Brought to you by
AIA

CPAA Insight: Internal audit: aim high!

3rd Apr 2013

This article first appeared in the March 2013 edition of CPAA's membership magazine, Practising Accountant

Michael Cowan discusses the latest research on internal audit standards

TWO DOCUMENTS published in February 2013 seek to influence the standards that are applied to internal audit (IA). 

The Chartered Institute of Internal Auditors' (IIA) committee on IA guidance for financial services has issued a consultation document on recommendations for effective internal audit in the financial services sector. Meanwhile, the Financial Stability Board (FSB) published a report on risk governance.

Both concluded that IA's work should be focused at the very top. The IIA paper recommends that reporting lines should be to the board and board sub-committees; scope of work should be risk-focused on areas such as business strategy and culture; and IA departments should be independent of other departments.

The FSB peer review recommends reporting audit findings, significant issues and the status of remedial action directly to the board or audit committee regularly. It also suggests IA should provide an overall opinion of the design and effectiveness of the risk governance framework to the audit committee annually, assessing whether business and risk management units are operating according to the firm's risk assessment framework.

Is the work of IA focused at the appropriate level? This past year there have been two surveys on IA that, when applied to the results of new policy documents, provide interesting reading. These are Thomson Reuters' The State of Internal Audit Survey 2012 and Ernst & Young's The Future of Internal Audit is Now.

The surveys covered IA across a number of industries and were not confined to the UK, so the analysis cannot offer a direct comparison. However, if the trends are to be applied to financial services there is more that organisations can do to improve the effectiveness of IA.

The IIA consultation document explains that the primary role of IA should be to help to protect the assets, reputation and sustainability of the organisation. It does this by: assessing whether all significant risks are identified and appropriately reported to the board; assessing whether they are properly controlled; and challenging executive management to improve the effectiveness of governance, risk management and internal controls.

There was a general consensus on the importance of the independence of IA. There was strong support for an unrestricted scope of IA and for greater clarity and consistency of IA's role in auditing areas such as strategy, culture, risk appetite and key corporate events.

Scope & priorities

The scope of IA should be unrestricted. IA should independently determine key risks and how effectively these are being managed. The paper identifies some of the areas to be included in that scope, including governance structures, strategic and management information and risk appetite/risk and control culture.

Prioritisation & planning

IA should take a risk-based decision on which areas it should include in the audit plan. IA should have the flexibility to deal with unplanned events to allow prioritisation of emerging risks.

Reporting

IA should present and issue reports to the board audit committee, the board risk committee and any other board committees as appropriate. IA's reporting should include:

  • a focus on significant control breakdowns, together with root cause analysis;
  • any thematic issues identified across the organisation; 
  • an independent view of management's reporting on the risk management of the organisation; and
  • an assessment, at least annually, of the overall effectiveness of the governance and risk and control framework of the organisation.

Interaction with risk management, compliance & finance

IA should not be part of, nor responsible for, risk management, compliance or finance functions. In no circumstances should IA rely exclusively on the work of risk management, compliance or finance. However, there is a need for these functions to work together for a rounded view of risk to be determined and reported to the board. 

The FSB report states that there is little supervisory guidance on the level and types of risk information firms should provide, as well as the frequency of risk reporting.

The risk management reports provided to the board should contribute to sound risk management and decision making. This requires IA, risk and compliance functions to align their responsibilities and ensure adequate coverage of the risks of an organisation.

Resource

The chief internal auditor should ensure that the audit team has the skills and experience commensurate with the risks of the organisation.

Summary of FSB peer review report on risk governance

The report gives a clear indicator of the growing regulatory focus on the operational effectiveness of internal audit functions. The sound practices identified, and against which all IA functions should assess themselves, are that the IA function meets its obligations to the board and supervisors by:

  • reporting audit findings, significant issues, and the status of remedial action directly to the board or audit committee on a regular basis;
  • providing an overall opinion of the design and effectiveness of the risk governance framework to the audit committee on an annual basis;
  • providing qualitative assessments of risks and controls as opposed to evaluating compliance with policies and procedures;
  • assessing whether business and risk management units are operating according to the RAF;
  • providing feedback on how the firm's risk governance framework and RAF compare with industry guidance and better practices as a means of influencing their evolution;
  • providing input to risk assessments and feedback on internal controls during the design and implementation processes;
  • escalating issues and concerns identified in the course of audit work or through internal whistle-blowing, complaint or other processes and situations where appropriate remedial action is not being implemented in a timely manner;
  • being aware of industry trends and best practices; and
  • meeting, at least quarterly, with the supervisor.

Edited overview of 2012 surveys from Thomson Reuters and Ernst & Young

The E&Y survey found that 80 percent of respondents felt their IA function could be improved, with 70 percent believing that improvements were needed within 24 months. Only 19 percent felt that their IA function was very effective.

Both TR and E&Y reviews concluded that focusing on risks that matter was one way in which IA could improve and become more relevant. 

The E&Y survey reported that 75% of respondents felt that IA had a positive impact on their overall risk management activities. However, 61% of respondents said that IA mandates were not aligned to the business' own strategy and key expectations.

The TR survey established that IA time was occupied with lower-level activities.

If the results of the IIA and FSB documents are IA's destination, the evidence above suggests that we are moving towards it. There are some encouraging signs but equally some areas with work to do.

The survey results are a little dated and do cover more than financial services, but the underlying messages are still that more needs to be done to crystallise the effectiveness of IA.

The next Thomson Reuters State of Internal Audit Survey for 2013 is due to start capturing responses in the next few weeks. It will be interesting to see if progress has been made in achieving the standards set by the IIA and the FSB.

Michael Cowan is a regulatory intelligence analyst at Compliance Complete. He has 25 years' experience and is a qualified internal auditor (CMIA). He has worked in compliance roles at UK Asset Resolution, Cattles and the FSA; the views expressed are his own.

The full version of this article first appeared on the Compliance Complete site, which can be accessed from http://accelus.thomsonreuters.com/
