By Deepjee Singhal, Manish Pipalia, Chartered Accountants
Internal Audit
Introduction :
1.1 Corporate governance, as we all know, has been under a
strong and critical public spotlight currently and in recent years, because of a
succession of blows to capital market confidence, particularly in the United
States but also echoed in India and other countries. The stakeholders’
expectations of boards and senior management, and of those charged with
providing an independent review of a company’s operations and
financial statements, have increased. To meet those expectations,
governments and regulatory authorities around the globe have initiated concerted
efforts to improve standards of corporate behaviour and transparency through :
- stress on efficacy of internal controls both in the Sarbanes-Oxley Act in the
U.S.A. and clause 49 of the listing agreement in India.
- mandatory compliance with accounting standards to ensure adequacy and
uniformity in disclosure practices — this will further get strengthened with
the adoption of IFRS in India.
- emphasis on risk assessment and risk mitigating procedures.
1.2 Clause 49 of the Listing Agreement casts an obligation on
the ‘Audit Committee’ to :
- Ensure adequacy of internal controls.
- Review internal audit reports.
- Recommend appointment and remuneration of internal auditors.
- Ensure independence of internal auditors.
Clause 49 also requires CEO and CFO to certify the
effectiveness of the internal controls in the company.
1.3 With the emphasis on the above issues internal audit has
become an integral tool of corporate governance. An internal auditor today
reviews not only accounting procedures, but also reviews and reports on the
effectiveness of manufacturing and marketing function. Hence, internal audit in
the present context is a multi-disciplinary function.
1.4 This article offers our perspective on the role of
internal audit and its structure.
The role of Internal Audit :
2.1 Paragraph 3.1 of the Preface to the Standards on Internal
Audit, issued by the Council of the Institute of Chartered Accountants of India
in 2004, describes internal audit as follows :
“Internal audit is an independent management function,
which involves a continuous and critical appraisal of the functioning of an
entity with a view to suggest improvements thereto and add value to and
strengthen the overall governance mechanism of the entity, including the
entity’s strategic risk management and internal control system.”
2.2 The definition of internal audit approved by the Board of
Directors of the Institute of Internal Auditors is :
“Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”
2.3 The above definitions are highly contextual as a
distinction between internal audit and risk management needs to be drawn. As
we see it, the basic function of internal audit is an independent appraisal of
an organisation’s internal controls, including controls over financial reporting
and business processes having financial ramifications. It does not stop at only
pointing out weakness, but extends to making of recommendations on internal
control and process improvements that could be made to increase efficiency of
operations.
2.4 Risk management, on the other hand, is about
identifying and assessing inherent risks in the products and activities of an
organisation, and ensuring that appropriate risk management limits, control
mechanisms and mitigation strategies are in place to contain risk within the
organisation’s risk appetite and capital adequacy. A monitoring function
(similar to internal audit) is often involved to ensure that the risk control
framework is in place and operating as intended. Internal audit plays a
facilitative role in evaluating whether the controls are practical and
functional and whether they can be circumvented. The distinction is that ‘risk
management’ team has the continuous responsibility of understanding how actual
risks facing the organisation are changing. This requires continuous review by
the management.
2.5 The function of the internal auditor in risk
management is to review and report on the adequacy of the procedures and report
on adherence to the limits prescribed by the Board or senior management. Barring
of U.K. went down because limits prescribed by senior management in London were
not adhered to by a dealer in Singapore. Recently, the century-old France Union
General — a financial institution — failed because of speculative lending where
internal control limits were not adhered to.
2.6 The above view is in line with what is prescribed in Para
15 of the Internal Audit Standard 4 dealing with ‘Reporting’ amongst other
issues includes as a function of internal audit :
‘evaluating the overall entitywide risk management and
governance framework.’
2.7 This cooperation between the internal auditor and risk management team is also recognized in an alternative definition which is given in an HA Research Foundation publication of 1999 – Competency : Best Practices and Competent Practitioners.
“Internal auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts.”
This is a functional definition and in our view a direct appreciation of the current expectations from internal audit.
Structure and resources, independence and approach:
3.1 The starting point is evaluating whether the internal audit function is in-house or outsourced, and whether this arrangement is appropriate in given circumstances. The following crucial benchmarks need to be in place for internal audit team keeping in mind the standards and professional practice advisories and guidelines of The Institute of Internal Auditors.
i) Structure and resources:
The structure of the internal audit function is established and an assessment made about the key internal audit personnel, their roles and responsibilities, skillsand experience, irrespective ofwhether the internal audit function is ‘in-house’ or ‘outsourced.’
ii) Independence:
Firstly, the company board should ensure that independence of the internal audit function is maintained. The internal auditor should not report to CFO,but should report to CEO and the audit committee or the Board of Directors.
It needs to be mentioned that managements in India have been resisting the concept of internal auditor reporting directly to the CEO or the audit committee. However, we believe it is essential to have direct reporting to ensure independence. We also believe that reporting to the CEO or the audit committee should be after discussion and having obtained response of the management, because the CEOand/ or the audit committee would callfor the response of the management on any issue reported by the internal auditor. This mode of reporting also meets with the criteria of transparency.
Secondly, the internal auditor should not be directly involved in execution of risk management or operations. The internal audit function may provide valuable input to those responsible for risk management or operations, but should not have direct risk management responsibilities. In practice, some organisations (particularly small ones) may give internal audit initial responsibility for developing a risk management programme. Where this is the case, organisations should see that the responsibility for day-to-day risk management is an independent function. We reiterate that internal auditor should in no manner be involved in operations, though the internal auditor should understand operations.
Thirdly, significant issues raised by the internal auditor even if satisfactorily resolved need to be reported to the CEO and the audit committee.
Fourthly, where the internal audit function is outsourced there should not be any conflicts of interest – for example – internal auditor should not be involved in rendering other services. The Institute of Chartered Accountants of India have recently barred an internal auditor from being appointed even as a Tax auditor.
iii) Approach:
The approach taken by internal audit should be clear. It could be :
- risk-based – the focus is on the high-risk areas of the organisation;
or
- review-based – the focus is on review of various parts of the organisation, usually chosen both at random or in line with a predetermined internal audit plan;
or
- compliance-based – the focus is on compliance with policies and procedures.
It could however be a combination of all three. Normally, it would be a combination of at least two of the above.
The board and/ or the audit committee should approve the approach. However, there should be sufficient scope to change the emphasis where necessary on an ongoing basis in order to react quickly to issues that get identified and require internal audit involvement – for example – recent losses incurred by companies in foreign exchange derivatives. In short, the internal auditor has to be agile to respond to changing environment. He should always be vigilant.
i) Establishing the authority of internal audit:
The CEO must send out a clear message that internal audit function is necessary and not a compliance gimmick. The seriousness and the attitude of the CEO is the only means of establishing internal auditor’s authority.
Internal audit must be recognised as a core part of governance and not as some form of necessary burden or add-on. On the other hand, the internal auditor by the professionalism and quality of internal audit work should show boards, management, regulators and even those whose work he reviews and comment on that the function does add value. It should be understood that the message that internal audit sends will not carry weight unless it can be demonstrated that the message is founded on both technical and commercial competence – a balancing of technique and real world experience.
In other words the internal auditor has to establish that his function goes beyond compliance. To achieve this the team skill mix needs to be broad embracing accounting, compliance checking, industry specialist, IT skills and if possible to include a strategist – CAATs. This at times can be achieved by:
- where necessary, ‘in-sourcing’ or ‘out-sourcing’ (if not already done) by having specialist skills to supplement full-time audit resources;
- ensuring that internal audit technology keeps pace with developments in the business – for example – use of Balanced Score Card, Self Assessment, CAATs; and
- demonstrating professionalism and objectivity by standing strong amidst the management and others, when this is justified in the interests of other stakeholders.
ii) Conflict situation:
Regulators can cite many examples where weak corporate governance exists because of an overbearing CEO who has undermined the financial soundness of an organisation, whether through unfocussed expansion – that is – pursuit of growth for growth’s sake, or the dominant desire to always give ‘good news’ – show growth where there is none or cover up losses. The recent Satyam fiasco is a startling example of an overbearing CEO. Internal auditor should be alert to such and similar signs of weakness and raise these issues with the Audit Committee. This kind of approach, though at times goes beyond the normal call of duty, will add immense value. Let us not forget that virtually all analysts have come to the conclusion that the current financial crisis which has gripped the world economy is because of the desire of CEOs and the corporate managements to achieve one of the two or both the objectives. Somewhere in fulfilling these objectives both the internal control procedures and risk limits have been violated. We believe that though it may be a tough call, the internal auditor will have to bite the bullet. The newspapers report that in the case of Satyam, SEBI’s investigation is being extended to Satyam’s internal auditors – Business Standard 16 Jan. 2009.
3.2 To retain his independence and effectiveness the internal auditor should also be conscious of the fact that:
- no controls are absolutely perfect and will always require improvement.
- managements are always tempted to by-pass controls, sometimes in the interest of business and at times in self-interest.
Hence, he should be aware of what is happening in the entity and should also never lose sight of ‘professional skepticism’.
3.3 Ultimately, it is the board, which has to take ownership of problems and institute appropriate remedies. The issues is :
What should the internal auditor do where the organisation is facing major problems and the management continues to ignore or take remedial action?
There is no easy answer, since each situation is unique. Nonetheless, it is surely incumbent on the internal auditor to take the right professional action and not let the situation fester. In the end, the head of internal audit or the internal auditor might have to step down and part ways gracefully if the organisation’s culture does not allow internal audit to function appropriately and serious problems are not being addressed. This is the ultimate test of the professionalism and ethics. This is a hard decision. The fact is that after any failure the internal auditor is inevitably one of the sacrificial lambs on the altar of accountability. In these difficult situations, professional standards, support from the professional body and peers and where appropriate, support of the regulators can help to strengthen the position of the internal auditor. Internationally regulators have required external auditors to whistleblow to the regulator in extreme circumstances, while granting them protection in the form of qualified privilege. We may need to consider similar protection for internal auditor in our environment.
Concluding remarks :
The ever-increasing pressure on organisations to manage their affairs and risks prudently poses considerable challenges for corporate governance structures including internal audit, a key line of defence in these structures. Every challenge, however, is an opportunity. For ‘internal audit’ as a profession, the current business environment is both an opportunity and a challenge to cement our presence in corporate India to demonstrate our skills and resolve to play a contributory role. We have full support of the regulator and the audit committees. We perceive that in addition to an opportunity and challenge the ‘internal audit profession’ has an obligation to assist in making corporate governance transparent and effective. Let us therefore “look at the right things, whilst doing the right thing”.
