By Francis Banalekaki Yiga
For any business or organisation, there will always be risks that could ultimately tarnish its reputation, dampen stakeholder confidence or, in the worst-case scenario, sink the organisation/business.
Top of any responsible entity’s agenda will therefore be managing this risk through the internal audit function. “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”, according to the Institute of Internal Auditors (IIA)’s International Professional Practices Framework (IPPF).
Therefore, in carrying out their work, internal auditors must focus on three areas – Risk Management, Risk Control and Governance.
Unfortunately, some audit functions tend to focus on controls and risk management and ignore governance.
Yet, for an audit to conform to auditing standards, it must give assurance on all three aspects.
Gauging the effectiveness of an internal audit function can be done using a number of yardsticks.
The auditing process must: demonstrate integrity (in words and actions); demonstrate competence and due professional care; be independent, objective and free from undue influence; align with the strategies, objectives, and risks of the organisation; be appropriately positioned and adequately resourced; demonstrate quality and continuous improvement; provide risk-based assurance; and promote organisational improvement.
This is a daunting task that essentially requires the auditor to be agile if they are to keep abreast of the issues taking place in the environment and ensure the board and other stakeholders are brought up to speed.
The role of auditors has in the past been misconceived.
Initially, the perception was that internal auditors had to be accountants.
Whereas it is true that accounting knowledge is central, accounting is not the default designation for internal auditors.
Recently, there was a directive for all Heads of Finance and Internal Audit to be Certified Public Accountants (CPAs) as per the law.
The enactors of the law did not consider that internal auditors may not necessarily be accountants. The IIA clearly spells out the parameters within which the role of the internal auditor falls.
Part of the auditor’s mandate is to ensure the organization’s governance has appropriate structures that facilitate accountability to stakeholders through integrity, leadership, and transparency.
The other role is ensuring the governing body puts appropriate structures and processes in place, for effective governance. The same structures must align organizational objectives and activities with the prioritized interests of stakeholders.
The auditing function also ensures the governing body delegates responsibility and provides resources to Management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met across the board.
In so doing, internal audit keeps governance effectiveness in check through the competent application of systematic and disciplined processes, expertise, and insight.
It reports its findings to Management and the governing body to promote and facilitate continuous improvement.
To successfully deliver on its function, internal audit must be independent from the responsibilities of Management. This allows for objectivity, authority, and credibility.
The auditor must have unfettered access to people, resources, and data needed to complete his/her work; and freedom from bias or interference in the planning and delivery of audit services.
However, this independence should not be construed as isolation. Internal auditors ought to have meaningful discussions with Management before subsequently reporting issues to the Board.
Since it is management that will ultimately have to fix these issues, if any, it’s only logical to notify them first. Regular interaction between internal audit and management helps ensure the work of the former is relevant and aligned with the strategic and operational needs of the organization.
Through all its activities, internal audit builds its knowledge and understanding of the organisation, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner.
One of the issues that has tainted the image of internal audit is wearing the two ‘hats’ – of a trusted advisor and an investigator.
The other issue is that of organisations’ audit ratings and the impact these ratings may have on the appraisal of the individuals being audited. For example, an audit client may be open to the issues being raised, but the contention often emerges at the time of final rating.
In cases where internal auditors are the investigators, it may be difficult, even after swapping the investigator ‘hat’ for that of a business partner, for his/her colleagues to appreciate that his/her actions are in their interest. Organisations may consider separating these roles where applicable.
If they are to deliver on their mandate, auditors must continuously apprise themselves of knowledge and information on the ever-changing risk landscape they are giving assurance on.
There’s a digital evolution happening the world over, which requires auditors to evolve as well. Unfortunately, hackers and fraud-schemers are riding this tide. The auditors cannot afford to take a back seat.
The silver lining is that there are various data analytics tools that internal auditors can utilise to extract real-time information based on the population, not samples.
After all is said and done, organisations should support their auditors in acquiring the necessary knowledge and skill and demand value in return.
The author is the Head of Audit, KCB Bank Uganda