Over the years I have observed a number of department managers, including departments which are part of finance directorates, react unfavourably when they discover that they are on the internal audit schedule – quite often they view this as an unnecessary distraction, or maybe it’s just a natural consequence of many people not liking the idea of facing a form of challenge. But should they react this way? In this short article I provide a short introduction to internal audit and explain why it should be embraced by department managers.

What is internal audit?

Internal audit is a discipline which, on behalf of management & the board, works to improve & add value to an organisation’s risk exposure, control systems and governance procedures. The official definition is along the lines of: internal audit is the independent assurance and consulting activity designed to add value and improve an organisation’s operations. Internal audit does this by deploying objective audit experts to bring a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. The aim of internal audit is to reduce risk and improve governance.

Those officers responsible for leading departments often do not like the idea of having a ‘non-service-expert’ provide suggestions of how they should improve their activities. But in reality, everybody can benefit from some independent advice. Many of us will have experienced those moments where a ‘non-expert’ has asked a simple question which has made us think about something we had not thought about before regarding our own areas of work. Many of us who have been recruited to manage large departments have also experienced inheriting systems & processes which we just continue maintaining because the day job often does not allow you to set aside sufficient time to review everything. And if it has been working well why rush to think about making changes?

Some activities when conducting internal audit

Once auditors establish the formal objectives of the internal audit engagement, they gather data, which they analyse & interpret; they evaluate the sufficiency of the evidence provided; and they document & report conclusions to key stakeholders. Gathering evidence normally includes interviews, review of policies and sample testing.

Types of control and management control techniques

The term ‘control’ is used to describe any action taken by management to manage risk and increase the likelihood of achieving established objectives & goals. The term ‘control environment’ is used to describe the attitude & actions of the board & management regarding the importance of control within the organisation, providing the necessary discipline & structure.

There are many different types of control available to department managers and auditors. Some of these are:

  • Management can build controls into computer systems – this is ‘application control’. Where the control concerns system access rights, it can also be called ‘technical control’;
  • Management can develop systems which detect undesirable events after they have occurred – this is ‘detective control’;
  • Management can develop organisation-wide policies which aim to establish culture & expectations across the organisation – these are ‘governance controls’;
  • Management can be proactive in areas such as training, guidelines and incentives – this is ‘directive control’.

There are many more types & forms of control. The key consideration for management is whether or not the controls in place are adequate to provide reasonable assurance that organisational risks are being managed effectively.

Communication to staff

I think it is ok to accept that, considering we’re speaking about large organisations which often employ thousands of members of staff, and considering human beings make mistakes, it is unlikely that 100% protection from the sorts of risks identified will be achieved.

There are likely to always be opportunities for fraud and it is important for organisations to have systems in place that at least can detect this even if it cannot be prevented.

Other human mistakes which can render controls ineffective can be reduced with effective communication to staff. It is important to communicate control objectives to employees; otherwise they may see controls as a waste of time. If they understand the objectives behind the controls, that increased awareness could mean that they not only identify ways to improve controls but also avoid acting in ways that produce the outcome the control was trying to prevent.

The role of the FD in internal audit

Finance directors should really assume ultimate responsibility for internal controls and the control environment affecting resources and financial management. We often speak about the role of the board, and the role of the chief audit executive, but the reality is that if the FD does not assume that active day-to-day responsibility the organisation is a lot weaker when it comes to risk management and effective business processes.

The FD should ensure that the rest of the executive team buy in to the importance of risks, controls and internal audit. The FD should ensure that the executive team are very active when it comes to establishing the proper environment across the organisation. The FD should promote, across the organisation, a more positive attitude towards business process improvement.


An organisation’s success will often depend on how well it manages its risks, so an evaluation of how this is happening will be key and is fundamental to the role of internal auditors – but it should also be of significant importance to all department managers!

Some definitions of terms commonly used in internal audit

‘Assurance services’ are where internal auditors undertake an objective examination of evidence for the purposes of providing an independent assessment of risk management, control, or governance processes.

The term ‘audit charter’ refers to a formal document outlining the purpose, authority & responsibility of the internal audit team.

The CAE (Chief Audit Executive) is the top position in the organisation responsible for internal audit activities.

Compliance is the conformity & adherence to policies, plans, procedures, laws, contracts and any other requirements.

Conflict of interest is any relationship that appears to not be in the best interests of the organisation and could prejudice an individual’s ability to perform his or her duties and responsibilities objectively.

Consulting comprises advisory client service activities, the nature and scope of which are agreed with the client, intended to add value without the auditor assuming responsibility.

The term ‘engagement’ is used to describe a specific internal audit assignment, task, or review activity.

Engagement objectives are broad statements that define the intended accomplishments.

Governance is the combination of processes & structures implemented by the board to inform, direct, manage, and monitor the activities of the organisation towards the achievement of objectives.

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives, measured in terms of impact & likelihood.