The Internal Audit (IA) function, as the Third Line of Defence, has an important role to play in not only overseeing the risks and controls within the operations of an organization, but also effectively safeguard its Corporate Governance framework and meet the Board’s expectations.
The expectations of the Board and other stakeholders on the IA function have increased multi fold over the years. IA, as a function, is expected to be proactive, flexible, adaptive and capable of using analytical models to anticipate new risks and help organizations to build in business resilience. IA is looked upon as a trusted advisor and an agent of change in transforming businesses to overcome the challenges posed by the current pandemic situation and dynamic environment. Digitization and Automation are the need of the hour and the IA function should adapt to that quickly through use of new technologies, agile auditing approach and next generation audit techniques.
Some of the Board expectations could be around:
- The role of IA and how it will transform over the period.
- Nature and magnitude of risks that need to be addressed from Board’s perspective.
- How IA can help businesses to bounce back and align with Board’s strategy and expectations.
- Oversight of Board and Audit Committee on IA function under the current scenario.
Protiviti partnered with the Institute of Internal Auditors - India in organizing a series of webinars for the IA fraternity starting with “Expectations from IA– A Board Perspective” where a panel of eminent and experienced Board members from across industries shared their experiences and valuable insights on their expectations from IA including the challenges and changes internal auditors need to adopt in the current environment.
- There is a paradigm shift in the IA profession from hindsight to insight and finally towards foresight.
- IA professionals shall be required to have a laser sharp focus on risk horizon combined with business knowledge, soft skills with increased reliance on technology to add value from a foresight perspective.
- IA function will have to embrace technology and go digital in order to provide reasonable assurance to Management and the Board. With travel not being a feasible option, internal auditors should employ tools and technology to reinforce audit objectives and desired outcomes, remotely.
- Organizations will be compelled to digitize their records for functioning in order to cope up during the pandemic. IA function would be expected to partner with business functions to enable digitization.
- The need for reengineering business processes, in response to the disruption caused by the pandemic, has reinforced the concept of Three Lines of Defence (LoD) mechanism. While the risk ownership and monitoring of the new norms of the business will be the prime responsibility of the Management and the Chief Risk Officer,, the Internal Auditor will need to provide a continuous assurance on the effectiveness of the risk design to the Audit Committee and the Board.
IA function meeting the expectation of Audit Committee / Board – from the perspective of Independent Directors
The expectation from the IA function is about providing an independent assurance on the organizational effectiveness of risk management, governance and internal controls and processes. These expectations have gained higher proportions over the past decade.
The earlier perception of the IA function being a showstopper, by many people within the organization, decelerating the business and operations, has changed with time. IA has been successful in imparting a strong message that “Not only must it do the right things, but also to do it right the first time”.
For instance, in public sector banks, the whole focus has shifted towards looking at risk management as the core purpose of the board as well as management of the organization. This is also the basis on which strategic decisions are taken and IA is expected to play a key role here.
“How to solve the problem and not just to point out the problem” - Over a period of time, IA has provided value added services and insights on the operations and processes of the organisations, wherein any new processes introduced, require a concurrence by internal auditors to ensure its effectiveness. IA not only provides an objective and independent assurance but also provides critical insights to the Board.
Board’s perspective on Stature, Access and Independence of IA function to maximize its effectiveness and to discharge its responsibilities
Over a period of time, IA has received greater recognition under Companies Act and Listing Obligations and Disclosure Requirements by SEBI. However this may not be enough and a lot is desired. For e.g. Section 138 of Companies Act requires appointment of internal auditors, but states that the scope, function, approach and methodology shall be determined by Audit Committee. The realisation of the importance of IA and an objective orientation towards it is presently not visible enough across the Boards.
Internal Auditors need to raise themselves to a level where they are able to project their significance to the Board and the Organization. The stature has to be raised, law has to recognize and the Profession, itself, has to rise to the occasion.
Contrary to the belief and certain regulations, IA function should clearly communicate its role being way beyond the traditional financial accounting and safe guarding of assets. Internal auditors have a larger role with respect to risk, technology, data science, data security, business continuity etc.
Poll 1 – Ranking of the IA function in being truly independent and equipped to meet the expectations of the board (On a scale of 1 to 5 with 5 being highest).
Highlighting Management Perspectives may dilute the observations that the IA reports present to the Audit Committee
It starts with one word called “Trust”. Absence of trust will complicate relationships between the Internal Auditors, Management, Board and the Audit Committee. “We try to solve every problem of the world with Policy (Neeti) but the problem is with the Intent (Niyat)”, observed one of the panellist.
Rules and regulations cannot bind every intent and act, unless influenced by a strong cultural environment of an organization. The level of trust is built after the IA function demonstrates its contribution as a “partner in progress” rather than a “cog in the wheel”.
Organisations have progressively embarked upon various initiatives in improving their IA function, such as, recognizing its importance, involving the audit committee in goal setting process of the function for better oversight, independent meetings of auditors with audit committee members and defining three lines of defense with first layer being the business operations led by management and seeking timeline based inputs of IA to add value and share insights in refining the first line of defense.
The approach of IA has seen a change with respect to recommendations in case of a new business vis-à-vis a matured organization.
For optimizing the IA function and its continuous value creation capability, organizations need to focus on the following:
- Identification of best talent in IA and
- Empowering IA function with access to latest technology and tools and benchmarking
Focus of IA towards strategic risks and its competence to address them
The First line of defence are the Operations who are responsible for the sustenance and failure of risk management, governance and internal controls.
The Second line of defence is the business functions such as Risk Office, Information Technology, Human Resource teams, who are mandated with creating processes and activities to reinforce culture of governance, risk management and internal control.
The Third line of defence is the IA function entrusted with the responsibility of providing an independent assurance that the first and second lines of defences are operating effectively.
In large organizations, ownership of strategic risks are vested with Chief Risk Officer (CRO). In a dynamic environment, risks are being constantly analysed and monitored by the Risk Office and presented to the Board / Audit committee to identify areas of emerging risks. IA plays a supportive role in reviewing adequacy of controls.
Risk Management is considered a specialized task and ideally it should be left to the specialists. Role of IA function is to assess effectiveness of risk management by recommending improvement measures to strengthen risk framework and advice in risk monitoring.
The Audit Committee forms a view on the observations presented by internal auditors and in order to confirm, challenge and have a mitigation blueprint, the presence of management team is essential.
The Audit Committee may engage with internal auditors more frequently to gain insights on critical issues as sharing independent issues during formal audit committee meetings could be limiting in all cases.
Independence should be drawn from the premise that the law provides to internal auditors and also from the fact that the management reposes trust on them.
An Internal auditor is a partner in progress and a value creator. Simultaneously, an internal auditor is also expected to maintain its objectivity, independence and offer constructive criticism to the operational performance of the organization.
The work of IA is also relied upon by the Statutory Auditors having a link with external stakeholders. Lack of independence of IA function shall be a direct impediment on the role of statutory auditors.
Internal Audit’s role in advising Board on matters relating to governance culture (like tone at the top etc.)
Governance is a function of organisation’s leadership culture. Recommendations of internal auditors are extremely valuable if received positively by the Management or the Board. IA function has the capability and the vision to recommend the Management on structure of governance and act as a first hand advisor in maintaining the culture owing to its independence.
In certain large public sector organizations in India, the Head of IA function is equated with the senior most levels of management and this brings out the intent of such organisations to place the function at the highest levels of governance.
Poll 2 - Does organization’s IA mandate cover culture of governance? Does IA provide inputs to board on governance?
Internal Audit’s transformation in the Digital Age - Operating models of IA to embrace digitisation
It is an established fact that a Co-sourced model of IA is favoured by many organisations and is critical since the required mix of resources with the right knowledge and experience may not be available either internally or externally.
For organisations to tread towards digitisation (especially considering the current pandemic), it is essential to conduct a maturity assessment of the data. The internal auditors are also expected to actively consider digital transformation in auditing, for an enhanced assurance.
Adoption of technology is evident since past three to four years. This includes visual tools for data refinement and analytics. These technologies help the IA in determining accurate findings, root cause analysis with increased relevant recommendations to management. In the present world, there are a suite of tools available off-the-shelf relevant to IA function which the organisations may employ depending upon the requirement and horizon of implementation.
Poll 3 - Rate IA function’s maturity in terms of digital adoption?
Role of IA to assess risks, controls and processes in COVID-19 scenario
IA provides significant recommendations to number of Boards primarily focussing on Business Continuity. However, such recommendations are not primarily limited to emerging issues owing to extended business lockdowns. The current focus is on continuing business operations with safety and security.
Organizations are charting out strategies towards ‘sustenance’ from a ‘survival’ phase and IA continues to play a significant role throughout this journey.
The IA function is privy to the strength and weaknesses of the organisation. It is better placed, as an insider to the management, to recommend and guide, which can act as a pivot or fulcrums, that organisation may employ to pave out of the current pandemic.