The COVID-19 pandemic and a turbulent economy have affected how organizations are conducting business. From a remote working environment to ‘the great resignation’, changes to people, processes, and use of technology are affecting organizations’ risk universe and impacts to internal controls should be considered. The Audit Committee (AC) has a critical role to oversee risks to the organization, and the internal audit (IA) function can help provide insights to how those risks are managed. ACs should lean on the Chief Audit Executive (CAE) to provide understanding of risks to the Company and help answer questions such as: How do I gain comfort that the organization has considered all relevant risks? And how are we addressing those risks? Here are some ways ACs can support the CAE and improve the IA function’s success while supporting oversight.
- Align on expectations and set goals with your IA function. The role of IA has evolved from being just a ‘compliance function’ to acting as a catalyst for change and driving value within the organization. There should be mutual understanding between the CAE and the AC on the goals and expectations of the IA function. Everyone assesses value differently, so it is important to define what value means or looks like. This can be achieved by establishing measurable goals and KPIs that are reported on regularly. The IA plan should align with corporate strategy and initiatives, while considering risks to the organization and addressing key stakeholder needs. It is essential to have a plan that is flexible and responsive to change. Many organizations create a multi-year IA plan to align with corporate goals and strategy, which should be reviewed and approved by the AC at least annually.
- Build an open and trusting relationship with the IA function. The AC Chair plays a key role in supporting the CAE within the organization to be independent from management, while having a seat at the table at key management leadership meetings. At a minimum, the CAE should meet with the AC during all AC meetings. However, it is important that a regular cadence is established between the AC Chair and the CAE to promote candid, open, and timely communication without management present. Additionally, the AC should review the IA charter at least annually to validate agreement on the IA responsibilities and the scope of work outlined within the IA plan. The AC Chair should also support the CAE by holding management accountable for recommended actions from IA and by periodically attending IA team meetings to further show support and reinforce the importance of the IA function. Facilitating periodic conversations between the Board and the CAE allows transparent communication and mutual understanding, helping the IA function thrive and provide added value to the organization.
- Understand the risk assessment process. A company’s enterprise risk assessment is critical to identifying and managing risks to reduce harm to the organization and should be directly linked to overall strategy and the organization’s enterprise risk management (ERM) program. By understanding the process and how IA works with other groups to identify and assess risk, ACs can provide insight into the effectiveness of risk management and how the process can be improved.
- Equip IA with adequate resourcing and tools. Impactful IA functions include resources who understand the business and are competent to deliver thoughtful and valuable recommendations in response to audit findings. The ability of IA to bring value requires respect, trust, and support from key stakeholders in the business. With a remote working environment being embraced, finding and retaining talent can be challenging. It is important that the AC ensures there is adequate budget to compensate talented individuals and support continuing education, training, and certification pursuits. IA rotations with business personnel can be beneficial in bringing technical skillsets and relatable experience into the internal audit function, and vice versa in helping the business promote the value of the audit and reinforce a risk-based mindset across business operations. Additionally, the AC should understand how IA has adopted technology and data analytics into the execution of its work. Governance, Risk and Compliance (GRC) is a coordinated approach that aligns IT with business goals while managing risks, coordinating business activities, and meeting industry and government regulations. It includes tools and data analytics software that can help drive efficiencies and provide additional insights into the organization’s risks and objectives.
- Promote the IA function. The AC should promote the value that IA can bring and how it can help address business concerns over risk and operational efficiency by identifying areas for improvement – people, processes, policies and systems. This includes verifying that management allocates adequate funding to this function. In organizations where IA is narrowly seen just as a compliance function, the AC can educate management on how IA can add value and address stakeholder expectations. The CAE should also network with department and operational leads to understand their needs and determine how best IA can assist in the integrity of financial reporting and operational processes. When leadership and management reach out to the CAE and IA for assistance and guidance, it is a sign they consider IA a critical part of the business.
- Assess performance of the CAE and IA function. As part of the CAE’s quarterly report to the AC, defined performance metrics, feedback and evaluations should be communicated to help measure the effectiveness and performance of the IA department. KPIs and goals should be aligned between the CAE and the AC to measure IA progress throughout the year and help evaluate IA’s impact on the organization. “Customer surveys” by the issuer also provide qualitative and critical feedback to the IA department, identifying specific opportunities for improvement and communicating activities being performed well. Additionally, an external assessment by an independent third-party reviewer should be performed at least every five years, and an annual internal IA self-assessment should be performed, to comply with the International Standards for the Professional Practice of Internal Auditing. The AC should ensure that these assessments are performed, review them, and support actions for addressing any gaps and/or improvement opportunities for IA activities.
The aforementioned practices should be under periodic review in order to work toward continuous improvement of the organization’s IA function. By establishing these practices, the AC can support the organization’s access to the proper tools and resources to streamline processes. In doing so, it advances the ultimate goal of an efficient and effective internal audit quality structure and function that protects the integrity of operations and related financial reporting.
Written by Amy Rojik, Dawn Williford and Maegan Harmon. Copyright © 2023 BDO USA, LLP. All rights reserved. www.bdo.com