You are here
Internal audit mindset should be part of corporate culture
THE requirements for internal audit were previously fully embedded in the Singapore Code of Corporate Governance. Companies listed on the Singapore Exchange (SGX) could either comply or explain why they did not need an internal audit function. The recent 2018 revisions to the Code do not affect the importance and requirements for internal audit.
More significantly, the SGX Listing Rules have now been amended in tandem with the Code's revisions to say that "an issuer must establish and maintain, on an ongoing basis, an effective internal audit function that is adequately resourced and independent of the activities it audits".
There is no ambiguity over "must establish" - there must be an internal audit function in every listed company. What is needed is clarity and guidance for issuers on what is meant by effective, adequately resourced and independent.
This commentary will discuss these three critical pillars of an internal audit function and provide practical advice for listed companies to have a truly great internal audit function.
Being effective means to be "successful in producing desired or intended results". An easy enough definition to understand, it would seem, until you add the rejoinder "for whom".
Internal audit is not an end in itself, and this is made clear by the Code - internal audit reports directly to the Audit Committee. To be effective, internal audit needs to be successful in producing results expected by the Audit Committee.
What should be within the expectations of the Audit Committee? This begins with the internal audit charter, which is the raison d'etre, the purpose of internal audit for the organisation. Although there are standard definitions of what is auditing, it is a different thing altogether for internal audit.
Through the internal audit charter and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, the Audit Committee needs to define the role of internal audit and its reporting line, scope of work and deliverables such as types of reports.
It should also decide if its role is to be focused either on assurance - as being a "policeman" and an advocate for internal controls, or on a wider role as an adviser and consultant to the organisation. All these determine how successful internal audit will be, and these measures will also determine the effectiveness of internal audit.
Defining the expectations for internal audit is not a trivial exercise, even where an internal audit function is outsourced. Although the Audit Committee is the primary stakeholder for internal audit, there will be secondary stakeholders such as management, regulators, suppliers and even the public who will have their expectations of what they want of the internal audit function.
To be adequately resourced, internal audit needs to have not only the required number of auditors, but also the right mix of skills within the team to fulfil the expected roles (as determined in the audit charter) and remain relevant with constant changes in the internal and external environment affecting the organisation.
Business models of companies are complex and dynamic; and in order for internal audit to effectively fulfil the role as defined in the audit charter, it will be difficult and probably impossible for internal audit to have all the required skills within its team - especially in cases where the number of headcount is limited.
This is why most internal audit functions will need a combination of in-house capabilities as well as specialist skills from external providers such as information technolocy (IT) audit resources to address cyber security risks.
COVERING EVERY ASPECT
The scope of internal audit work covers every aspect of the business from people to processes to systems.
The varied nature of skills required also means that internal audit may have to depend on "just-in-time auditors" or staff within the organisation who are seconded to internal audit to perform audits of a specialised nature.
In such cases, the skills are not likely to be available externally or cannot be outsourced due to confidentiality reasons. Companies are complex, and the Audit Committee needs to recognise the diversity of skills needed for internal audit to be effectively resourced.
The third and final pillar of an internal audit function is for it to be independent. To be independent has been seen to mean "without fear or favour, without pressure from or partiality to any person or other external influence".
In other words, to be independent means to be able to do the right thing.
This is an interesting and definitely the most challenging pillar of internal audit. If being independent means doing the right thing, then should it not be a requirement for the CEO, CFO and everyone else in the organisation to be independent? Why is internal audit singled out and specifically required to be independent?
This is largely due to the occupational hazards of internal audit. Like it or not, the Audit Committee would expect internal audit to look for internal control lapses, any hints of fraud and essentially perform the role of a "policeman".
There is nothing wrong with this requirement - it is one of the roles that internal audit should play.
Internal audit findings and reports, no matter how they are couched, will describe shortcomings of the company, the processes, the systems and the people - including management. There may be sensitivities in raising issues especially when it implies the shortcomings of the management.
As a result, internal audit must weigh the sensitivities against "doing the right things" and hence, the need to perform its role without fear or favour, and be seen as independent. Once again, it is an occupational hazard. It is in the internal audit charter.
What makes a great internal audit function? To be effective, adequately resourced and independent, internal audit needs to know its purpose, be nimble and always do the right thing.
And not forgetting the part to "maintain on an ongoing basis".
Internal audit is not just about doing one project a year - one swallow does not make a summer. Internal audit is not only a function but a mindset that should be part of the corporate culture.
- The writer is governor of the Institute of Internal Auditors Singapore