Appreciating the value of internal audit

0
The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity

Internal auditors play various roles to support the success of organizations. These include evaluating their organizations’ governance, risk management, and internal controls. That is to verify if the governance follows national rules and regulations, the industry’s laws and the company’s policies and directives. They also evaluate the extent to which risks to an organization’s objectives are managed to enhance the achievement of such objectives.

The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity designed to add value to and improve an organization’s operations. It continues by emphasizing that internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk managementcontrol and governance processes. Internal auditing achieves this by providing insight and recommendations based on analyses and assessments of data and business processes.

The efficiency of internal auditing helps develops the work of the organization by giving recommendations on weaknesses identified during audit assignments for senior management to take corrective actions. The appropriate and timely implementation of audit recommendations agreed by senior management is an important part of realizing the full value of an audit function. Non-implementation of internal audit recommendations can lead to high risk for an organization’s success.

The primary responsibility for implementing agreed audit recommendations generally lies with senior managers in the business area of the entity that was subject to the audit, with oversight support from audit committees. However, internal auditors have a key responsibility in ensuring that they provide clear, convincing, understandable and workable recommendations to ease their implementation by senior management.

This document focuses on the roles internal auditors, senior management and audit committees can play to ensure effective implementation of audit recommendations to appreciate the value of internal audit function in an organization.

Value of Internal Audit Function

Internal auditors review how programmes are being carried out and how activities are managed within an organization. This affords internal auditors excellent opportunities to make recommendations for senior management to improve their ongoing programmes, conserve resources, provide better customer service and, ultimately, achieve the organization’s set objectives.

Internal audit units add value to their organizations when they provide objective assurance that the organization is operating as management intends; insight for improving controls, processes, procedures, performance; and objective assessments of operations.

Assurance

Internal auditors provide assurance on the organization’s governance, risk management and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives. Internal auditing, as one of the four cornerstones of corporate governance (along with the governing body, executive management and external auditing), helps an organization focus on strong controls, accurate reporting, effective oversight, mitigation of risks, and protection of investments.

Insight

Internal auditors are the third line of defence for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on evidence-backed findings from analyses and assessments of data and business operations. As the third line of defence for improvement, they evaluate processes, report findings and recommend appropriate courses of action; and advise on key projects/initiatives. With in-depth knowledge and understanding of the business and its objectives, internal auditors assess the efficiency and effectiveness of operations and the protection of assets.

Objectivity

Internal auditors provide value to governing bodies and senior management as an independent source of objective advice. Grounded in professionalism and integrity through professional Standards and a Code of Ethics, Internal auditors help management and governing bodies achieve their objectives.

To ensure independence, section 83 (2) of the Public Financial Management Act, 2016, Act 921 states that the chief audit executive (head of internal audit unit) shall report administratively to the principal spending officer and functionally to the audit committee of that covered entity. Internal auditors maintain objectivity by not assuming any operational responsibilities.

Audit Recommendations

Audit recommendations identify risks to the successful delivery of outcomes that are consistent with policy and legislative requirements, and highlight actions aimed at addressing those risks and opportunities for improving entity operations. Entities are responsible for the implementation of audit recommendations to which they have agreed. The timely implementation of recommendations allows entities to realize the full benefit of audit activity.

Standards 2110 and 2410 of the International Standards for the Professional Practice of Internal Auditing require that internal audit activity must assess and make appropriate and applicable recommendations to improve the organization’s governance processes for:

  • Making strategic and operational decisions.
  • Overseeing risk management and control.
  • Promoting appropriate ethics and values within the organization.
  • Ensuring effective organizational performance management and accountability.
  • Communicating risk and control information to appropriate areas of the organization.
  • Coordinating the activities of – and communicating information among – the board, external and internal auditors, other assurance providers and management.

An effective audit recommendation provides suggestions for correcting problems. It also addresses the cause of issues. Writing an effective audit recommendation involves documenting the details about fixing the current situation and addressing the root cause to minimize or eliminate future occurrences.

Professional auditors conduct audits to improve operations, validate the reliability of financial reporting and ensure compliance with laws and regulations. They also evaluate control mechanisms and make recommendations on improving the auditing infrastructure.

It is worth noting that recommendations of the auditor – though apparently to enhance the effectiveness of controls – are not mandatory for executives in their decision-making. Internal auditors must therefore ensure that the recommendations they provide are evidence-based and convincing to win senior management commitment for implementation.

Roles of Internal Auditors, Senior Management and Audit Committees

Having considered the value of internal auditing and audit recommendations, it is important to outline some of the roles internal auditors, senior management, and audit committees are expected to individually and collectively play to ensure the successful implementation of audit recommendations.

Internal Auditors

Standard 2100 states that the internal audit activity must evaluate and contribute to improvement of the organization’s governance, risk management and control processes, using a systematic, disciplined and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive, and their evaluations offer new insights and consider future impact.

The value of the internal audit function is appreciated when recommendations made by internal auditors are effectively implemented. Important measures of an internal audit unit’s effectiveness are the type of issues it tackles and the changes/improvements it brings to the organization. In addition, one of an auditor’s basic objectives is to have his or her work make a difference or have a positive impact on achievement of the organization’s objectives.

For the internal audit function to win senior management support and achieve the desired results, work of the internal auditor must conform to the internal audit standards; results of the internal audit activity must be well-communicated; and there must be a robust follow-up system to track implementation of recommendations.

Conformance with the Standards

The recommendations made by internal auditors may not be of value to the organization when they are not of quality. For the desired quality to be achieved, internal auditors are to perform their functions in accordance with the internal auditing standards.

Compliance with the professional and internal auditing standards is a contributor to the value of recommendations made by the internal auditors. It is therefore important for internal auditors to put the Standards first in the performance of their functions.

As earlier stated, audit recommendations are not mandatory for senior management to implement. It is therefore imperative for the auditor to devise measures to provide action-oriented recommendations that are convincing, appropriate and applicable to win senior management commitment for implementation.

Effective communication of audit results

Standard 2420 provides that internal audit communications must be of quality. This means that internal audit communications must be:

  • Accurate: that is, free from errors and distortions, and must be faithful to the underlying facts.
  • Objective: that is, fair, impartial and unbiased, and must be the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
  • Clear: that is, easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
  • Concise: that is, to the point and avoids unnecessary elaboration, superfluous detail, redundancy and wordiness.
  • Constructive: that is, helpful to engagement of the client and the organization, and leads to improvements where needed.
  • Complete: that is, internal audit communications must lack nothing essential to the target audience, and include all significant and relevant information and observations to support recommendations and conclusions.
  • Timely: that is, internal audit communications must be opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.

Audit results communicated following the above standard are easily understood and acted on by senior management.

Robust Follow-up system

The chief audit executive should establish a follow-up process to ensure that recommendations are implemented effectively and timeously. The follow-up system should be effective and robust to pressure senior management into implementing audit recommendations. Follow-ups show the seriousness of internal auditors and how they value their recommendations. This can be a good way to achieve senior management commitment to the implementation of audit recommendations.

Section 83 (5) (e) of the Public Financial Management Act, 2016, Act 921, requires internal auditors to perform follow-ups on the agreed audit recommendations and required corrective actions. Internal auditors are therefore expected to robustly follow up on the recommendations that they have carefully provided until they have been adequately and successfully implemented.

For effective follow-ups to be achieved, the chief audit executive should agree with senior management on every assignment, and state in the audit report the timeline for which the audit recommendations are expected to be implemented.

Senior Management

Senior management have roles in an organization which include the setting of sound internal controls to ensure that objectives of the organization are being achieved; also, they have the duty of implementing recommendations that are made by the internal auditors.

Therefore, senior management is required to support effective functioning of the internal audit units in their setups. This can be done by providing the internal audit unit with needed resources, showing commitment to implementation of audit recommendations, and also designing a measure to follow up on audit recommendations and give feedback information to the chief audit executive.

Resourcing the Internal Audit Unit

Management support is needed for the value of internal audits to be fully realized and appreciated in the organization. Sufficient resources usually need to be allocated to the internal audit unit by senior management. They should ensure that the internal audit unit has the blend of skilled staff to carry out audit assignments.

Also, adequate logistics and financial support should be given to the internal audit unit to enable it perform its functions effectively. Adequate resources put the internal auditor in a position to conduct audit assignments thoroughly, and provide appropriate suggestions for correcting identified problems.

Commitment and follow-ups

Senior management and the workforce should know the importance of the internal audit function and its value to a business environment. They should understand that auditors are not employed to look for mistakes but are there to help senior management execute their duties more effectively.

Senior management shows its commitment to internal audit recommendations by demanding immediate actions from officers responsible for the implementation of audit recommendations. The responsible officers should be clearly established at the concluding stage of every audit assignment.

This should put the officers on their toes to make sure recommendations for which they are responsible are implemented on time, to be able to respond positively to senior management. Measures should be put in place to sanction officers who deliberately fail to implement audit recommendations for reasons of personal interest.

Senior management and internal auditors should therefore work together and continuously follow up on the status of audit recommendations given.

Feedback

Not every recommendation has to be implemented, but receiving feedback from stakeholders goes a long way in establishing a mutually beneficial relationship. Senior management/responsible officers should communicate to the chief audit executive challenges faced in the implementation of audit recommendations and the reasons for not implementing audit recommendations.

They should also communicate measures taken to avert any risk to achievement of the organization’s objectives which may result from their failure to implement the audit recommendations.

Audit Committees

The primary purpose of a company’s audit committee is to provide oversight of the financial reporting process, the audit process (both internal and external), the company’s system of internal controls, and compliance with laws and regulations. The IIA positions audit committees as sub-bodies of the board of directors/governing body. Overseeing internal audit is one of the major roles of audit committees.

While internal audit reports to management (preferably the CEO) on a day-to-day basis, audit committees have a responsibility for oversight and therefore need to determine appropriate communication channels and reporting arrangements with internal audit.

Audit committees are positioned to assist senior management appreciate the value of internal audit functions by advocating for needed resources for the internal audit unit, holding regular meetings to review the work of the internal audit unit, and pursuing the implementation of audit recommendations.

An advocate for resourcing the internal audit unit

Audit committees have the responsibility to review risk-based annual plans and budgets of internal audit units. In doing so, the committees ensure that the annual plans capture (for review) pertinent areas and activities which are core to achievement of the organization’s objectives. They also ensure that management is convinced to resource the internal audit unit to carry out activities set out in the annual plans.

Holding regular/scheduled meetings

Regular meetings afford the audit committees opportunity to assess the progress of implementing the audit recommendations, placing specific emphasis on major risk and control issues and implementation backlogs. It also helps the committees to have in-depth discussions on the causes of significant backlogs. Guidelines for effective functioning of audit committees (2017) require audit committees to meet at least twice a year. It also advises that one or more special meetings may be held to review the covered entity’s financial statements and other documents necessary for achievement of the entity’s objectives.

In addition, audit committees should meet formally with internal auditors to discuss the internal audit plan and results of the internal audit work. Audit committees are encouraged to hold executive sessions with the auditors, without management present, as often as deemed necessary.

Regular meetings afford the audit committees opportunity to assess the progress of implementing audit recommendations, placing specific emphasis on major risk and control issues and implementation backlogs. It also helps the committee to have in-depth discussions on the causes of significant backlogs to resolve any challenges identified.

They should also discuss with the chief audit executive those cases where – by not acting on internal audit recommendations – the chief audit executive believes senior management has exposed the organization to a level of residual risk that may not be acceptable to the committee.

Pursuing the implementation of audit recommendations

Section 88 (1) of the PFM Act outlines, among others, the functions of an audit committee to include ensuring that the head of a covered entity, to which the Audit Committee relates, pursues the implementation of any recommendation contained in an internal audit report. The IIA guidelines for audit committees provide that the audit committee should ensure internal audit reports are actionable, and audit recommendations are implemented by management satisfactorily.

Audit committees must consider significant individual audit findings or recommendations, though it need not be concerned with more detailed findings unless the committees consider it valuable to do so. They should concentrate on gaining assurance that the organization’s risk management, control and governance arrangements are adequate and effective. For this purpose, the committees should ensure that there is an adequate system to monitor the implementation of agreed audit recommendations.

An implementation plan detailing the recommendation, the required action, priority, person responsible and timescale is a good method of fulfilling this objective. Also, they should continuously advise those charged with control (the board) of their ultimate responsibility for either ensuring that management takes prompt and effective action on those audit reports; or recognizing and accepting the risks of management, not acting.

Conclusion

Successful implementation of audit recommendations helps organizations to achieve their objectives. Internal auditors are motivated when they feel that their recommendations have contributed greatly to the achievement of objectives.

Internal auditors should therefore perform their functions in accordance with the standards. Senior management should support the internal audit function by resourcing the internal audit unit and showing commitment to the implementation of audit recommendations. Audit committees should meet regularly to review the internal audit function and also ensure senior management implements audit recommendations. These will help senior management and other stakeholders to appreciate the value-addition role of internal auditors in their organizations.

The writers are Assistant Internal Auditors, University of Cape Coast

 

Leave a Reply