Guidance for Heads of Internal Audit
Becoming a Head of Internal Audit represents a substantial step change.
If you want an easy life, or are looking to freewheel through your career, the role of Head of Internal Audit is not for you. While the move from a Senior Manager role to Head of Internal Audit would be considered natural progression from a career perspective, in reality it represents a substantial step change. Although you are not (and cannot be) a member of the executive management team, or board, the position should be considered at parity with those roles and your mind-set should be of operating at that level.
With the change of stakeholders comes a change in the skillset with a bias now to relationship management coupled with the need for strategic thinking. The role of Internal Audit is to support the Board by providing an independent commentary on the risks the business manages and how this is communicated and, more importantly, how it is received will depend on you. In a recent ACCA roundtable discussion with a group of Audit Committee Chairs, gravitas and credibility were flagged as essential companions and components in the attributes of a successful and respected Head of Internal Audit.
There is no magic wand that will provide you with gravitas and credibility and, to a great extent, they are accolades you will earn by demonstrating your qualities while operating at the highest level in your company. The following is not intended to be a comprehensive check-list, but points to consider, or self-assess against, as you grow in your role.
- Your spectrum of stakeholders has broadened and you need to make sure you identify and get to know all of them. It will now include the CEO, CFO, the Board, Non-executive Directors, the Chair of the Audit Committee, the head of the areas being audited, as well as the auditees, the external auditors and, depending on the industry, the regulators. If you are in Financial Services in the UK this is a regulated function, covered by the Senior Manager and Conduct Regime, and you will require approval prior to appointment to the post.
- Arrange regular meetings with your stakeholders outside the audit cycle, so that they are used to seeing you and talking with you other than in the context of an audit review.
- Using the audit universe (see below) identify all the business leaders and build a plan to meet each in as short a period of time as is practicable after taking up your appointment. Get to know them and what it is in their area that concerns them and consider whether this is reflected in the risk assessment. This is also an opportunity to ask them what they think of Internal Audit and the other assurance functions.
- Arrange regular private meetings with the Chair of the Audit Committee (via the Secretary to the Committee – another relationship to be developed) and make sure these happen. Provide the Chair with the colour that your black and white reports lack. It is unlikely that the reports include comments on the abilities of the management teams in the areas that have been reviewed, so if there is anything significant make sure the Chair knows (for example, someone who failed to cooperate, or competence – good and bad).
- Engage with industry peers - this may not be easy if they are not within a short walk, but work at it. Your external auditors are an excellent source for opening these doors, along with ACCA. You will get to know about industry hot topics and be able to consider these in your audit plans (or discard with reason) and discuss during your meetings with the Chair of the Audit Committee.
- Probably one of your first challenges will be getting to know your audit universe, and the more geographically diverse your company the more difficult this will be. However you need to be comfortable that it is complete and correctly prioritised. Look at the last review of the universe and the inputs, and in a dynamic company this will need to be continual to make sure that any new products, mergers, acquisitions, etc., are added and consequently receive timely consideration in the plan. You will need to be conversant with all elements of the universe as you will be expected to speak coherently with all stakeholders about it, so invest time getting to know it and consider whether it reconciles with the risk maps, risk registers, or other tools, used by the other assurance functions.
- The audit plan comes out of the audit universe and will be presented to the Audit Committee for approval at least annually, and the status to each meeting. Care should be taken not to be seeking approval for too many, if any, changes at each Audit Committee meeting as this may be perceived to be due to poor initial planning, or weakness if these changes emanate from business requests. A 12-month plan is the simplest, but if you have the resources a rolling plan can be more effective and should be presented on a 3 + 9, or 6 + 6, basis.
- If it is not already done, in liaison with your peers in the other assurance functions, develop an integrated plan, to provide a single view of who is doing what and when across the whole business, for presentation to the Audit Committee. Information should be provided that looks back, as well as forward, so that the Committee can be confident that all areas receive adequate coverage over a cycle without unnecessarily over-burdening any one area.
- Try to shake-up the plan to look at business units or processes from a different angle, although bear in mind the business ownership for the scope and report. Include in your universe/plan internal audits of the other assurance functions, along with governance of the business (and this will include the terms of reference and working of the Audit Committee).
- Look at your external inputs to the plans. Make sure that you are on the distribution list for reports (including ad hoc incident or loss reports) generated by the business and other control functions (Risk, Compliance, etc.). All of these are necessary for you to identify areas where controls are deteriorating, strengthening, or have been by-passed. Apart from planning purposes you want to be aware of these before discussion at the Audit Committee as it is likely that your views will be sought, and this could be particularly sensitive if the area in question has recently been reviewed by Internal Audit.
- The quality of your team and its output will determine whether you are seen as successful, so make sure all are trained and motivated; soft skills and report writing are as important as technical skills. Furthermore, you and your team need to develop and maintain industry and competitor knowledge, understand the impact of any new or proposed legislative or regulatory changes and how the economic cycle will affect the business.
- You should be prepared to comment at each Audit Committee on whether the department’s resources are adequate. Skills are as important as numbers and co-source for technical input to reviews is essential to provide a quality product and prevent false assurance.
- The technology used by your team should reflect industry best practice and facilitate standard working papers, reporting and transparent and timely audit follow-up.
- Succession planning for all key roles in the team, including your role, should be performed and kept up to date. Consider the exposure the team members have to the Chair of the Audit Committee, or how often they attend the Committee alongside you. If there has been a particularly topical piece of work, subject to approval by the Secretary and Chair, it may be apposite for the author to attend the meeting with you and answer any questions (and receive the praise in person).
Reporting, committees and boards
- Overall assessments should be included in internal audit reports as this enables the Audit Committee to compare areas across the business. However, if these assessments are being used as an input to management’s performance appraisals this could cause tension between Internal Audit and the business, and you may need to re-think and agree a way forward with the Audit Committee and Executive Management.
- The use of a self-assessment of risk form will help to build trust with the business. During the planning for any piece of work, using a template, ask the business for details of any emerging risks, and planned and completed action taken to mitigate. This should alleviate, or ameliorate, those situations where the business asserts that it already knew about a risk that Internal Audit is raising. Anything declared by the business prior to commencement should be assessed and the status compared to that declared and a comment included in the report.
- Prepare for meetings you attend. You will create a far better impression if you are not searching through documents and notes during the meeting and are able to look other attendees in the eye.
- Make sure your reports to the Audit Committee are in a consistent format meeting-to-meeting and year-on-year, and agree this with the Secretary and Chair. For example, the first heading could be reports issued since the last meeting in tabular format, showing the overall assessments and number of audit points in each category, followed by a brief resume. The second heading could be the status of work in progress and reports pending issue (perhaps highlighting where the business is not responding quickly enough). These should be followed by outstanding audit points with those past target dates highlighted; work planned up to the next meeting; the status of the audit plan (or assurance plan if an integrated document is available); proposed changes to the audit plan and reasons; and resources. Topics to be covered annually are: the proposed plan; a review of the previous year; commentary on the risk environment; confirmation of resources and budget; and the refresh of the Internal Audit Charter.
- Read through your reports prior to submission as if you were a member of the Audit Committee to anticipate the questions you will be asked. This will become easier the more Committee meetings you attend.
- At Audit Committee meetings (and other senior committees or boards) do not read your report aloud word for word. Unless there has been a delay in distribution, trust the members of the Committee to have read the documents. Invite questions and pick out the salient points from your report and the parts the Committee needs to know about, approve, or take action on, and that you want to ensure feature in the minutes – for example, changes to plan or budget; areas that are particularly poor at clearing audit issues, or not providing responses.
- Internal auditors should avoid being long-winded. If you are asked for your opinion on a matter then give it - do not be frightened to comment. Some may not agree with you but if it is your opinion then it is your view and will add to the debate. If you hear something you do not agree with - or know to be wrong - then challenge it.
- Take care not to be vague, or to give the impression that you are not sure of something. If you do not know the answer it is perfectly acceptable to say “I’m sorry I don’t have that information to hand, I will have to get back to you”, and then agree how and when you will do it and then make sure you do. This gives a far better impression than being evasive, creating confusion, or worse still, misleading your audience.
Rules and regulations
- You will be familiar with the standards and guidance published by the Chartered Association of Internal Auditors and you will need to be confident that your department follows these, or be able to explain why not. Supplementary standards are published for anyone working in internal audit in Financial Services in the UK and these are worth exploring even if you are not operating in that sector.
- Read and familiarise yourself with the last external quality assessment (EQA) that was performed on the department and be satisfied that any remedial actions have been completed and remain closed. If you are the new Head of Internal Audit and the last EQA is stale, with approval from the Chair of the Audit Committee, now may be the time to refresh it.
- Unless you are in a very small firm you will be covered by the UK Corporate Governance Code, published by the FRC in July 2018 and you should be conversant with this. Section 4 covers “Audit, Risk and Internal Control”, with Principle M relating to the “policies and procedures to ensure the independence and effectiveness of internal and external audit”.
- Each industry will have its own applicable laws and regulations and you should be familiar with these and remain up to date with current and proposed requirements. Again, an excellent, and independent, source of information will be your external auditors.