A brief guide to standards and responsibility
Responsibility for a sound system of internal controls rests with management.
The professionalism of internal audit has evolved significantly over recent years. Whilst there is a professional body for internal auditors known as the Institute of Internal Auditors (IIA), traditionally internal auditors have been recruited from many professional disciplines and for specific skills sets which will assist the business in which they work.
Others who choose to enter internal audit at the ground level of their careers may choose to study a wider programme, which enables them to work more freely across business operations, whilst also fundamentally providing the skills they need to be effective in their internal audit role.
As a consequence, many internal auditors are in fact members of other professional bodies such as the Association of Chartered Certified Accountants (ACCA). ACCA supports its members operating as internal auditors across the private, public and third sectors. In doing so it recognises the IIA’s International Professional Practice Framework (IPPF) and all guidance provided is complementary to those international standards established, rather than overriding them in any way.
The professional responsibilities of internal auditors are set out in the IIA’s IPPF and in certain sectors are supplemented by sector specific standards which are either stand alone or annotated versions of the IPPF. One such example in the UK is the Public Sector Internal Audit Standards (PSIAS).
Definition of internal audit
From IIA IPPF 2017: 'An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.'
The principles of independence and objectivity are equally important to both the role of the internal auditor and the more commonly understood role of the external auditor in their audit of an organisation’s financial statements.
As an internal auditor, you should have the freedom to fulfil your responsibilities as you see fit.
You must decide what subjects you audit and when, what issues you raise and what rating you give. However, in doing so you must recognise your reason for being - to assist the organisation achieve its objectives. Effective working relationships between the chief audit executive (CAE) - also commonly known as the head of internal audit - senior management and the board are crucial.
Directors and managers can influence you, but should not be able to overrule you, either directly or through indirect pressure.
The CAE should have direct, unrestricted access to the board and chief executive as and when required. Access to the board is typically via the audit committee which operates under delegated authority of the board within an organisation’s governance structure.
If the internal audit department’s independence is - or could be deemed to be - compromised, you should notify the audit committee so that it can either accept the risk or ask for it to be managed differently.
The same conclusions and opinion should be reached by any professional internal auditor reading the evidence on file. You should ensure that your objectivity is not compromised or could be challenged due to personal or business relationships.
If you believe that your objectivity is - or could be deemed to be - compromised, you should notify your manager and/or the CAE who can then decide upon the appropriate action which may include reallocation of audit assignments, increasing the oversight of an assignment or documenting and accepting the risk.
The internal audit team must collectively possess the knowledge, skills, and other competencies needed to fulfil its role effectively. Team members can demonstrate their proficiency by obtaining and maintaining their qualifications, such as that offered by ACCA.
The CAE must consider whether the team has sufficient skills and experience to perform any assignment. If there are any deficiencies identified, the CAE should consider how these are addressed including recruitment, training, out-sourcing and co-sourcing prior to acceptance.
Due professional care
As professionals, internal auditors must apply the care and skill expected of a reasonably prudent and competent individual in performing all aspects of their work. That is not to say that the work of the internal auditor is flawless, however we must be able to demonstrate suitable consideration of the risk environment, assessment of controls and evaluation.
Working within the principles of independence, objectivity and proficiency will assist the internal auditor in demonstrating due professional care.
Risk and internal control
There are many definitions of internal controls. For more details, visit either The Institute of Internal Audit (IIA) website or Committee of Sponsoring Organisations (COSO) website. he internal control environment is put in place to effectively manage risks associated with the achievement of corporate objectives.
Essentially controls are the safeguards and activities that ensure that good things happen (ie objectives are achieved) and bad things are avoided / reduced and/or their impact minimised (ie risks are managed).
Similarly, there are many definitions of risk. Risk is typically defined as something with a potentially negative outcome. Total risk is often expressed as the composite of its expected likelihood multiplied by the expected impact.
Risk appetite is the level of risk that an organisation is willing to accept. This may be set in terms of expected/unexpected losses, key risk indicators or limits. The purpose of the internal control environment is to manage risk to within risk appetite. Therefore internal audit should not be afraid to challenge instances of perceived overcontrol in a world where efficiency, effectiveness and economy are core to success.
Many elements of risk by their nature are subjective. To be effective internal auditors should establish a sound understanding of risk management principles and the specific risk management environment within their organisations.
Responsibility for a sound system of internal controls rests with management. Work performed by internal audit should not be relied upon to identify all weaknesses which exist or all improvements which may be made.
Acceptance and effective implementation of recommendations arising from the work of internal audit makes an important contribution to the maintenance of reliable systems of internal control, risk management and governance.
Internal audit will only be effective and help organisations to achieve their objectives through improvements to internal control, risk management and governance if the weaknesses identified and actions agreed with management are actually implemented.
IIA IPPF Standard 1000 – purpose, authority, and responsibility