Explaining Internal Audit to the Board and Executives
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
The U.K. Treasury department has published a new Internal audit customer handbook (PDF) that is interesting reading for:
- Boards and others charged with oversight of internal audit.
- Executive customers of internal audit.
- Internal audit leaders.
Although designed for the UK government agency environment, most if not all of the principles presented are equally applicable to global for-profit and other organizations. (My thanks to David Griffiths for sharing the news.)
Here are excerpts of particular usefulness:
- Internal Auditing [is defined] as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
- The internal audit profession … is focused on evaluating the management of key risks to and the continuous improvement to the delivery of effective public services and is a key source of independent insight and assurance for [executives] … and boards.
- The work undertaken by internal audit culminates in the provision of “an annual internal audit opinion based on an objective assessment of the framework of governance, risk management and control” and the results of internal audit’s work should help improve management’s ability to achieve the organisation’s … objectives, by improving the effectiveness of risk management, control and governance.
- The [head of internal audit] must report functionally to the board.
- The internal audit service should be delivered in accordance with a risk-based internal audit plan. The plan should determine the priorities of the internal audit service, consistent with the organisation’s goals. It should therefore demonstrate the extent of its alignment with the organisation’s strategic and other key risk assessments and risk register and set out the engagements to be conducted and the planned timescales, and should differentiate between assurance, consulting and, if undertaken, any other non-audit work.
- Where the approach to risk management is relatively mature, internal audit should use the risks and controls identified as the basis (but not sole focus) for the detailed audit work undertaken. Where the approach to risk management is immature or there is deemed to be some degree of deficiency in the approach, then internal audit should seek to understand and identify the key risks and controls pertaining to the audit area as part of the audit planning and fieldwork.
- The audit work should comprise assessment and testing of key controls in place to manage the identified risks.
- Each internal audit engagement should culminate in a conclusion/opinion on the adequacy and effectiveness of the framework of risk management, control and governance.
The handbook also includes some challenging questions about the effectiveness of the internal audit function, which in themselves make interesting reading.
What I find useful in the publication is that:
- This is a mandate to move from traditional controls-focused internal auditing to risk-based internal auditing (see my explanation of modern risk-based auditing), and
- An annual overall opinion is required, and an opinion is also required on every assurance engagement.
I think this document should be required reading for boards and CAEs. What do you think?
Posted on Jul 31, 2013 by Norman Marks