which can result in such a difference of view.
There was a further difference in views relating to the experience of significant surprise with directors citing the fact that such events were primarily attributed to the risk not being identified while internal auditors highlighted both an inappropriate assessment of risk and the lack of compliance with policy as the most significant factors. This begs the question whether internal auditors are as forceful as they should be both in the identification of policy non-compliance and the lack of action on implementation of findings.
Shareholder value
With the extensive reporting of risk management processes in annual reports you might have thought that directors would be happy with the enhanced engagement with shareholders. Not so in all cases as the survey highlighted a majority view of directors were not having sufficient in-depth discussions with analysts about risk management, together with a view that analysts do not place value on the company’s approach to risk management. However, that being said, only 47 per cent of directors were in agreement that the AGM should be used as a forum to make risk management activities more visible.
The Smith Report
New developments in the UK on governance (Smith and Higgs) will serve to set new standards for audit committees in their review of internal audit activities. The Financial Reporting Council (FRC) appointed group chaired by Sir Robert Smith made some recommendation for audit committees and the internal audit process.
Recommendations
The audit committee should:
• Monitor and review internal audit activities
• Consider annually where no internal audit function exists if there is a need and make a recommendation to the board
• Explain in the annual report the reasons for the absence of an internal audit function
• Support IIA Standards - audit committee should receive reports under those standards
• Ensure that internal audit resources are in place to fulfill the internal audit mandate
• Approve appointment and termination of appointment of the head of internal audit
• Meet internal auditor without management present
• Ask internal audit to provide feedback on the conduct of the external audit
• Review the effectiveness of internal audit function in the context of the organisation’s risk management systems
The survey shows that, while directors are putting a value on internal audit, there is scope for improvement in the objectivity of that evaluation.
Value assessment - your checklist
As a non-executive director or a senior manager there are a number of issues you should be considering:
• Are you getting the control assurance you need?
• Are your systems efficient and effective?
• Are you getting best value from internal audit?
• Should your internal audit have a metric to demonstrate efficiency and value?
• When did you last benchmark the function against other internal audit functions?
• Have you ever done a comparison of an internal versus an outsourced function?
• Are the internal audit and risk management processes aligned?
• Does your internal audit have the appropriate specialised skills - risk assessment, value for money and computer audit skills?
• Have you considered co-sourcing or outsourcing your internal audit function?
We have found that these questions should be on the agenda for all boards.
1 The Value Agenda survey is available from www.iia.org.uk and www.deloitte.com/ie/risk |
Gerry Fitzpatrick, FCA and an associate member of the Institute of Internal Auditors, is a partner in Deloitte & Touche, specialising in Enterprise Risk Services, delivering risk, internal audit, computer audit and e-business security services.
|
| Article appeared in the May 2003 issue.
|
|
|
