To assist stakeholders in obtaining the best overview of an organisation’s health, internal audit is most suited to carrying out this vital function. More than just the financials, it can educate management on the significance of deficiencies in governance, risk management and internal control processes and the value of preventing or detecting and correcting such deficiencies before they erode organisational value.
The internal audit exists to help organisations create, preserve and sustain strategic value. However, this is not always clear to all the organisational stakeholders who should benefit from internal audit’s assurance and consulting services.
Internal auditors need to educate stakeholders about what a well-supported and effective internal audit function can do to help optimise operations; positively influence decision-making; prevent penalties from non-compliance with laws and regulations; grow market share; improve customer service delivery; enhance public relations; and even propose innovative solutions to sustain competitive advantage.
In this task, stakeholders across all levels within the organisation should be included. No single position or structure is too important or unimportant to either advance or hinder internal audit success.
As part of its governance responsibilities, the governing body is expected to steer and set strategic direction; approve policy and other strategy implementations; monitor performance; and report on the organisation’s performance. All these responsibilities require efficient and effective governance, risk management and internal control processes e.g. the governing body needs to be certain that the integrated annual reports, signed-off and published, contain credible and reliable information.
The chief audit executive can educate the governing body on the work performed by the internal audit function. This includes how to assess whether key strategic programmes are achieving pre-set objectives; well-performing projects have desired impact on targeted beneficiaries; operational and financial information reported by management is plausible and can be relied upon; and all stakeholders within the organisation have consistently upheld ethical standards set by the governing body.
Without full knowledge of what internal audit can do, most governing bodies wrongfully believe that the internal audit function exists to help the organisation obtain a positive external audit report and fail to leverage this function’s expertise on the organisation’s core business. This results in governing bodies giving more attention and financial resources to external auditors, while short-changing internal audit. This situation often leads to clean external audit reports but failure to meet operational, financial and strategic targets and goals.
Therefore, even if financial statements look good, the business activities on which financial reports are being prepared may actually be failing to live up to strategic expectations. Governing bodies must be educated more on these matters, so they can derive full benefits from the costs they incur on assurance and consulting.
The management team is mostly worried about achieving performance targets set out in the balanced scorecards for the areas they are responsible for, e.g. operations, human capital or finance. Promised incentives for good performance and fear of loss of employment may lead to executives and process owners being hostile to the internal audit function, instead of making it a vital part of the business processes.
This attitude depends on the extent to which management understands the function of internal audit. If they misconstrue internal auditors as corporate police officers, then they will try to hide as much information as possible or ensure that internal audit does not get sufficient resources or collaboration to discharge its mandate efficiently and effectively.
If internal audit can educate management on the significance of understanding deficiencies in governance, risk management and internal control processes, and the value of preventing or detecting and correcting such deficiencies before they erode organisational value, then management may react differently to an internal audit report with findings. Further, if internal audit educates management about how it can utilise its technical skills, through consulting services, to help process owners resolve critical process, risk and control problems, this may improve relations between the two parties.
Unfortunately, members who have extensive external audit background and little, if any, knowledge of internal auditing, dominate most audit committees. While almost all external auditors claim to know internal auditing, in reality, they have little understanding of the profession. For the chief audit executives, these are the people they present their reports to; who have to approve internal audit plans and budgets and, most importantly, who are tasked with protecting the independence of the internal audit function.
The challenge is that often these people want to see less coverage of core business processes in internal audit plans and more on reconciliations, ledgers and journals. If internal audit does not take the initiative to educate the audit committee that business is more than a balance sheet, then the chief audit executive must forget about realising the mission of internal auditing to ‘enhance and protect organisational value’.
Educating governing bodies that audit committees must have a balance of skills including internal audit and risk management experts, in addition to the accounting professionals, may resolve this problem.
In conclusion, chief audit executives must teach stakeholders that internal audit exists to ensure that the organisation delivers on its strategies, objectives, manages risk and capitalises on meaningful opportunities. This can be achieved through educational presentations in regular stakeholder meetings, leveraging social media and sharing thought leadership information to improve performance in specific processes, such as leading practices in supply chain processes.
Malefetsane Mohlakoana is the Associate Director of the Technical & Quality Assurance unit at SkX.