The role of internal auditors & the IIA review of Global Standards

The role of Internal Auditing – summary of the IoD’s submission to the Institute of Internal Auditors (IIA) Global Internal Audit Standards survey.  

By Governance Leadership Centre, IoD
30 Jun 2023

In April we highlighted the Institute of Internal Auditors (IIA) review of its core International Professional Practices Framework (IPPF) and accompanying International Standards for the Professional Practice of Internal Auditing (Standards).

The IIA is the global professional association and standard-setting body for internal auditors. Its proposed new Global Internal Audit Standards™ were open for public comment until 30 May 2023. While the period for commenting has closed, the attached link has details of the IIA’s next steps in developing the new Standards, which they are aiming to implement before the end of 2023.

As indicated in our April article, the IoD made a submission on the proposed new IIA Standards. We focussed on two areas:

  1. Domain I – The Purpose of Internal Auditing
  2. Domain III – Governing the Internal Audit Function

The essential elements of our submission were:

  • It was helpful for boards, management and internal auditors to be clear what internal auditing is intended to do and how it differs from external auditing
  • A common understanding of the role that boards, board audit/ risk/ finance committees, management and the internal audit function should play was useful
  • The proposed standard needs to be clear that it is only mandatory for internal auditors under the auspices of the global Institute of Internal Auditors and local members. It can only guide board practice.
  • A strong emphasis on ethics and professionalism for internal auditors matched similar obligations and duties for directors and boards.

The IoD submission on the proposed standards reflected views from IoD member directors. These were captured, in part, in a 2022 webcast with IoD Chartered Fellows Mary-Jane Daly and Jonathan Mason (see two clips that illustrate these perspectives).

1. Domain I – The purpose of internal auditing

We agreed with this proposed new Purpose statement that for the first time addresses how internal auditing helps any organisation serve the public interest. This articulation helps a wider audience to understand what internal audit is, and the outcomes it contributes to.

We noted that this new purpose statement aligns with the IoD’s governance best-practice guidance, notably in our description of what internal audit is and how boards should get the most out of internal audit.

Internal audit - Four Pillars section 3.5

  • Internal audit supports the board and management with objective assurance about internal controls and risk management, and helps underpin strong corporate governance.
  • It is a valuable resource for directors having to deal with multiple forms of risk.

Getting the most out of internal audit - Four Pillars section 3.5.2

Boards and audit committees can ask the following questions to get the most out of internal audit:

  • Is internal audit focused on the areas that matter most to the board?
  • Do we regularly review the work plan?
  • Are we proactively assessing future areas of risk?
  • Are we getting the right information from internal audit?
  • Are reports simple, succinct and significant?
  • Is management implementing change resulting from recommendations?
  • Is internal audit set up to work with management and provide impartial advice?
  • Are we getting insight beyond reporting?
  • Are reporting and accountability lines clear and do they support ongoing objectivity?
  • Does internal audit have the right skills and experience?
  • Are we resourcing and developing to ensure it is fit for current and future purpose?

Role of Internal Audit - Four Pillars section 4.9.4

  • “Internal audit supports the board to accomplish its purposes through an organised approach to evaluating the efficacy of internal controls, risk management and corporate governance”
  • “It is best practice for an internal audit function to report directly to the audit committee of the board to ensure independence”.
  • “It is important to have clear lines of communication between the audit committee chair and the internal audit function manager”.
  • “An audit committee often monitors management’s implementation of internal audit report recommendations”.

2. Domain III. Governing the internal audit function

  • Principle 6 - Authorised by the Board

We submitted that boards in all of their forms have a role in drawing on services provided by internal audit and, therefore, need to authorise the approach and mandate. We agreed that boards have the responsibility to approve the internal audit mandate, to define the internal audit function’s authority, role, and responsibilities, and to specify the scope and types of internal audit services. Management has a role in ensuring adequate and appropriate resources for this function.

  • Standard 6.1 Internal Audit Mandate

We agreed with the proposed requirement in the standard that the board must consider information provided by the chief audit executive (who might also be the chief risk officer or similar), to understand and support a mandate that establishes the basis for an effective internal audit function.

We also submitted, in agreement with this proposal, that it is important that the board should:

  • at least annually review the internal audit mandate;
  • consider changes affecting the organisation, such as the employment of a new chief audit executive, or;
  • changes in the type, severity, and interdependencies of risks to the organisation.

In relation to joint responsibilities, we supported the proposition that the board or the chair of the audit, risk or finance committee and the chief audit executive must discuss and agree upon the internal audit function’s mandate, and that the board approves this agreed mandate. We also supported the proposition that it would be good practice for the board/audit committee chair and chief audit executive to at least annually discuss the mandate and the charter to assess whether the authority, role, and responsibilities continue to enable the internal audit function to accomplish its objectives.

The chief audit executive must document any changes in a revised internal audit charter. We agreed to the proposals that the chief audit executive be responsible for documenting any changes in a revised audit charter, and that the board must approve changes to the mandate and the charter. We supported these proposals on the basis that they represent good governance practice and will reinforce the benefits outlined in the Domain I “Purpose Statement”.

  • Standard 6.2 Board Support

We submitted that the IoD agreed with the proposed Requirements & Board Responsibilities Standard, namely that the board should support the internal audit function, ensuring its recognition throughout the organisation. We agreed that:

  • The board must ensure the internal audit function has unrestricted access to the data, records, and other information as well as the personnel and physical properties necessary to fulfill the internal audit mandate.
  • The board must support the chief audit executive through regular, direct communications.

The board demonstrates its support by:

  • establishing and approving the internal audit mandate.
  • ensuring the chief audit executive reports to a level within the organisation that allows the internal audit function to fulfil the internal audit mandate.
  • approving the internal audit charter, internal audit plan, budget, and resource plan.
  • making appropriate inquiries of senior management and the chief audit executive to determine whether any restrictions on the internal audit function’s scope, access, authority, or resources limit the function’s ability to carry out its responsibilities effectively.
  • meeting as necessary with the chief audit executive in sessions without senior management present.

  • Principle 7 - Positioned Independently

We supported the concept of the independence of the internal audit function reporting to the board, while recognising that may create tensions within organisations. Internal auditors need to exercise care within the mandate from the board, in conjunction with the board and senior management, to ensure that the internal audit role is understood across the organisation and that the benefits for the organisation as a whole are clearly outlined and understood.

  • Principle 8 - Overseen by the Board

In the IoD’s submission, we stated that board oversight was essential to ensure the overall effectiveness of the internal audit function.

Achieving this principle requires collaborative and interactive communication between the board and the chief audit executive as well as the board’s support in ensuring the internal audit function obtains sufficient resources to fulfil the internal audit mandate.

Additionally, the board receives assurance about the quality of the performance of the chief audit executive and the internal audit function through the quality assessment and improvement program, including the board’s direct review of the results of the external quality assessment.

Finally, on this topic, we submitted that it is vital to be clear that the new proposed Standards apply only to the internal auditors (i.e. members of IIA) and not to boards. While boards will benefit from advice from internal auditors about how best to structure, oversee and use an internal audit function, ultimately this remains a governance decision. Internal auditors should not attempt to dictate terms to the board, based on the new Standards once they are finalised. In essence, this comes down to respecting the role of governance as outlined in these proposed standards, with the board supporting internal auditors to carry out their important role in organisations, and internal auditors supporting the board.

3. Domain II. Ethics and professionalism

In addition to the two main areas outlined above, we also submitted our support for the proposed new Domain II, Ethics and Professionalism. We noted that ethics and integrity are essential in all aspects of governance and this extends to those that support governance. These ethics and professionalism provisions are vital, and need to be seen in the context of the purpose of internal audit outlined earlier in the Standards. Boards should expect and need high levels of professionalism from internal auditors, who in turn support the board to accomplish its purposes.

For further discussion on internal audit please view these segments from a recent webcast hosted by IoD on the subject of internal audit. 

The link between internal and external audit

Advice on setting up internal audit in different business contexts