Internal Audit in the eyes of the Board

The ugly truth

October 17, 2016 | By Risktal Thought Leadership

“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

That is the Institute of Internal Auditors' (IIA) definition of the internal audit function.

In the following paragraphs, we explore how many organizations' boards perceive internal audit in comparison with this definition and how that perception affects the effectiveness of the function; we then discuss how to better position internal audit in an organization.


Is independence an illusion?

By definition, internal audit should be an independent function. It should therefore have the backing and support of the board of directors/owners and needs to be positioned lateral to executive management, reporting to the CEO administratively but not functionally.

When conducting our interviews with some board chairpersons and members, it was quite alarming to notice that even in listed companies that are subject to UAE regulators, the view was that internal audit should be a function managed by the CEO with no reporting lines to the board. Whether that misconception was due to ignorance of better governance practices or was intentional for other purposes, such practices, conducted by the body that is supposed to be responsible for managing organizational risks, are extremely alarming and jeopardize the interests of the shareholders.

An assurance and consulting activity!

Management is tasked with carrying out what the board sets and approves as policy; however, that does not guarantee that management has effectively complied with those policies. This is where internal audit comes in, as an independent assurance party.

The boards in our discussions seem to believe that internal audit is the tool to detect and investigate fraud, and that it should be management’s striking force when fraud is suspected, which is totally flawed.

Evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal audit is not responsible for risk management. It is the responsibility of management and ultimately the board.

Yet, to our surprise, management and boards attempt to allocate the task to internal audit, which is extremely alarming, especially in listed companies where it is a regulatory requirement to maintain solid risk management processes.

Way forward

Raising the board’s awareness and knowledge of proper governance practices is crucial to enhancing the transparency and the effectiveness of internal audit functions.

What can Risktal do to help you?

We can facilitate board awareness sessions and introduce board members to better governance practices, in addition to developing the governance framework for their organizations.
