Improve your organisation's level of assurance
ICAEW’s Internal Audit Panel has identified eight risk areas where boards and audit committees should be asking themselves whether they are receiving the objective assurance they need amid increased public scrutiny.
Where boards and audit committees are not able to provide a positive response, we recommend that internal audit should evaluate these areas. Internal audit may not be providing this objective assurance because they have not been asked to do so, or because it has not featured as part of their traditional work.
Below, we set out some of the questions that internal audit will need to address for each of these eight risk areas.
1. How effective is our organisation's governance of key areas?
A lot of senior management’s time may be spent looking at the structure and form of governance, which in practice does not always equate to effective governance.
- Does senior management really understand what effective governance and oversight looks like?
- Are the three lines of defence well-defined, understood and effective across our organisation?
- Do all employees understand their role and responsibilities?
2. Is information presented to the board accurate, adequate and timely?
The board is presented with a significant amount of information, but very little of it is subject to specific assurances from anyone other than senior management. When that information concerns critical issues or decisions, such as mergers and acquisitions, the board needs specific assurance.
- Is the board receiving quality information?
- Is the board receiving all the information it needs without being overloaded?
3. Is a strong risk management culture promoted in our organisation?
The effectiveness of any system of risk management or internal control depends as much upon the culture of the organisation as it does upon the design of the system. Culture encompasses not only the values promoted by management, but also the behaviours and attitudes at every level of the organisation.
- How is risk managed in our organisation?
- Do employees live the values of our organisation, and what evidence do we have to support that?
4. How does our organisation measure up to its environmental and social commitments?
Organisations are increasingly expected to report on their environmental and social policies. These policies can range from reducing carbon emissions to diversity and fair treatment of workers, and often include promises or commitments.
- What assurance does our board have that the company’s promises and commitments on environmental and social issues are being met?
- Do our public statements accurately reflect what our organisation does?
5. Will decisions about executive compensation stand up to public scrutiny?
Executive compensation attracts a lot of external scrutiny. Boards need to be confident in explaining executive pay, and consider whether it will be seen as excessive.
- Do executive performance appraisals reflect the effectiveness of our organisation’s risk management and internal controls?
- Do executives display the values and behaviours expected, and is this mirrored in their performance appraisals?
6. Are specific business activities in our organisation receiving special treatment?
Organisations sometimes create “protected domains”. These are parts of the business that are given special treatment, for example, because they are considered “proprietary” and competitively sensitive, or extremely successful and profitable. In some cases, internal audit’s access to these areas is limited or restricted, possibly without the board and audit committee being aware.
- Is internal audit excluded from any business activities?
- Has our organisation properly explained to the board why internal audit is being prevented from looking at these areas?
7. Has the quality and scope of work provided by external specialists been properly assessed?
Organisations will need to use specialists for certain types of assurance, such as environmental assessments.
- Are external specialists well-chosen and properly briefed, and is the board receiving objective assurance about the adequacy of their work?
Some organisations may rely on external auditors to perform all the objective assurance they need around their finance functions. It is unlikely the scope of external auditors’ work will be sufficiently broad to justify this reliance.
- How much objective assurance is already provided by internal audit on the adequacy of risk management and internal controls over the finance function?
- How much internal audit time is being spent supporting external auditors, and is this the best use of their resources?
8. How prepared is our organisation for changing risks?
Unforeseen factors, such as natural disasters, financial problems or labour disputes in the supply chain, could cause disruption or damage to an organisation. Having a contingency plan in place could be critical for its survival.
- Is our organisation able to evaluate emerging risks?
- How prepared, resilient and agile is our organisation when responding to disruption?
- Which areas of our business are most vulnerable to disruption?
Is your organisation receiving the assurance it needs? Take our short survey.
To understand what level of assurance is provided in the areas identified above, we are inviting board and audit committee members and heads of internal audit to complete a quick survey. This will help us identify where further best practice guidance is needed so that internal audit can provide the objective assurance that boards and audit committees require.