In the past week I participated in a Keynote Panel Discussion for the Annual Public Sector Internal Audit Conference in Canberra, run by the Institute of Internal Auditors.
The subject for the panel discussion was ‘Establishing Risk Tolerance – The Audit Committee Perspective’. During discussion I was asked what it is I seek from internal audit, in my capacity as an independent member on audit and risk management committees. I responded that there are many things, but three stand out in particular. I look to internal audit to:
- be the eyes and ears for the audit committee;
- be active in design of the annual audit program; and
- provide assurance that matters considered by the audit committee are brought to a satisfactory conclusion.
The eyes and ears for the Audit Committee
As an independent member of audit committees and external to the organisation it is not possible for me to see deeply into the way the organisation is working and what issues might be arising. Internal audit on the other hand is closely engaged in the working of the organisation. As either direct employees and/or as contracted providers of internal audit review services, members of internal audit have the opportunity to be across issues in a way that audit committee members and particularly external members cannot be. I gave the example that when I provide management consulting services within agencies I commonly find instances of poor record keeping or poor governance. Internal audit is well placed to identify these, or other areas of risk as part of its review activities and bring them to the audit committee’s attention.
Be active in the design of the Audit Program
There is scope for internal audit to be more active in identifying and recommending areas for inclusion in, or exclusion from, the annual audit program. This is partly because of the first point above, they are better placed to identify areas of control weakness. Internal audit also has more resources and capacity to monitor and identify matters arising out of external audit activities across the public sector. In relation to this second point I see a strong need for internal audit in individual agencies to network with their colleagues in other agencies to identify issues arising more widely that might have relevance to their agency. Internal audit functions that use external service providers should be really well placed to draw on the expertise and experience gained by the external provider from its audit activities across multiple agencies. Internal audit need to be the professional leaders in advising on what should be in, or out of the audit program.
I have often observed that systems for tracking audit recommendations and the subsequent actioning of recommendations are less robust than they should be. This is a significant risk exposure particularly if audit recommendations and management responses endorsed by the audit committee are not properly acquitted within the agreed timeframes. I look to internal audit to manage the tracking systems which will ensure the audit committee has sight of all accepted recommendations, until agreed actions have been completed. I also look to internal audit to ensure proper sign-off processes are followed to say that agreed actions have been completed. This is not to say, I expect internal audit to be the ones to confirm appropriate action has been taken, they will not always have the skills to assess this adequately. What I do look for is internal audit to ensure the accountable senior officer responsible for actioning a recommendation has signed it off appropriately.
One final aspect on the assurance process is, the importance of ensuring that when a management response to an audit recommendation has been accepted by the audit committee:
- the responsibility for ensuring completion is assigned to a particular senior officer; and
- an agreed deadline for action is established and monitored.
I will cover a couple of other areas from the Internal Audit Conference in Blog Posts in the near future.
(If you would like to receive notification of future blog posts please send an email, at the link on the contact page, with the word ‘Subscribe’ in the message field.)