The interaction of the board audit committee (BAC) with internal audit was reviewed in detail as part of the APRA Inquiry. In the case of CBA, issues were identified through ‘Red audit reports’ in 2013, and then again in 2015, noting that the issues raised two years earlier ‘have not progressed due to a lack of ownership’. APRA focused on how the BAC and management responded and challenged management in relation to these ‘Red audit reports’.
According to Institute of Internal Auditors-Australia CEO Mr Peter Jones “internal audit can be a powerful weapon in an audit committee’s armoury if there is a strong relationship with non-executive directors (usually through the BAC) and senior management”.
He said generally, management will implement agreed actions coming out of the internal audit report. However, when that fails, the Head of Internal Audit should alert the BAC when management does not follow up or is taking an unacceptable risk.
The APRA Report recommended that the BAC needs to apply rigour and urgency in holding management to account in addressing and closing out audit issues. It further recommended that the BAC increase direct engagement with the business unit and support function owners of significant issues and hold them accountable for timely and effective closure of these issues.
“But for directors to make the best decisions they need to also ask the right questions”, he adds.
Key questions for directors
Mr Jones provides the following key questions for directors to better manage the relationship with internal auditors:
- What is internal audit’s role and mandate? Is this outlined in a charter?
- Is the function independent? Is the advice given unfettered and not filtered by management?
- Is there a clear rationale for what is included and not included in the internal audit plan, given its risk-based focus?
- Does the internal auditor follow and report against international standards when conducting their audits?
- Does internal audit provide an annual report showing the value added over the year, systemic issues identified, and trends to better position the organisation in the future?
How do you maintain independence in the internal audit function?
To be effective, the internal audit function, while being part of an organisation, must be independent of management and objective in their deliberations.
Mr Jones states “the internal auditor should be able to meet privately with the chair of the audit committee and relate their opinion on matters, and only administratively to the CEO”.
Currently, the ASX Corporate Governance Council Principle 7.3 states, “If a listed entity has an internal audit function, the head of that function ideally should have a direct reporting line to the board or to the board committee to bring the requisite degree of skill and independence and objectivity to the role.”
APRA Prudential Standard 510 at paragraph 88 states “an internal auditor must have a reporting line and unfettered access to the Board Audit Committee”, and at paragraph 91 “to fulfil its functions, the internal auditor must, at all times, have unfettered access to the institution’s business lines and support functions”. ASIC Information Sheet 221 states that internal audit should be independent from management, and “should report directly to the audit committee rather than management”.
“All standards and guidance material state there must be clear reporting lines, unfettered access to all business lines and information, and the internal audit function must be resourced properly.
“Regrettably, there have been many situations where senior management has pressured internal auditors to alter their reports”, Mr Jones adds.
Under the Corporations Act 2001, an external auditor cannot be obstructed in carrying out their duties, although the same protections do not extend to internal audit.
“Internal auditors investigate all aspects of a company’s operations over the whole year and are more likely to detect wrongdoing. Therefore, it’s important that they have the support of the audit committee to tackle the tough questions without hindrance from management or other stakeholders.”
At the same time, the onus is on internal auditors to speak and be heard, and as ASX Corporate Governance Chair Elizabeth Johnstone argued at an internal auditors conference last year, “internal auditors must be bold and brave” in their communications.
The internal audit function should be structured to provide effective assurance
The operation of the internal audit function is usually structured across ‘The Three Lines of Defence’ model. This model is used by many entities to define and control the risk management environment, and to provide assurance to the Board, BAC, CEO, senior executives and stakeholders about effective governance.
Internal audit independently evaluates and gives opinion on the adequacy and effectiveness of both the first line and second line of risk management approaches. It is a form of assurance independent of management.
Mr Jones notes the growing expansion of the internal audit remit, “Modern internal audit functions can play a far greater role, and provide assurance on new and emerging risks such as cyber security, culture and data analytics”.
As noted in Managing Culture – A Good practice guide issued in December 2017 “Internal audit has a unique position – it is based within the organisation, but is also independent and objective. Its knowledge of practices across the organisation (gained through ongoing audit reviews) means that it is well-placed to provide a perspective on practices across the organisation, and also to assess risk culture, based on the practices and behaviours they observe.”
For further information
- ‘Audit Committees: A Guide to Good Practice’ (AICD, AUASB, and IIA-Australia 2017), and the
- UK’s ‘Harnessing the power of internal audit – A good corporate governance guide for audit committees and directors’ (Chartered Institute of Internal Auditors (UK) 2019).
- ‘Managing Culture – A Good practice guide’ (Governance Institute, The Ethics Centre, Chartered Accountants ANZ, and IIA – Australia 2017)