The Role of Internal Auditing at Board Committee Level

by Sridhar Ramamoorti

Executive Summary

  • Boards of directors and their committees, despite receiving extremely summarized and condensed information, now have a well-established responsibility for managing the overall organizational risk.

  • The effective management of risk is a prerequisite for ensuring good corporate governance.

  • Because governance seems to be so intertwined with risk, one strategy might be to leverage the internal audit function to work with different board committees and provide risk-relevant information.

  • The independent audit committee fulfills a vital role in corporate governance. The audit committee can be a critical component in ensuring quality reporting and controls, as well as the proper identification and management of risk.

  • A summary of internal audit–audit committee interactions is provided through the perspective of 20 Questions Directors Should Ask of Internal Audit.

  • The internal audit function has long been serving as the “eyes and ears” as well as the “arms and legs” of the audit committee of the board.

  • Internal audit plays a critical role in keeping the audit committee abreast of the latest developments and goings-on of the company, and without such assistance, the audit committee cannot realistically fulfill its risk oversight responsibilities.

Introduction

In the aftermath of the Wall Street financial crisis, one of the major areas that has been identified as needing improvement is corporate governance. Boards of directors and their committees, despite receiving extremely summarized and condensed information, now have a well-established responsibility for managing the overall organizational risk (Kolb and Schwartz, 2010). A critically important element that was lacking before and during the financial crisis was relevant risk intelligence—most boards were caught off-guard and were truly surprised by the turn of events. Recent guidance from the Information Systems Audit and Control Association (ISACA, 2010) highlights the importance of risk monitoring by noting that “better monitoring means fewer surprises.”

The effective management of risk is a prerequisite for ensuring good corporate governance. Organizations exist to achieve their goals and objectives; however, because these goals and objectives have to be achieved in the context or environment of risk, they are not always assured (McNamee and Selim, 1998). Although the practice of risk management, on an enterprise-wide basis, is fundamentally the responsibility of executive management, the internal auditing function is typically charged with examining and reporting on risk exposures, as well as on the quality of the organization’s risk management efforts. The board has oversight responsibility with respect to management and, by extension, has responsibility for both effective risk management and governance.

It is evident that organizations worldwide need to strengthen their governance mechanisms. Nevertheless, placing the governance burden in its entirety on the board of directors is an unrealistic position to advocate, given the infrequency of board meetings and directors' limited knowledge of day-to-day business operations. Because governance seems to be so intertwined with risk, one strategy might be to leverage the internal audit function to work with different board committees and provide risk-relevant information. In this article we will focus on the internal audit function supporting the audit committee with respect to enterprise risk management.

Internal Audit–Audit Committee Interactions

Treating the internal audit function as one of the cornerstones of corporate governance, Swanson (2010) says that “internal auditing can provide strategic, operational and tactical value to an organization’s operations.” He proceeds to emphasize that audit committee members should not only empower the internal audit function by providing it with resources and encouraging it to take on a leadership role, but that they should also actively oversee its performance. To help formulate the right perspective and ensure that these interactions are ideal, he usefully refers to a publication by the Canadian Institute of Chartered Accountants, 20 Questions Directors Should Ask of Internal Audit (Fraser and Lindsay, 2008). It is worthwhile to excerpt these 20 questions across six categories, viz.

  1. Internal audit’s role and mandate

    1. Should we have an internal audit function?

    2. What should our internal audit function do?

    3. What should be the mandate of the internal audit function?

  2. Internal audit relationships

    1. What is the relationship between internal auditing and the audit committee?

    2. To whom does internal auditing report administratively?

  3. Internal audit resources

    1. How is the internal audit function staffed?

    2. How does internal auditing get and maintain the expertise it needs to conduct its assignments?

    3. Are the activities of internal auditing appropriately coordinated with those of the external auditors?

  4. Internal audit process

    1. How is the internal audit plan developed?

    2. What does the internal audit plan not cover?

    3. How are internal audit findings reported?

    4. How are corporate managers required to respond to internal audit findings and recommendations?

    5. What services does internal audit provide in connection with fraud?

    6. How do you assess the effectiveness of your internal audit function?

  5. Closing questions

    1. Does internal auditing have sufficient resources?

    2. Does the internal audit function get appropriate support from the CEO and senior management team?

    3. Are you satisfied that this organization has adequate internal controls over its major risks?

    4. Are there any other matters that you wish to bring to the audit committee’s attention?

    5. Are there other ways in which internal auditing and the audit committees could support each other?

  6. Audit committee overall assessment

    1. Are we (the audit committee) satisfied with our internal audit function?

(Item 5(c) above, the third of the closing questions, has been bolded to indicate that in a very significant way enterprise risk management does pertain to the audit committee, and this is the focus of the next section of this article.)

Further reading

Books:

  • Braiotta, Louis, Jr, R. Trent Gazzaway, Robert Colson, and Sridhar Ramamoorti. The Audit Committee Handbook. 5th ed. Hoboken, NJ: Wiley, 2010.
  • Information Systems Audit and Control Association (ISACA). Monitoring Internal Control Systems and IT: A Primer for Business Executives, Managers and Auditors on How to Embrace and Advance Best Practices. Rolling Meadows, IL: ISACA, 2010.
  • Institute of Internal Auditors (IIA). International Professional Practices Framework. Altamonte Springs, FL: IIA Research Foundation, 2011a.
  • Kolb, Robert W., and Donald Schwartz (eds). Corporate Boards: Managers of Risk, Sources of Risk. Chichester, UK: Wiley, 2010.
  • McNamee, David, and Georges M. Selim. Risk Management: Changing the Internal Auditor’s Paradigm. Altamonte Springs, FL: Institute of Internal Auditors Research Foundation, 1998.
  • National Association of Corporate Directors (NACD). Report of the NACD Blue Ribbon Commission on Audit Committees. Washington, DC: NACD, 2000.
  • Swanson, Dan. Swanson on Internal Auditing: Raising the Bar. Ely, UK: IT Governance Publishing, 2010.

Articles:

  • Bromark, Ray, and Ralph Hoffman. “An audit committee for dynamic times.” Directors and Boards 16:3 (Spring 1992). Online at: tinyurl.com/65txg4o
  • Orsini, Basil. “Auditing governance: The Canadian government offers an audit tool for addressing the risks in implementing management reform.” Internal Auditor (June 2004). Online at: tinyurl.com/6xaagbv

Reports:

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO). “Enterprise risk management—Integrated framework.” September 2004.
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO). “Guidance on monitoring internal control systems.” February 2009.
  • Fraser, John, and Hugh Lindsay. “20 questions directors should ask about internal audit.” 2nd ed. Canadian Institute of Chartered Accountants, 2008. Online at: www.theiia.org/download.cfm?file=2927 [PDF].

Standards:

  • IIA. “International standards for the professional practice of internal auditing (Standards).” Rev. ed. Altamonte Springs, FL: IIA, 2011b. Online at: tinyurl.com/42kad8u
