Guidance for Audit Committee Chairs on working with the Head of Internal Audit
The Head of Internal Audit is a rich vein of information for Audit Committee Chairs.
The Audit Committee is a key element in the governance structure of any company and operates under the delegated authority of the board. The responsibilities of the Audit Committee and its Chair are manifold, and increasingly burdensome, with the never-ending expansion of the rules and regulations governing all companies and industries (e.g. FRC - UK Corporate Governance Code July 2018), but the Head of Internal Audit (HIA) is a rich vein of information that can be mined to assist in the discharge of these obligations. The HIA is sometimes referred to as the Chief Audit Executive (CAE).
At a recent ACCA roundtable with a group of Chairs of Audit Committees to discuss ways to improve the performance of HIAs, the following comments stood out: “Internal Audit has an important role and any executives that do not make better use of it are missing a trick” and “NEDs do not have the resources and should consider Internal Audit their best friend”. This paper has been prepared with these comments in mind, focussing on the benefits that can be gained from leveraging the knowledge and experience of the HIA, but it is not intended to provide general guidance on the duties and responsibilities of the Chair of the Audit Committee or other non-executive directors (NEDs).
This guidance is also relevant for the Chair of Audit and Risk Committees and the Chair of Risk Committees.
Reporting lines and meetings
It is a requirement of the UK Financial Services Regulators (FCA and PRA) that the reporting line of the HIA is to the Chair of the Audit Committee and so a mutually beneficial relationship should develop. This requirement is not explicitly stated in other industries, although it should be considered by all as it would strengthen the governance of the company, the independence of internal audit and the relationship between the Chair of the Audit Committee and the HIA.
In all companies the Chair of the Audit Committee should be engaged in, and approve, the appointment of the HIA as this will underline the independence of the internal audit function. Where the HIA does not have a direct reporting line to the Chair of the Audit Committee a communication line should be established to enable prompt and open dialogue.
Meetings and conversations between the Chair of the Audit Committee and the HIA should not be limited to the Audit Committee timetable and there should be arrangements for open, but confidential, discussions to provide a conduit for the exchange of knowledge and information. This will be the opportunity for the Chair of the Audit Committee to ask about matters that may not be covered explicitly in internal audit work or reports, e.g. people, culture, indication of controls being bypassed, etc. As always, care needs to be taken to respect the confidentiality and not to disclose the source, should there be further discussions with the executive and management, as globally internal audit is striving to rid itself of the historic reputation of “bayoneting the wounded”. This will also be the opportunity to confirm that headcount, capability and reward of the internal audit staff remain appropriate.
Risk Register and the Internal Audit universe
As Chair of the Audit Committee you will be required to review and challenge (and perhaps approve) the company’s risk register. Internal Audit will have a risk-assessed “audit universe”, which, unless the company operates an enterprise-wide risk management system, will be constructed independently of the risk register. By comparing and contrasting these two documents, a more profound understanding of the inherent risks will be developed. The HIA will be able to provide insight on the risk register and explain any divergence between it and the audit universe.
Residual risk (i.e. when controls do not fully extinguish inherent risk) should remain within an organisation’s defined risk appetite and, as this has implications for internal audit output, this is an area that should be discussed with the HIA. This is particularly relevant if the business does not believe it necessary, or cost effective, to invest in controlling risks identified by internal audit and in these cases the Chair of the Audit Committee may wish to seek clarification from senior management.
Internal Audit plan
Discussions at the early stages of preparation of the plan are essential to make sure all matters that are of concern to the Chair of the Audit Committee are considered and captured, and guidance can be provided to the HIA on the hot topics that are on industry peers’ radars.
As the plan approaches finalisation further discussions should take place to make sure there is a good understanding of reviews that are not going to make the final cut and to confirm that there are no unjustified restrictions or limitations on the work for the period ahead.
Internal Audit as a barometer
Internal Audit should have unfettered access to all books, records, meetings and staff within the company and embraces reviews that span strategy, governance, finance and operations (if it does not then the Chair of the Audit Committee, with the HIA, should initiate action to address any gaps). Consequently Internal Audit, and the HIA, can provide the Chair of the Audit Committee (and other NEDs) with information that otherwise may not be readily available to them.
There have been cases where businesses have been sanctioned, or have failed, where the Board and the C-suite have set the tone at the top, but this has not cascaded below middle management and throughout the company. Companies will issue mission statements or policies on key matters (e.g. culture, treatment of clients, ethics, etc.), or perform staff surveys, but feedback (if there is feedback) on their correct interpretation and application, or the outcomes, may be edited before it reaches the NEDs and this is where the HIA will be able to help and join the dots.
HIA as a counsellor
An independent internal audit function has unique access to all aspects of the business, so consider having the HIA at your side in Board meetings, particularly if matters with risk and governance implications are to be discussed. The HIA can be a trusted advisor and assist you in navigating conflicting reports from executive management and other assurance functions (Risk, Compliance, etc.).
Protection for whistleblowers is essential and the Chair of the Audit Committee, or another NED, is frequently the main point of contact for such notifications; however, you may not have the resources to perform the resultant investigations.
It is probable that Internal Audit will be the best placed function to support you, due to their skills and knowledge of the business (although on rare occasions there may be restrictions due to the nature of the issue). The HIA should be involved as soon as possible so that the impact of this additional work on the delivery of the internal audit plan can be managed and minimised, and they will be able to provide insight and advice on the people or areas implicated. Internal audit resources can then be diverted or engaged, should in-house skills need to be upgraded for the investigation.
Internal Audit reports
The HIA will produce a report to each Audit Committee meeting, the template of which should be defined in collaboration with the Chairman of the Audit Committee. Invariably this report contains only summary and statistical information, but it is perfectly reasonable for the Chairman of the Audit Committee to ask for the full report of each review that internal audit completes as these will provide additional background on the company and its control environment, which otherwise may not be available.
The internal audit report to the meeting should be discussed privately between the HIA and the Chair of the Audit Committee before the meeting, so that any emphasis needed can be fully understood, particularly where outstanding audit points have not been addressed on time or if there have been any examples of misrepresentation. Also, this will be an opportunity to ask the HIA what questions should be asked of any person who may be attending the meeting. Furthermore, these discussions will help the Chair of the Audit Committee identify the well managed areas of the business so that these can be complimented.
Outsourced Internal Audit
All the matters noted above apply equally to an outsourced internal audit function; however, it is likely that the HIA (assuming that role is outsourced as well) will not have the intimate knowledge of the business and its management that an in-house person would have (to counter this there will be the potential for informal benchmarking of the business due to an increased knowledge of the risks, controls, processes, etc. in peer companies). Therefore, regular interaction outside the Audit Committee timetable remains critical to the effective functioning of the Committee and internal audit. The decision to continue to outsource Internal Audit should be reviewed and confirmed regularly by the Audit Committee.