Internal auditing functions are mandatory for all listed companies and for all regulated financial institutions. In fact, any organisation worth its salt should have an internal auditing function. They are vital as they provide independent assurance in the important areas of governance, risk, and controls. They are the fourth pillar of corporate governance, after the board, management, and external auditors.
In an effort to elevate the practice of internal auditing, the new Global Internal Audit Standards were released on January 9, 2024. These will become effective on January 9, 2025. The Standards guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function.
The Global Internal Audit Standards provide requirements and recommendations to guide the professional practice of internal auditing and provide a basis for evaluating performance.
The Standards begin with the Purpose of Internal Auditing, which articulates the value of internal auditing to stakeholders.
Simply put, the purpose of internal auditing is to enhance an organization's success by providing the board and management with objective assurance and advice.
Effective internal auditing For an effective audit function, the audit committee must drive the internal audit function, and not be driven by it. The audit committee should not be passive but active when it comes to setting out the audit plan and considering the findings. The committee must measure the performance of the internal audit function.
Internal audits are most effective when performed by qualified internal auditors in conformance with the Global Internal Audit Standards.
The internal audit function should be independently positioned with direct accountability to the board through an audit committee.
Internal auditors should be free from bias and undue influence and committed to making objective assessments. Here, even perceptions of bias or being unduly influenced can diminish the credibility of internal auditors.
Assurance and Advisory Services
Internal auditors provide two types of services. Firstly, through assurance services, they perform objective assessments to provide statements about conditions compared to established criteria. Such statements are intended to give stakeholders confidence about an organization's governance, risk management, and control processes. Examples of assurance services include financial, performance, compliance, and technology engagements.
Secondly, they provide advisory services. These services include advisory engagements and other advisory activities typically undertaken at the request of senior management, the board, or the management of an activity. The nature and scope of advisory services are subject to agreement with the party requesting the services. Examples of advisory engagements include internal auditors providing advice on the development and implementation of new policies and the design of processes and systems. Other advisory activities include internal auditors providing facilitation and training.
Governing the Internal Audit Function
While the chief audit executive has responsibilities to communicate effectively and provide the board with information, the board also has roles and responsibilities that are key to the internal audit function's ability to fulfil the purpose of internal auditing. The Standards outline the board's responsibilities to authorize the internal audit function, ensure its independent positioning, and oversee its performance. The standards indicate the responsibilities of the chief audit executive and the board, as well as those responsibilities that are accomplished jointly.
Authorised by the Board
At all times, there must be a realisation that the audit function is authorised by the board through the audit committee. The board should establish, approve, and support the authority, role, and responsibilities of the internal audit function. The authority, role, and responsibilities of the internal audit function are defined in the internal audit mandate. The mandate empowers the internal audit function to enhance the organisation's success by providing senior management and the board with objective assurance and advice. The internal audit function carries out the mandate by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes throughout the organization.
Board oversight of the internal audit function's effectiveness.
Board oversight is essential to ensuring the overall effectiveness of the internal audit function. Achieving this principle requires collaborative and interactive communication between the board and the chief audit executive, as well as the board's support in ensuring the internal audit function obtains sufficient resources to fulfil the internal audit mandate.
Additionally, the board receives assurance about the quality of the performance of the chief audit executive and the internal audit function through the quality assessment and improvement program, including the board's direct review of the results of the external quality assessment. Even internal auditors should be subject to audits.
There is a need for both internal auditors and board members (especially audit committee members), to become familiar with the new standards. This will elevate the performance and contributions of the fourth pillar of corporate governance—the internal audit function.
The Global Internal Audit Standards should be the standards to benchmark against and strive for.