
Internal Audit — Your Eyes and Ears

The board governance landscape continues to evolve around us, making the role of internal audit more important than ever. As a board director, whether the organization you serve is a large for-profit corporation or a local non-profit, internal audit’s insight and assurance are an indispensable resource to help you fulfill your role.

Essentially, internal audit serves as the board’s eyes and ears. It answers the key oversight question, “How do we know?” by providing an independent, objective assessment of the organization’s operations, risk management, and internal controls. When internal audit is working effectively, it’s not a ‘Gotcha’ exercise, nor is it about ticking boxes — it’s about collaborating with the board and management to drive progress.

In the face of changing regulatory requirements and emerging threats, a modern internal audit function adds value by identifying potential risks and preventing costly mistakes. Beyond that, it spurs continuous improvement in operational processes and procedures.

In this week’s blog, we’ll explore some basic questions about how internal audit helps the board navigate its governance role.

 

What is Internal Audit?

Internal auditing is an independent, objective assurance and advisory service designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve governance, risk management, and internal controls.

Don’t confuse internal audit with external audit. The main difference between the two is focus and scope. Internal auditors are employees who focus on addressing internal controls and evaluating risk management. External audit is a review of financial statements and operations by an independent third party, with the goal of providing an opinion on the accuracy and reliability of the financial statements.

Internal auditors are professionals who bring to their work an in-depth understanding of business systems and processes. They act as objective evaluators, providing assurance to the board and management on elements that are crucial for good governance, such as:

  • Effective risk management processes.
  • Adequate internal controls such as authorizations, approvals, access controls, and documentation.
  • Compliance with laws, regulations, and internal policies.
  • Reliable and accurate financial and operational information.
  • Effective governance processes.
  • Recommendations for improvements to operations.
  • Investigation into allegations of fraud or misconduct.
  • Implementation of previous audit recommendations.

In short, internal audit protects the organization’s assets, contributes to improved performance, helps management run operations efficiently, and assists the board in fulfilling its oversight responsibilities.

 

What Makes Internal Audit Effective?

Independence and objectivity are cornerstone principles for any effective internal audit function. It’s important for the board to ensure that internal audit is independent from management, with accountability to the board, typically through the audit committee.

Independence helps protect internal audit from undue influence, so it can be objective, unbiased, and free from conflicts of interest. Independence also builds trust and enhances credibility.

In addition to independence and objectivity, an effective internal audit function has characteristics such as:

  • Competence. Possessing the necessary skills, knowledge, and experience.
  • Integrity. Upholding the highest ethical standards and adhering to professional standards.
  • Proactive approach. Forward-thinking, anticipating emerging risks, and staying relevant.
  • Effective communication. Maintaining clear and transparent communication channels with the board and management.
  • Adequate resources. Having the budget, staff, and technology to perform its role effectively.
  • Risk-based approach. Focusing on areas of highest risk to the organization.
  • Clear charter. Having a clear charter and scope of work aligned with the organization's objectives and risk management strategy.
  • Collaboration. Working with external auditors and compliance officers to ensure the organization's needs are met without duplication of effort.

As a director, if you’re trying to satisfy yourself as to the effectiveness of internal audit, you could ask questions like these:

  • How is internal audit staffed and resourced?
  • What qualifications and experience do internal auditors have?
  • How are their independence and objectivity maintained?
  • How is their performance evaluated?
  • What professional development is available?
  • What additional support or resources could internal audit benefit from?

 

How Does Internal Audit Add Value?

Internal audit adds value to the organization by identifying areas for improvement and helping to ensure that risks are managed effectively. The value added by internal audit isn’t just theoretical. There are many real-life examples where internal audit added value to an organization. Here are just a few.

  • Identifying weaknesses in procurement led to a process redesign that resulted in significant cost savings.
  • Identifying a significant risk related to offshore outsourcing led to changes in policies and procedures.
  • Identifying weaknesses in inventory management led to a process redesign that resulted in improved accuracy and reduced costs.
  • Identifying weaknesses in cybersecurity controls led to improved practices that helped mitigate the risk of cyberattacks and protect the company's sensitive information.

On the other side of the coin, internal audit failures have contributed to several well-known corporate scandals. Factors contributing to these failures include:

  • An internal audit team that wasn’t sufficiently independent from management, so that senior executives exerted significant influence over the internal audit function, compromising its ability to operate objectively.
  • An internal audit team that didn’t have direct access to the board of directors or the audit committee, allowing management to manipulate financial statements without effective checks and balances.
  • A culture of intimidation, causing internal auditors to be reluctant to report issues due to fear of retaliation or dismissal.

 

How Does the Board Work with Internal Audit?

Board oversight of internal audit is typically delegated to the audit committee, which is responsible for ensuring that it operates effectively and provides the necessary level of assurance. The committee ensures that internal audit has the resources needed, or that budget is available to engage outside resources if needed.

Collaboration with the committee is critical for optimizing internal audit’s contribution to good governance. This collaboration involves timely communication, direct access without management intervention, and alignment with the board's priorities.

The audit committee:

  • Reviews and approves the annual audit plan to ensure it’s aligned with the board’s specific priorities and concerns and that it’s focused on the right risks.
  • Reviews audit findings, recommendations, and areas of concern, and may request additional information or follow-up audits.
  • Discusses risk management practices with internal audit, including the identification, assessment, and management of risks.
  • Reviews the effectiveness of the internal audit function, including staffing, resources, and performance.
  • Oversees collaboration with external auditors to ensure needs are being met without duplication of effort.

 

Committee members have the opportunity to set a positive tone around internal audit. Avoid pointing fingers and assigning blame. Instead, focus on audit recommendations with questions like these:

  • What would be the impact of implementing your recommendations?
  • Might there be unintended consequences?
  • Can you provide more context such as benchmarking or comparative data?
  • Are there any areas that should receive more attention or scrutiny in future audits?
  • Are there any regulatory implications of your recommendations?

Audit committee meetings should incorporate In Camera sessions with the head of internal audit without management present. This practice helps ensure uninhibited communication between the committee and internal audit, including a discussion of management’s responses to audit findings. A good working relationship is further enhanced by open communication between the committee chair and the head of internal audit between meetings.

Questions for the In Camera session might include:

  • Do you have any insights for us that you couldn’t share with management present?
  • Are there areas where you feel management isn’t adequately addressing your recommendations?
  • Are there areas where the audit committee could provide support or guidance to management in addressing the recommendations?

 

Who Needs Internal Audit?

Internal audit plays a crucial role across all sectors and types of organizations. Still, the heightened risks and regulatory requirements faced by certain industries make a robust internal audit function particularly critical. Regulators can be quite insistent about having an internal audit function that is independent from management.

  • Financial Services: Banks, insurance companies, and other financial institutions are heavily regulated and face significant risks related to fraud, compliance, and financial reporting.
  • Healthcare: Hospitals, clinics, and other healthcare providers must comply with stringent regulations related to patient care, data privacy, and billing practices.
  • Manufacturing: This industry faces risks related to supply chain management, product quality, and safety standards.
  • Technology: Tech companies must navigate rapidly changing regulations, cybersecurity threats, and intellectual property risks.
  • Energy and Utilities: Companies in this sector face significant regulatory scrutiny, environmental concerns, and operational risks.
  • Non-Profits: Non-profit organizations must ensure transparency and accountability in their operations to maintain donor trust and comply with regulatory requirements.

Many Savvy Director readers serve on boards of organizations that are too small or don't have the budget for their own internal audit function. If this blog has convinced you of the value that internal audit can bring, you might want to consider outsourcing internal audit services to an external provider. This can be more cost-effective than maintaining an in-house department, and it can also provide access to specialized expertise.

If selecting an external provider, look for someone with a proven track record in your industry and experience in auditing the functions and processes relevant to your organization. Research their reputation and check their credentials, certifications, and past client references. Make sure that they can be objective and unbiased in their work, and that they’re able to customize their audit plan to your needs.

External providers are also a good option to explore if you have an internal audit function but it lacks the specific knowledge or expertise to conduct a particular audit. This is often the case with audits of specialized, technical, and new functions.

If your board is wondering whether or not to go ahead and establish an internal audit function, here are some questions to consider:

  • What is the rationale for adding an internal audit function?
  • What are the expected benefits?
  • What regulatory requirements need to be addressed?
  • What are the expected costs and resources?
  • What are the potential downsides or risks? How would these be addressed?
  • What would be the scope and responsibilities?
  • How would independence and objectivity be maintained?
  • How would it interact with the board, the audit committee, and management?
  • What would be the reporting lines?

 

How is Internal Audit Changing?

The role of internal audit is continuously evolving. Some key trends shaping the future of internal audit include:

  • Focus on emerging risks such as cybersecurity, digital transformation, and climate change.
  • Leveraging data analytics tools and techniques to identify patterns and trends.
  • Adopting agile methodologies such as continuous auditing and real-time risk monitoring.
  • Using automation tools to streamline audit processes and reduce manual effort.
  • Collaborating with other assurance functions, such as compliance and risk management, to provide a more integrated view of the organization.
  • Focusing on sustainability risks and opportunities and assessing the organization's impact on society and the environment.

 

Your takeaways:

  • Think of internal audit as the board’s eyes and ears, providing an objective assessment of the organization’s operations, risk management, and internal controls.
  • It’s important for the board to ensure that internal audit is independent from management, with accountability to the board, typically through the audit committee.
  • The audit committee can set a positive tone by focusing on recommendations instead of assigning blame.
  • Internal audit plays an important role across all sectors, but it’s particularly critical in financial services, healthcare, manufacturing, technology, utilities, and non-profits.
  • If your organization doesn't have the budget for its own internal audit function, consider outsourcing internal audit services to an external provider.

 


Thank you.

Scott

Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online membership with practical tools for board directors who choose a growth mindset.

 
