Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation’s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations. In some jurisdictions and industries, internal audit is mandated.
Therefore, internal audit is an important function within any organisation. Managed well and aligned to strategic initiatives, internal audit can be one of the organisation’s most valuable assets. Managed poorly, it can be a waste of money, time and valuable resources.
Many boards and CEOs value an effective internal audit function, but we cannot always say that internal audit is valued by all stakeholders. Sometimes, the relationship between the CEO, management and internal audit can come under strain due to the competing priorities of each party.
Having worked closely with boards, audit committees, CEOs, senior managers and internal auditors and having collectively performed thousands of internal audits over 20 years, the internal audit team at InConsult looked at the role of the CEO in internal audit and identified a number of strategies to guide the CEO to get more value from internal audit.
The Sources of Audit Tension
Tensions that undermine a positive internal audit experience can come from internal audit, the CEO, management and the board, and can occur for many reasons.
Competing objectives and priorities
Management’s focus is primarily on achieving strategic goals and financial performance. Internal audit is also interested in the organisation achieving its goal. However, if management is so focussed on the outcome that they don’t pay proper regard to the process, skimp on compliance and don’t manage risks effectively, it can lead to conflicts, disagreements and tensions between the parties.
Lack of understanding
Management may not fully understand or appreciate the purpose, value and importance of the internal audit function. They may view it as a compliance-driven activity rather than recognising its role in providing independent assurance and valuable insights to improve organisational processes and controls.
Perception of criticism
Internal audit’s role is designed to assess and evaluate the effectiveness of controls, processes, and risk management practices of management. If management perceives these assessments as personal criticisms or threats to their authority, it can strain the relationship. When internal audit identifies control weaknesses or areas for improvement, it can be perceived by the CEO as a criticism of their leadership or decision-making. This can lead to defensiveness and strained relations between the CEO and internal audit.
Ineffective communication
Effective communication is essential for a strong relationship between internal audit, the board, CEO and management. If there are communication gaps, misunderstandings can occur, leading to mistrust and strained relations. Lack of clarity in explaining audit findings and recommendations can further exacerbate these issues.
Gaps in internal audit capabilities
Poor internal audit practices or an under-resourced internal audit team will compromise the quality of internal audit work. Limited staffing, budget, or access to necessary information can impact the quality and timeliness of audit work, leading to frustrations on both sides.
Lack of trust and independence
Internal audit must operate with a high degree of independence to provide unbiased assessments. Internal audit must have unfettered access to information. If management perceives internal audit as lacking independence or being influenced by external factors, it can erode trust and strain the relationship.
Resistance to audit recommendations
Internal audit often provides recommendations for improving controls, processes, and risk management. If management is not confident in internal audit’s capabilities, resists findings or fails to take recommendations seriously, it can create a perception that the internal audit function’s efforts are being disregarded or undervalued.
Strategies for the CEO to Establish Solid Foundations
Whilst internal audit is an independent function, the CEO is often in the driver’s seat for ensuring it is effective, with some oversight from the audit committee and/or board for larger organisations. An effective internal audit function is built on a solid foundation of key principles, practices, and structures. The CEO should work with the Chief Audit Executive and support laying these foundations.
Recruit a capable audit team
Internal auditors should possess the necessary knowledge, skills, and professional qualifications/certifications. The internal audit department should also follow the standards and ethical guidelines of the profession as set out by the Institute of Internal Auditors.
Ensure adequate resourcing
For internal audit to be effective, it needs to have the appropriate resources in terms of staffing, budget, and technology. The CEO should ensure that the internal audit department is adequately resourced and has the necessary tools and technology to do its job effectively.
Use a risk-based audit approach
Due to budget and time constraints, internal audit should take a risk-based approach to its work, focusing on areas where the organisation is most at risk and providing assurance that the internal controls are designed and operating effectively to mitigate these risks.
By engaging with key stakeholders, contextualising the organisational objectives and conducting a comprehensive risk assessment (or using risk information from the risk management department), the internal audit department can identify the areas of the company where the risk of loss or failure to achieve objectives is greatest. This helps the internal audit function to focus on the areas of the company that are most at risk and provides assurance that the company’s internal controls are designed and operating effectively to mitigate these risks.
Open communication between audit and management
Establish regular communication channels between internal audit and management to enhance understanding and address any concerns or misunderstandings promptly.
Clear audit plans and reports
The internal audit function should have plans and reports in place to communicate its intentions, approach, findings and recommendations to the CEO, the board of directors, and other stakeholders. Key plans and reports include:
- Strategic Audit Plan – outlines the internal audit activities and objectives for a three-year period. It serves as a roadmap for the internal audit function, guiding its efforts in evaluating and assessing the organisation’s operations, risks, controls, and governance processes over the specified timeframe.
- Audit Engagement Plan – outlines the specific details and objectives of an upcoming audit engagement. It is a roadmap for the internal audit team, providing a structured approach to conducting the audit and ensuring that all relevant areas are addressed.
- Audit Report – summarises the audit approach, methodology, findings, observations, and recommendations resulting from an internal audit engagement. The report is a communication tool between internal audit and management, providing valuable insights and recommendations for improving processes, controls, and risk management practices.
- Quarterly Audit Report – provides an update on the progress of audit engagements completed, highlights key issues, and tracks the progress of audit recommendations to completion/closure.
Be visible
It’s important that the CEO is visible, promotes internal audit and encourages management to take appropriate actions on the recommendations in a timely manner. This shows the importance placed on internal audit and helps to maintain the integrity of the internal control environment. Also, it’s important that the internal audit team is seen as approachable by any member of staff, which enhances their standing within the organisation and provides an avenue to identify issues at the coalface.
Continuous audit improvement
The internal audit function should be continuously looking for ways to improve its processes and procedures. The department should also monitor and evaluate the effectiveness of its work and the impact of its recommendations to continually improve the control environment. Every 5 years, the internal audit process should undergo an external independent review.
Strategies for Optimising Internal Audit
Having the foundations in place helps to ensure that the internal audit function is able to provide the assurance that the CEO and the board of directors need, but it may not relieve all the tension. The CEO and board can expect more from internal audit. They may expect internal audit to take a more proactive approach to identifying and assessing risks, rather than just being reactive to issues that have already occurred.
Monitoring and analysis of key performance indicators
The internal audit department can use monitoring and analysis of key performance indicators (KPIs) to identify potential issues and risks before they become major problems. This could include monitoring the company’s financial performance, compliance with laws and regulations, and the effectiveness of key processes and systems.
Data analytics
Internal audit can use data analytics tools to identify patterns or anomalies in data that may indicate a potential risk or control weakness. These tools can help internal audit to uncover issues that may be hidden and would not be identified through traditional audit methods.
Continuous control monitoring
The internal audit function can be proactive by continuously looking for ways to improve its processes and procedures. This could include ongoing monitoring of the control environment.
Predictive auditing
Predictive auditing is a new way of auditing that allows internal audit to make predictions about future events, scenarios, or risks, by identifying and analysing patterns or trends, and build in assessments and controls to prevent potential events from happening.
Stay current with industry/sector developments
Internal audit can also be proactive by staying current with industry developments and emerging risks, such as regulatory changes and technological advancements, so they can identify potential risks to the organisation and take appropriate actions.
Takeaways
By addressing these ‘tension’ factors and promoting a culture of cooperation and mutual respect, the relationship between the CEO, internal audit and management can be improved, leading to more effective risk management, a stronger control environment and governance practices within the organisation.
Taking a proactive approach, an internal audit department can help the company to identify and manage potential risks before they become major issues, and provide assurance that the company’s internal controls are effective in mitigating those risks.
How we can help
InConsult is committed to helping organisations better understand the benefits and value of internal audit.
We have supported small to large organisations to establish a cost-effective internal audit function and to refine and optimise internal audit practices.
We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.
If you would like to know more about our internal auditing services, contact us to discuss your needs.