Spotting internal audit risk areas

ICAEW’s Internal Audit Panel has identified eight risk areas where boards and audit committees should be asking themselves whether they are receiving the objective assurance they need amid increased public scrutiny.

January 2020

Where boards and audit committees are not able to provide a positive response, ICAEW recommends that internal audit should evaluate these areas. Internal audit may not be providing this objective assurance because they have not been asked to do so, or because it has not featured as part of their traditional work.

Below are some of the questions that internal audit will need to address for each of these eight risk areas.

1. How effective is our organisation’s governance of key areas?

• Does senior management really understand what effective governance and oversight looks like?
• Are the three lines of defence well-defined, understood and effective across our organisation?
• Do all employees understand their role and responsibilities?

2. Is information presented to the board accurate, adequate and timely? 

• Is the board receiving quality information?
• Is the board receiving all the information it needs without being overloaded?

3. Is a strong risk management culture promoted in our organisation?

• How is risk managed in our organisation?
• Do employees live the values of our organisation, and what evidence do we have to support that?

4. How does our organisation measure up to its environmental and social commitments?

• What assurance does our board have that the company’s promises and commitments on environmental and social issues are being met?
• Do our public statements accurately reflect what our organisation does?

5. Will decisions about executive compensation stand up to public scrutiny?

• Do executive performance appraisals reflect the effectiveness of our organisation’s risk management and internal controls?
• Do executives display the values and behaviours expected and is this mirrored in their performance appraisals?

6. Are specific business activities in our organisation receiving special treatment?

• Is internal audit excluded from any business activities?
• Has our organisation properly explained to the board why internal audit is being prevented from looking at these areas?

7. Has the quality and scope of work provided by external specialists been properly assessed?

• Are external specialists well-chosen and properly briefed, and is the board receiving objective assurance about the adequacy of their work?
• How much objective assurance is already provided by internal audit on the adequacy of risk management and internal controls over the finance function?
• How much internal audit time is being spent supporting external auditors and is this the best use of their resources?

8. How prepared is our organisation for changing risks?

• Is our organisation able to evaluate emerging risks?
• How prepared, resilient and agile is our organisation when responding to disruption?
• Which areas of our business are most vulnerable to disruption?

To understand what level of assurance is provided in eight risk areas, ICAEW is inviting board and audit committee members and heads of internal audit to complete a quick survey.

Take the internal audit survey 

Liked this? Read these:

• ICAEW sets out auditor reform position
• When changing the system becomes the new inertia
• Going concern: challenge of multiple uncertainties