By Tom McLeod – Chief Audit Executive, Owner at McLeod Governance
To honestly lay bare to the proprietors the true condition of the undertaking.
In the not well enough read Accounting Historians Journal in June 2001, Gary Spraakman, a Professor from York University in Toronto, perfectly defined internal audit and in doing so he – perhaps inadvertently – set the foundation stones of what constitutes good internal audit oversight.
Spraakman’s article sought to examine and challenge the history of internal audit. His research led him to a 1957 paper on railway auditing in the United Kingdom during the 19th century. More specifically this paper looked at the internal audit activities at the London and North Western Railway in the 1860s.
The London and North Western Railway was a British railway company that existed between 1846 and 1922. In the late 19th century the London and North Western Railway was the largest joint stock company – the modern equivalent being a corporation or a limited company – in the world. In a letter from the external auditors of the London and North Western Railway to its shareholders the external auditors noted:
That the main check, as between the Board and its numerous servants, devolves of course on the large establishment at Euston called the Audit Office, headed by a responsible Officer … The verification is therefore as between the Board and the Shareholders – its object being to ensure that the Books are kept upon correct principles, that the published accounts are in accordance therewith, and that they honestly lay bare to the proprietors the true condition of the undertaking.
To honestly lay bare. To the proprietors. The true condition of the undertaking. Auditors exist to live out the meaning of these words.
To honestly lay bare – this mandates that the auditor must provide their opinion without fear or favour; devoid of bias.
To the proprietors – the key relationship that an auditor has is with the organisation’s board for they are the proxies, at least in a large corporation, for the market participants that have invested in the organisation.
The true condition of the undertaking – the auditor needs to define the boundaries of their examination and assess the undertaking based on the evidence that they are able to examine.
Consequently when one is tasked with oversight over the internal audit function, a key responsibility is to determine whether, indeed, the function has honestly laid bare to the proprietors the true condition of the undertaking.
Before commencing assessing internal audit oversight it is necessary to determine firstly with whom does the responsibility lie. If the London and North Western Railway mandate holds true – as we believe that it does – then it should be the agents of the board that are tasked with the oversight responsibility.
In a well-structured organisation that board oversight responsibility is usually delegated to an audit committee. Equally it is important to consider what activities will be considered within the boundaries of the Board’s oversight. Unfortunately we have seen many instances where an audit function is being assessed against a definition of their work with which they do not agree.
So as to ensure consistency of expectations we have always found it wise to place reliance on the International Professional Practices Framework of the Institute of Internal Auditors (the IIA).The IIA was established in 1941 and is the internal audit profession’s global advocacy and key educator. The International Professional Practices Framework defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations”.
The Framework notes that, done well, internal audit “helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.
However internal audit is defined it needs to be, and be seen to be, an important element in the perpetual improvement of the organisation’s internal control environment. If the internal control environment is not improved by the existence and operation of the internal audit function one needs to ask whether – mandatory requirements aside – the resourcing of an independent assurance mechanism is worth it.
It is within that definitional and value context that that the IIA released an oversight checklist that is considered the base level of what constitutes adequate oversight of internal audit by an Audit Committee. Many of the observations regarding adequate oversight are common sense. Alas too often in organisations that view internal audit as an optional expense such common sense is lacking.
The best examples of internal audit oversight are those that find a way to review their current station against the IIA guidelines –“The audit committee engages in an open, transparent relationship with the chief audit executive (the CAE)”.
The relationship between the audit committee and the CAE is of critical importance. Operating well such a relationship will be mutually beneficial. There will be guidance sought and given in a fraternal and supportive way. It is an environment where there is mutual trust and respect for the roles that are played by each other.
When this relationship breaks down or is fractured what one tends to see is the audit committee placing conditional reliance on the work of the internal audit function. Equally the CAE may seek to withhold information from the audit committee or seek guidance from others not as suited to provide independent counsel.
An open and transparent relationship is demonstrated by regular formal and informal communication. The audit committee reviews and approves the internal audit charter annually and the internal audit charter provides the functional and organisational framework within which the internal audit function operates. This document sets out the scope and objectives, authority and accountability and role and responsibility of internal audit. In terms of objectives many charters adopt the IIA definition as the basis.
“What matters is not the discipline that they have studied at university but their ability to approach an audit with a dispassionate yet inquiring mind”
In reviewing internal audit charters we encourage organisations to benchmark their approach with other like or high profile organisations. We are partial to the internal audit charter of the Australian Securities Exchange (ASX) – the company tasked with the development of the Australia’s primary securities exchange and the facilitator since 2003 of key corporate governance principles upon which the activities of those listed on the exchange are measured.
The ASX uses the IIA definition of internal audit to define its principal objective. The ASX charter is prescriptive on the accountability and responsibility of its internal audit function by setting out expectations on reporting deliverables such as:
■ Regularly advising on progress against the internal audit plan and any significant matters impacting achievement of the annual work programme;
■ An annual fraud risk control assessment;
■ An annual assessment on the adequacy and effectiveness of the ASX’s processes for controlling its activities and managing risks;
■ Reporting on significant risk and control issues arising from the work of internal audit including potential improvements to processes and procedures;
■ Coordination with and provide oversight of other control and monitoring functions (eg risk management; compliance; security; legal and external audit).
In annually reviewing an internal audit charter the audit committee should ensure that the intent and execution of the charter remain consistent and relevant to the board’s expectations of internal audit’s strategy and objectives. Equally the audit committee should have in place a protocol as to who is empowered to approve an amendment to the internal audit charter. Best practice would dictate that it would be the audit committee itself and possibly the Chief Executive Officer.
As a result of discussions with the CAE, the audit committee has a clear understanding of the strengths and weaknesses of the organisation’s internal control and risk management systems. As we noted above, the internal audit function exists to ensure the perpetual improvement of the organisation’s internal control environment. Consistent with this therefore is that the CAE must properly and well articulate the true condition of the undertaking that it is reviewing.
If it fails to do so or deliberately seeks communicate in an ambiguous manner not only will the Audit Committee be devoid of proper knowledge of the current environment over which it seeks to govern but it will become lack the ability to properly supervise the management that should be addressing any control deficiency. The issue as to whether an internal audit function should articulate both the strengths and the weaknesses of the organisation has been debated strongly within the internal audit community.
Is it the role of internal audit to offer praise on the well operated processes and procedures of the area that it has sought to review? Or should internal audit only concern itself with where there are opportunities for improvement? This is a debate that each organisation needs to decide.
Irrespective of those deliberations, however, it is incumbent upon both the audit committee and the CAE that that the current state of the internal control and risk management systems are well articulated in a manner that is not dense on detail nor so high level that key messages are lost in translation. The internal audit activity is sufficiently resourced with competent, objective internal audit professionals to carry out the internal audit plan which has been reviewed and approved by the audit committee.
What Makes A Good Auditor
In determining whether the internal audit activity is sufficiently resourced with competent and objective professionals one needs to first define – and document – what it is that demonstrate competency and objectivity. It would be erroneous to think that an internal audit professional must be someone that has been born to the profession. Some of the best internal audit professionals that we have had the pleasure to work with are those that come from varied backgrounds such as psychology and, even, zoology.
What matters is not the discipline that they have studied at university but their ability to approach an audit with a dispassionate yet inquiring mind; to be able to articulate well yet not verbosely. Indeed to suggest that someone needs to have had advanced studies to be an internal audit professional is equally erroneous. It is that person’s ability to demonstrate the characteristics previously mentioned that is of greatest importance.
The second element here is that there needs to be an internal audit plan. That is the internal audit function needs to be methodical in the assessment of which areas that it considers – usually dictated by a risk rating – worthy of its attention.
A trap that immature internal audit functions sometimes falls into is that they consider that the internal audit plan – once approved – cannot be changed. An organisation is a living beast and so is an internal audit plan – when the organisation changes so should the internal audit plan.
A strong audit committee will acknowledge this and will facilitate regular reviews of the ongoing relevance of the internal audit plan.
The internal audit activity is empowered to be independent by its appropriate reporting relationships to executive management and the audit committee. The audit committee address with the CAE all issues related to internal audit independence and objectivity.
Without independence you do not have an effective internal audit function.
Internal audit must be, and must be seen to be, independent of the activities and processes that it appraises so as to ensure that it is capable of performing its duties in an objective manner and providing impartial advice to management and the Board.
The independence is best demonstrated by a director reporting line between the CAE and the audit committee in terms of functional audit matters. Many organisations additionally arrange that the CAE reports to a senior function for administrative purposes. Best practice is that, for administrative purposes, the CAE reports to the Chief Executive Officer.
Additionally the IIA considers it important that:
■ The internal audit activity is quality orientated and has in place a Quality Assurance and Improvement Program.
■ That Audit committee regularly communicates with the CAE about the performance and improvement of the CAE and the internal audit activity.
■ Internal audit reports are actionable, and audit recommendations and / or other improvements are satisfactorily implemented by management.
■ That Audit committee meets periodically with the CA without the presence of management.
Failing to properly oversight a function that seeks to honestly lay bare the true condition of the undertaking opens up those that seek to supervise and govern organisations that they are not doing all that they can to properly inform – and grow the wealth – of the proprietors.
What is it that you – as the proprietor or as a proxy for the proprietor – are doing to ensure that your internal audit function is worthy of its ancestral roots?
About The Author:
Tom McLeod is considered one of the world’s leading Chief Audit Executives having been the Global Head of Internal Audit for Rio Tinto, one of the world’s largest mining companies and Head of Internal Audit and Fraud at one of Asia’s largest telecommunication companies. He now operates a boutique internal audit, corporate governance and fraud prevention consultancy called McLeod Governance which advises globally with Boards, Audit Committees and Chief Audit Executives.