Many audit committees are ratcheting up their expectations for the internal audit function. In fact, a recent ACI/NACD survey found that only 46 percent of audit committee members were very satisfied with the effectiveness of their company’s internal audit function.
With initial 404 compliance activities now completed, many companies and their audit committees are asking how internal audit can deliver long-term value to the business.
Increasingly, internal audit is being called on to support improvements in a number of strategic areas such as risk management; that is, managing risk across the enterprise, and developing a consolidated, “single view” of risk so that risks are identified, measured, and monitored uniformly throughout the organization and across departments. Internal audit is also often expected to be a leader in linking risk monitoring, compliance activities, continuing regulatory changes, and the C-level agenda. And even more may be expected.
As companies attempt to clarify and define the role of internal audit in the organization, we offer the following suggestions to audit committees.
- Ensure that internal audit remains focused on the most significant risks to the business. While this will require finding new ways for internal audit to deploy its risk and control-based skills to help the organization achieve its strategic objectives, internal audit must nonetheless continue to focus on its primary mission—assessment of internal controls. This includes not only evaluating whether controls are functioning around key risks, but that they are the right controls (automated vs. manual, preventative vs. detective). An important role for audit committees is to help ensure that internal audit remains focused on its primary mission, and that audit plans adequately address the most significant risks facing the company.
- Consider whether the internal auditor, CEO, CFO, and audit committee have a clear, shared vision of the role of internal audit in the organization. The competing demands—of the CEO, CFO, business unit leaders, risk and IT officers, and others—may, without proper planning, pose significant risks: internal audit may lose focus, the quality of its work may suffer, and its resource and skill-set requirements may be poorly defined. To minimize these risks, it is critical that there is a clear company-wide understanding of the role of internal audit.
- Make sure internal audit has the necessary skills. With its increased focus on value creation, internal audit will need to acquire new skills by training, hiring new talent, or sourcing from outside service providers. New skills that may be required include strategic operational knowledge (supply chain, shared services, outsourcing), cross-cultural training for global organizations, knowledge of emerging markets, risk management and evaluation, data analytics, fraud, and more.
In addition to making sure that internal audit is developing the skills it needs to carry out its evolving role and responsibilities, the audit committee should continue to monitor the adequacy of internal audit’s resources and skills devoted to the assessment of internal controls.
- Reinforce internal audit’s independence and accountability to the audit committee. As internal audit becomes more involved in helping the organization manage risk, improve processes, achieve other strategic objectives, and add value, there is a greater need for the audit committee to help ensure internal audit’s “objectivity.” Direct and open lines of communication between the audit committee and the chief audit executive become more important, and here the audit committee chair plays the key role.
Michael J. Nolan (left) is global partner in charge of internal audit services and Edward F. Smith is executive director of the Audit Committee Institute at KPMG.
