- Should the organisation perform an internal audit?
Emerging risk, new regulation and increasing corporate governance demands are continuously adding to the Board’s accountability. Independent, internal auditing can provide the insight – and oversight – a board needs to meet their governance responsibilities.
- What is the Board’s role and responsibility with regards to their Internal Audit?
The Board should approve the Internal Audit as well as appoint the Chief Audit Executive (CAE). There must be open communication, sufficient resources and clarity of expectations for the newly-appointed CAE’s mandate. A strategy must be agreed upon – and implemented – through that relationship built to ensure the Internal Audit’s function charter.
- What is the strategy and culture established by the Chief Audit Executive in their department?
Consulting with the CAE appointed to the Internal Audit is vital to developing the strong culture and strategy that is most valuable and appropriate to the organisation. A strategy made with foresight, insight and hindsight and a culture built on integrity, quality service, cost-effectiveness, risk focusing and ethical, accurate reporting.
- Is the Internal Audit being conducted independently and objectively?
The Board, CAE and external parties involved must be objective and independent of each other; from inside the team to co-sourced resources and all the other Internal Audit activities. This is crucial to completing the mandated Internal Audit function as effectively and efficiently as possible.
- What relationships exist between the Internal Audit functions and its stakeholders?
The Internal Audit needs to manage and satisfy multiple stakeholder relations that should be productive and mutually-beneficial. The (often) competing demands and expectations of the Board, Internal Audit committee and additional assurance functions, all need to be managed and met which takes planning and care.
- Who is the Internal Audit team reporting to?
An internal auditing team works, most optimally, when it functions independently and objectively of a board. However, reporting to the Board – or, a Board-appointed Internal Audit committee – is another important step for the approval of audit plans and budgets, CAE appointments and all other decisions, including the: people, processes, technology and structure of the function as well as interpreting the Audit findings.
- Is the relationship between the Board and the Chief Audit Executive optimal?
The value of an Internal Audit to the Board is directly related to the quality of their relationship with the CAE. A strong, working relationship can be fostered through training programmes, open-ended discussion and joint visits to business sites and operations – providing each other with insight and time.
The Organisational Resources and Design
- Are the Internal Audit functions agile and, continually, able to improve?
The Internal Audit functions of an organisation need to be capable of adapting to changing needs and as new information appears. The strategies of the Internal Audit should be agile; developing – or adding – staff and subject expertise as needed to evolve with the mandate.
- What characteristics and qualities should a good Chief Audit Executive possess?
A CAE must lead from the front; inspiring the same integrity, courage and drive in their team that the Board expects of them. The must have an executive presence, strong understanding of the business, effective communication and ability to manage expectations in order to achieve success.
- Are the Internal Audit functions utilising the latest capabilities and developments around the trade?
Internal audit functions are always developing, like the trends of audit-related services and technology. The Internal Audit group should utilise all new (and necessary) capabilities, such as data analytics expertise and cyber security knowledge.
- What are the top priorities for designing a good internal audit plan?
To design the best strategy for reaching a business’s objectives, the Internal Audit group must identify key risk areas. A risk-based, multi-year plan that offers risk assessment and coverage for current or emerging issues is needed to determine the best plan possible.
- How much should the Internal Audit rely on additional assurance services?
Different assurance groups, include: Health and Safety, Insurance, IT governance, Enterprise and Project Risk Management as well as others. Somewhat relying on these groups can help with efficiency, audit fatigue and risk management insights and best practices.
- Is the Internal Audit capable of anticipating – and adapting to – changing risks?
The Board needs to be confident in the ability of the Internal Audit to anticipate – and minimise – their potential risk associated with running a business and the impact on strategy, objectives, audit plans and resources. All stakeholders should be engaged with on all new developments.
- Is management being held accountable for the resolution of different Audit findings?
An internal audit is tasked with designing a programme that monitors, reports and analyses the Audit findings to turn them into actionable insights and solutions. The Board must determine if management is adequately mitigating current or emerging risk found in the Audit.
- Are issues of misconduct by management (or the Board) being appropriately dealt with by the Chief Audit Executive?
Whether notifying the Board of management misconduct, or identifying problems within the Board, itself; the CAE is responsible for coordinating any investigative activity required. Fraudulent actions are found by the CAE, leveraging information found and maintaining privilege, so as to root out the suspected activity.
The Marketing and Communication
- What should be expected of the Internal Audit’s quarterly reports?
The Internal Audit must provide all relevant information and materials in a clear and succinct manner, prioritising key strategies and risk areas. A report should include, appropriate: observations and findings, performance metrics, risk assessment, Audit plans, practice management protocols and quality assurance.
- What risk or control concerns should the Internal Audit be reporting to the Board?
The CAE and the Board establish criteria for risk exposure or control issues that are significant enough to warrant reporting. Using their judgment, they must determine what infractions are ‘Board-worthy’ concerns and which are not.
- Are the in-camera sessions being utilised effectively?
The CAE needs to decide what and how they communicate sensitive information during in-camera sessions. There may be topics missed in the prepared materials or matters of importance that must be highlighted.
Evaluating the Benefits of an Internal Audit
- How should the Board evaluate the Internal Audit function?
The Board must evaluate the performance of the Internal Audit functions to enhance the department’s potential. This should account for the perspectives of management, relevant business units as well as the CAE, themself. Recommended practices include: board-level metrics, management evaluations, internal audit self-assessment, external quality assessments and client surveys.
- Is the Internal Audit being held to industry-leading standards?
The Internal Audit’s department should be as responsive, to any internal and/or external changes, as the Board are. They should update or maintain all the skills, resources and learning required to inform and advise that organisation and its Board on an evolving basis.