UK_Com_PW_A

This article was first published in the March 2016 UK edition of Accounting and Business magazine.

Internal audit (IA) is one of the most effective governance weapons at an organisation’s disposal. What a shame, then, that it still lurks in the shadows. Directors – especially non-executives – may at times feel they don’t know what is going on beneath them, that they don’t really understand the entity for which they carry so much responsibility. But an IA function that is well resourced and well directed can provide assurance if it is allowed to enter every part of the business and report on what is really going on. And while IA is often effective, it’s not terribly dynamic.

At the end of 2015, BDO published an analysis of audit committee reporting at UK quoted companies. The title, Gathering Storm – which is the title of Winston Churchill’s first book on the Second World War – referred to the regulatory changes gathering on the horizon. The report said audit committee reporting had improved, with three exceptions: reports were backward-looking; language was generic; and the material on the work and the effectiveness of the internal auditor was sketchy. 

IA has become an important line of defence for companies in an increasingly complex and competitive world. Audit committees should work closely with IA and, given that, BDO notes: ‘It was surprising to find that, although there has been some improvement in this area of disclosure, audit committee reports continue to score low marks in their description of the focus of the IA function, its relationship with the audit committee and external auditors, and the testing of its effectiveness’. Indeed, one in 10 of the FTSE All Share don’t have an IA function. Those that do either don’t mention in the annual report what the IA does or make disclosures of the motherhood and apple pie type: ‘Our internal audit focuses on areas of high risk.’ Well done. 

BDO makes the point that without a more specific description of the most significant areas addressed in the year, it is difficult to form a judgment on the appropriateness of the IA function’s focus compared with the shareholders’ perception of parts of the business with the greatest risk. 

Another mystery is the interaction, if any, between internal and external audit. The survey could not find one company that even alluded to the fact that external audit plans had been discussed or co-ordinated with IA. Do internal and external audit not talk to each other? 

It is also unclear whether companies know how effective the IA function is. BDO says few audit committees declared whether or not they had completed an assessment, which is surprising given such a review is required under the corporate governance code. 

But maybe this shadowy existence is set to end. Last month, the Institute of Internal Auditors put forward proposals to update its standards to meet what it labels ‘evolving business challenges’. Open to consultation for three months, the proposals seek to align existing standards with core principles that were adopted in 2015, strengthen IA’s objectivity, and enhance quality assurance and communication. Communication is key to giving IA the profile that is required. 

When reporting to the board or senior management, IIA is proposing that the internal auditor include information about risk accepted by management that may be unacceptable to the organisation and report the conclusions of the audit, along with information that supports the opinion. The point is, all stakeholders need to rely on the work of IA: it is too important to be allowed to lurk any longer. 

Peter Williams is an accountant and journalist