Corporate governance, as we all know, has been under a strong
and critical public spotlight in recent years, in the wake of a succession of
blows to market confidence and integrity, particularly in the United States, but
echoed in India and other countries as well. The community’s expectations of
Boards and senior management, and of those charged with providing an independent
review of a company’s operations and financial accounts, have been raised. To
meet those expectations, governments and regulatory authorities around the globe
have mounted a concerted campaign to improve standards of corporate behavior and
transparency through international harmonisation of accounting standards,
strengthening the principles of corporate governance, lifting the bar on the
‘fitness and propriety’ of directors and managers and introducing improved
market disclosure standards.
In this demanding environment, the Boards and senior
management need quality advice from sources that can be trusted and that can
offer an objective viewpoint. Much of the focus of Sarbanes-Oxley in the United
States and Clause 49 in India has been on the external audit function. Equally,
however, there is a need to ensure that internal audit is organised, resourced
and empowered, so that it can provide competent, impartial and fearless advice.
This article offers a perspective on the role of internal
audit. It then sets out the expectations of internal audit held by regulators at
the national level and how internal audit needs to gear up to meet these
expectations.
My comments are offered in a constructive spirit to encourage
debate within the internal audit profession.
The role of internal audit:
What better starting point for my comments than the
definition of internal audit approved by the Board of Directors of the Institute
of Internal Auditors:
“Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”
I remind you of this definition because I want to draw a
distinction between internal audit and risk management. As we see it, the basic
function of internal audit is independent appraisal of an institution’s internal
controls, including controls over financial reporting. Of course, a by-product
of internal audit will be recommendations on internal control and process
improvements that could be made, an important role for internal audit in large
and complex institutions in particular.
Risk management, on the other hand, is about identifying and
assessing inherent risks in the products and activities of an institution, and
ensuring that appropriate risk management limits, control mechanisms and
mitigation strategies are in place to contain risk within the institution’s risk
appetite and capital support. The distinction is that risk management has the
important and continuous responsibility of understanding how actual risk facing
the institution is changing (day by day or month by month) and assessing if the
risk limits, controls or mitigations need updating.
Of course, institutions need to ensure cooperation
between internal audit and risk management and a clarification of roles, so that
unintended gaps do not emerge.
The expectations of Regulators:
The pivotal role of internal audit in the corporate
governance of institutions is enshrined in international standards for
regulators, though they are high-level in nature.
Taking banking as a case in point, the Core Principles for
Effective Banking Supervision, developed under the auspices of the Basel
Committee on Banking Supervision, specify the principle that banks should have
in place internal controls that are adequate for the nature and scale of the
business. These should include, inter alia, appropriate independent
internal or external audit and compliance functions to test adherence to these
controls as well as applicable laws and regulations.
In assessing adherence to this principle, the Basel
Committee’s ‘essential criteria’ for the internal audit function are that it :
The Basel Committee also issued a paper, Internal audit in banks and the supervisor’s relationship with auditors, in August 2001 to provide more detailed guidance to bank supervisors. The paper has wider applicability and I recommend it to those who are not familiar with it. It sets out 20 separate principles for the internal audit function, dealing with such issues as continuity, professional competence, the audit charter and relationships with the external auditor.
My Assessment on Independence of the Internal Audit Function:
Our starting point is determining whether the internal audit function is in-house or outsourced, and whether this arrangement is appropriate. The following crucial benchmarks need to be in place for internal audit teams.
(i) Independence:
The Board of the institution should ensure that the independence of the internal audit function is maintained. This independence may be compromised if the function is directly involved in risk management or operational processes. The internal audit function may provide valuable input to those responsible for risk management, but should not itself have direct risk management responsibilities. In practice, some institutions (particularly small ones) may give internal audit initial responsibility for developing a risk management programme. Where this is the case, institutions should see that responsibility for day-to-day risk management is transferred elsewhere in a timely manner. Where the internal audit function is outsourced there should not be any conflicts of interest – for example, internal audit should not be a source of referral business for the institution.
Some food for thought!
I would like to offer you my thoughts on some key issues:
(i) Establishing the authority of internal audit:
It must be recognised as a core part of governance and not as some form of necessary burden or add-on. Asserting the importance of authority is one thing, earning that authority is another. In the end, it is the professionalism and quality of internal audit work that will show Boards, senior management and regulators that the function does add value. Clearly, the message that internal audit wants to send will not carry weight if it cannot demonstrate that the message is founded on both technical and commercial competence – a balancing of technique and ‘real world’ skills and experience.
(ii) Transparency and independence:
The provision of independent assurance to the audit committee (or Board) is the central tenet of internal audit. The internal audit function should report directly to the audit committee of the Board, and not to management with operational responsibilities. A direct reporting line to the Board has now become international best practice.
In my view, having internal audit answer to management creates real concerns about the independence of the review function. Internal audit must be able to directly inform the audit committee (or the Board) about the adequacy or otherwise of internal controls, including those involving high-level management. Internal audit must know that the board is its master.
(iii) Audit Committees:
The effectiveness of internal audit comes down, ultimately, to the use that the audit committee and Board decide to make of it. These days, diligent and probing Board directors want a strong and active internal audit function to assist them. They rely on internal audit’s knowledge of the risks facing the institution and the control weaknesses, and its recommendations for improvement, to help them discharge their responsibilities.
(iv) Conflict situation:
Regulators can cite too many examples where weak corporate governance has undermined the financial soundness of an institution, whether through unfocussed global expansion, pursuit of growth for growth’s sake, a dominant chief executive officer or a ‘good news’ syndrome. Internal audit should be alert to such signs of weakness and raise them with the audit committee (or Board) as governance, controls or review concerns.
Concluding remarks:
The ever-increasing pressure on institutions to manage their affairs and risks prudently poses considerable challenges for corporate governance structures and for internal audit, a key line of defence in these structures. Every challenge, however, is an opportunity. For internal auditors as a profession, the current environment is an opportunity to cement your presence in corporate India where India is Rising and Shining.
The challenges and opportunities for internal audit in this risk-focussed environment can perhaps be simply summarised as ‘looking at the right things, not just doing things right’.