Carolyn Clarke of ICAEW’s Internal Audit Panel explores how internal audit examines finance, technology and culture, identifies risk and assists with risk management to drive success.
Internal audit has come of age in recent years. Once a function that primarily focused on the testing of financial controls and the poor cousin of external audit, it has been revolutionised to take its place as a critical element of a sound system of internal control and risk management, underpinned by the requirements of the UK Corporate Governance Code and associated Financial Reporting Council Guidance for Audit Committees.
A fundamental element of the three lines model of governance and risk management, internal audit brings risk and assurance expertise to issues that are integral to the survival and prosperity of any organisation – matters such as reputation, growth, the organisation’s impact on the environment and the way it treats its employees. Internal audit should bring hindsight in learning from past experience, insight into current operations and practices, and forward-focused foresight to create a stronger and more resilient organisation.
Essentially, internal audit must provide an objective and balanced view of risks and risk management, first and foremost for the board, to enable directors to fulfil their stewardship responsibilities in the assessment of risk and associated controls. The Internal Audit Codes of Practice (the Codes), for all companies and for financial services specifically, require a primary reporting line to the Chair of the Audit Committee to anchor and underpin this independence. All organisations face risk and directors are required to be thoughtful in the amount and nature of risk they take in delivering their strategic goals and purpose. The Codes emphasise that internal audit should provide an assessment of the effectiveness of governance and controls over prioritised categories of risk – financial and non-financial – within the risk appetite levels established by the board.
A level of assurance
While assurance over the core processes of the organisation such as finance and technology is critical, the assessment of strategic risks, culture and behaviours will drive value and insight. Experienced internal auditors will be able to take seemingly unauditable issues and evaluate the underlying processes or outcomes. This will give directors a level of assurance that their judgements and deliberations, and underlying management information, are appropriate, or show where changes need to be implemented. In doing so, the function will consider both upside and downside risk, with the Head of Internal Audit acting as a strategic adviser to the directors.
The success of internal audit is driven by what it covers and the approach, positioning, impact and influence it is able to have with management at all levels. A commonly used metaphor is that of a doctor. Internal audit cannot shy away from delivering difficult messages and being honest about the causes of the issues identified. But bedside manner is critical. Messages must be delivered with pragmatism and empathy. The Head of Internal Audit must use their judgement to evaluate which issues are most significant or material and report accordingly.
To really make a difference and create improvement, they must be aligned with the strategic purpose and commercial priorities of the organisation, and have the interpersonal qualities to influence. With the right experienced individual leading the function and positioned at the senior executive level, internal audit should be the eyes and ears of the directors and management. It should both protect and create value.
In delivering effective internal audit services, internal audit must conform with the Institute of Internal Auditors’ International Professional Practices Framework, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics. In a similar manner to the standards set for external auditors, these include requirements that evidence professionalism and build trust, setting out specific expectations in relation to: the assessment of risk; determining the audit universe; planning the overall plan; scoping individual activities; execution of the audit work; engagement with stakeholders; reporting; and follow-up of identified actions.
The requirements are based on principles and it is for the Head of Internal Audit to determine how to pragmatically and proportionately interpret them. These standards are augmented in the financial services sector, particularly by the requirements of the regulators. Public sector auditors must follow the Public Sector Internal Audit Standards.
In addition to the broader scope of internal audit compared with the external auditor – covering all risks, as opposed to only financial risks – internal audit differs from external audit in relation to the nature of reporting generally adopted. Internal audit will assess the effectiveness of controls in mitigating risks in accordance with risk appetite, and will identify weakness or areas for improvement in the maturity of the control environment. This will often result in a graduated outcome, usually colour coded, with red being reports that represent a significant risk to the organisation without further action, and green being those where the underlying activities are appropriately managed and controlled. Leading internal audit functions are increasingly looking to work with the first and second line in a way that delivers real-time or continuous assurance, enabling improvements to be made before they result in a specific incident or issue. The fact that internal audit sits within the organisation enables a closer relationship and familiarity with the issues than may be present with the external auditors, while the reporting line to the Audit Committee ensures that independent thinking is maintained.
A key indicator of effectiveness is the value that arises from the actions identified as a result of audit work. It is important these are specific and actionable in relation to the activities and processes that are audited but also that thematic issues and levers be identified. Internal audit has a unique ability to look across all parts of the organisation: functions; processes; management layers; divisions; products; and geographic locations. The function should be focused on the concerns most critical to management and wider stakeholders, in areas such as: the potential for fraud or security lapses; the delivery of non-financial targets, including environmental, social and governance priorities; and the performance and risk culture. It can identify systematic concerns and opportunities, and provide early-warning indicators for management, so long as they are prepared to listen and engage.
Innovate, learn and strive
A strong internal audit function should drive success in the organisation. A Formula One racing driver will only succeed and win championships if they have complete confidence that they can push the car to its technical limits. This means, most importantly, knowing that the brakes will work when they need to. The same is true of organisational success. Organisations can innovate, learn and strive for growth if they have confidence that the underpinning foundation of controls are designed to manage risks appropriately and that they operate in line with expectations.
Internal audit can be thankless: no one notices the incidents that are avoided when operations run smoothly. The Head of Internal Audit will often be the messenger that has to relay difficult messages at the highest level, willingly exposing themselves to challenge. In driving for resilience, directors and management should look closely at often hidden assets and talents that exist within their team.
ICAEW’s Internal Audit hub provides a range of resources.
About the author
Carolyn Clarke, Founder and CEO, Brave Consultancy and a member of ICAEW’s Internal Audit Panel.