In the aftermath of prominent corporate scandals and the global financial crisis, corporate governance has received close attention from regulators and the public. Regulatory responses have focused on increasing governance requirements and disclosures and this has, in turn, driven increased awareness and demand for internal assurance within organisations. Internal audit is integral to corporate governance, and is well placed to provide this assurance. In a recent article, Dominic Soh and Nonna Martinov-Bennie used interviews with audit committee chairs and chief audit executives to investigate internal audit functions in the Australian context, and to consider how their effectiveness might be improved.
1. The scope of the internal audit function has expanded and refocused in recent years. Internal audit is increasingly involved in risk management rather than traditional “tick and flick” financial audits. There is also greater engagement in operational areas, and increased focus on performing a value-adding role, such as identifying how businesses can increase their efficiency and effectiveness. There is a clear expectation that in addition to its assurance role, this ‘value-added’ emphasis will continue.
2. The changing role of internal audit is largely due to regulatory reforms. Increased sensitivity to directors’ liabilities, particularly of those directors on the audit committee, has meant increased acceptance of the importance and value of the internal audit function as the ‘eyes and ears’ of the organisation. Some audit committee chairs described the assurance and comfort from internal audit as greater, and perhaps more valued, than from external audit.
3. The effectiveness of internal audit depends on its structure, resourcing and organisational status.
- There was a clear preference for an in-house function (or at least an internal chief audit executive), on the basis that intimate business knowledge contributes to an effective audit function and makes it better equipped to meet the audit committee’s assurance needs.
- Interviewees highlighted the importance of key competencies (audit, finance, operational, technological, and legal), but especially the capacity of the chief audit executive to ‘command the confidence and respect of the people out in the field so as to be able to gain access and cooperation’.
- Good relationships with, and support from, the audit committee and senior management were seen as critical to an effective internal audit function. For example, it is imperative that the audit committee supports and protects the status and visibility of the function e.g. by providing a platform for internal auditors to present their findings at audit committee meetings, ensuring the chief audit executive is present in operations meetings, and ensuring that management undertakes appropriate remedial action in response to audit recommendations.
4. Performance metrics have not evolved in line with internal audit’s role. Common measures of effectiveness related to the annual audit work plan and to measures of acceptance and adoption of audit recommendations. Since these measures were similar to prior surveys, it is clear that performance evaluation mechanisms have not evolved alongside the expansion and refocus of the internal audit function.
1. Internal audit cannot be evaluated in isolation. The quality and effectiveness of the internal audit function is largely dependent on other parties within the organisation, especially the audit committee and senior managers. Consequently, an ineffective internal audit function might indicate that there are broader issues in the organisation’s corporate governance.
2. Whether internal audit meets stakeholder expectations is unclear. The misalignment between the current and evolving role of internal audit and static performance measures makes it difficult to assess whether internal audit is meeting stakeholders’ expectations. Given that the internal audit function serves different stakeholders (who at times have divergent interests) within the organisation, more diverse metrics are required to measure whether internal audit is meeting the potentially different needs of stakeholders. For example, while audit committee chairs emphasised the value of assurance, chief audit executives emphasised ‘value added’ from the organisation’s perspective.
3. New performance metrics may be required. Given the increasing emphasis on the consulting and value adding role of the internal audit function, alternative metrics such as value tracking by cost savings or value creation may better measure the performance and effectiveness of the function. There is however a potential risk that such metrics would impair internal auditor’s independence and objectivity, with implications for the external auditor’s evaluation and reliance on the internal audit function.
4. The chief audit executive skills need careful assessment. The increasing involvement of internal auditors in consulting and operational areas requires staff with industry knowledge and experience. In addition to strength of character and an inquiring mind, the chief audit executive needs strong communication skills to build bridges with all business areas, and to confidently report to higher organisational levels. Developing these competencies is no mean feat, and would take considerable time. Organisations therefore need to consider how limited tenure or rotation of this role could work, if it is required or even tenable. These also have implications for what the career path of a chief audit executive would ultimately look like.