IRM ERM 6.5 Role of internal audit Flashcards
Internal audit role, reporting structure, independence
Internal auditors play a vital role in evaluating risk management, improving internal controls, and collaborating with operational managers to strengthen risk management activities.
Independence from operational management is a key characteristic of internal audit, with reports typically directed to the audit committee, comprising independent non-executive directors, to ensure unbiased reporting.
The head of internal audit usually reports directly to the chair of the audit committee, maintaining a separate reporting line from line executives like the CEO or COO.
The ultimate recipients of internal audit findings are the board of directors, who rely on these assurances to understand how risks are managed within the organization.
A central feature of risk assurance
A central feature of an effective risk assurance framework is the audit activity and of course the work of external auditors in providing particularly important risk information (and assurance) for directors.
Assurance mapping, along with techniques like statistical sampling and risk prioritization, helps internal audit teams provide robust assurance by coordinating and linking various sources of assurance to organizational risks.
Assurance mapping
Assurance mapping is defined by the ICAEW as “a structured means of identifying and mapping the main sources and types of assurance in an organisation across the four lines of defence and coordinating them to best effect.”
Three “three lines of defence / assurance” model /3LOD
Additionally, there’s consideration given to external auditors and regulators, forming a potential “fourth line,” focusing on governance and control structures.
The lines of defence are based on tasks rather than specific roles in the organizational structure, allowing individuals to fill both first- and second-line roles
In this model, business management primarily implements the risk management framework (RMF), with support and challenges from an independent risk function, and independent assurance on the RMF’s robustness is provided by internal audit.
Challenges in implementing the three lines of assurance model
Challenges in implementing the three lines of assurance model stem from the assumption of distinct lines, leading to silos and overlaps in risk management and internal control assurance.
Ambiguity arises as many organizations blur the lines between first and second lines, causing confusion in roles and responsibilities.
The focus on ‘defence’ has hindered opportunities for value creation.
In the financial sector, the three lines model falls short due to lack of independence and skills gaps, prompting a suggestion for a four lines of defence model.
The IIA’s 2020 update, ‘The IIA’s Three Lines Model,’ addresses these challenges by emphasizing collaborative value creation, adopting a principles-based approach, removing rigid distinctions between lines, clarifying roles, recognizing the role of risk management in achieving objectives, and shifting focus from ‘defence’ to creation and protection of value.
Notably, regulators and external auditors are not included as a distinct fourth line in the updated model.
External assurance
External assurance traditionally focused on verifying an organization’s financial viability but has expanded to include sustainability disclosures.
Similar to financial audits, external assurance on sustainability disclosures offers independent third-party review, enhancing confidence in an organization’s reporting.
Beyond ethics and corporate social responsibility, external assurance increasingly encompasses an organization’s impact on climate change and its environmental, social, and governance (ESG) aspects.
External audit & SOX, UKCGC
Internal audit, as the third line of assurance, independently assures the board of an organization’s risk management and internal controls effectiveness.
External auditors, mandated by relevant laws, verify this internal assurance through independent examination, ensuring financial statements’ accuracy and compliance with accounting standards.
Sarbanes-Oxley Act’s Section 404 requires external auditors to attest to the accuracy of management’s declaration on internal accounting controls’ effectiveness.
The UK Corporate Governance Code mandates audit committees to oversee the external audit process, including tendering, independence review, effectiveness assessment, and policy development on non-audit services engagement.
External auditor reports, primarily aimed at shareholders and external stakeholders, enhance an organization’s financial statement credibility, fostering shareholder confidence and transparency.
Control risk self-assessment (CRSA) or risk and control self-assessment (RCSA)
Control risk self-assessment (CRSA) or risk and control self-assessment (RCSA) allows local management to certify control effectiveness regularly, often through structured surveys or workshops.
Mature organizations may use key risk indicators to assess compliance with specific risks and controls, allowing real-time identification of areas needing focused management attention.
Internal risk assurance sources
Internal risk assurance sources include
culture measurement,
audit and unit reports,
unit performance, and
documentation.
The audit committee
The audit committee, is led by a NED, but not the chair of the organisation, and is a committee of the board / a sub-committee of the board.
The audit committee is tasked with overseeing compliance and has a broader scope beyond just compliance.
Its duties, outlined by the Corporate Governance Institute, encompass oversight of the organization as a whole, including financial reporting, narrative reporting,
internal controls,
risk management systems,
internal audit, and
external audit
Organization’s viability
The primary aim of implementing risk management and internal control systems, along with various forms of assurance, is to instill confidence in both internal and external stakeholders regarding the organization’s viability.
The term used to denote this viability, typically for the next 12 months, is “going concern,” mandated by accounting standards unless liquidation or cessation of trading is imminent.
Material uncertainties affecting an organization’s ability to continue as a going concern must be disclosed in annual or half-year financial reports, with materiality defined by its potential impact on informed decision-making or the bottom line.
Beyond the going concern basis, the UK Corporate Governance Code mandates a longer-term viability statement, assessing the organization’s ability to meet liabilities over a period significantly longer than 12 months, considering factors like business nature and development stage.
Double materiality
Double materiality extends the concept of materiality to include not only financial impacts but also the societal and environmental implications of organizational decisions, recognized by financial supervisors and policymakers like the European Commission.
The system of internal control should:
The system of internal control should:
Be embedded in the operations of the company and form part of its culture.
Be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment.
Include procedures for reporting immediately, to appropriate levels of management, any significant control failings or weaknesses that are identified together with details of corrective action being undertaken.
Control environment, example of fraud
Taking the example of fraud by employees, the control environment may include the following data collection and guidance:
Data collection:
Pre-employment screening for references and criminal and personal background.
Periodic audit of finances and stock checks.
Guidance
A policy of legal prosecution against all employees found guilty of fraud (and publication of the prosecution).
Regular refresher tests for staff.
Accounting and asset protection measures to prevent fraudulent use, theft or damage. (Note that the audit data collection will also be an input to manage other risks, such as errors or misstatements).
Standard operational practice such as insisting staff take a two-week holiday per year.
Each action is carried out independently, but as long as the data collected is used and the guidance is implemented, they all work as a system towards the same aim of reducing employee fraud. If any of the data is not used or the guidance not followed, then the risk is not controlled effectively, or not controlled at all.
