Internal Audit claims its rightful place in governance

Disclaimer: Please note that this article is at least 12 months old.
Any information herein was accurate when published on 9 March 2009

Subscribe to the Industry News newsfeed

The recently released draft King III Corporate Governance Report reinforces the need for internal audit (IA) in an organisation and gives further guidance on the nature of this function. "By giving recognition to the key role that IA plays in a business, King III elevates the function to where it should rightfully be playing a pivotal role in the governance of a company" says Mark Dunn, BDO Spencer Steward director for risk management. "For too long, the role of IA has been understated, sometimes even viewed as a grudge cost to the company. However, it makes a vital contribution to the achievement of an organisation's strategic objectives. It does this through providing an effective challenge to all aspects of the governance, risk management and internal control environments in a business."

Dunn says there has been much debate as to the lines of reporting of the IA function and where it should sit in terms of an organisation's oversight and accountability structures. "King III reinforces the independence of this function and recommends it should fall under the ambit of the Chairman of the Audit Committee, who in turn is ultimately accountable to the board and CEO. It also recommends there should be direct relationships between IA and the Corporate Governance and Risk Committees in the organisation." Furthermore Internal Auditors are now expected to provide a written assessment to the Audit Committee on the status of the internal controls within the organization.

King III states that with more direct Audit Committee oversight of IA, and a much greater degree of interaction between the audits, corporate governance and risk committees with the IA function, this should ensure that an optimum level of control oversight is maintained.

The recommendation is also that the audit committee should be ultimately responsible for the appointment, performance assessment and/or dismissal of the Chief Audit Executive or outsourced internal audit service provider. King III also states that where possible the Chief Audit Executive must be a part of the company's executive committee or top management team.

"Absolutely key is that King III reinforces the requirement that the IA function must be structured in a way that it remains independent" emphasises Dunn. "As a significant role player in governance, King III requires this function to have the respect and cooperation of both the board and the management, and should report at a level within the company that allows it to remain independent and objective to ensure it fully accomplishes its responsibilities."

Dunn highlights that IA should no longer be viewed as a function which considers only the risks and downsides of a business. "Besides focusing on risks that have the potential to detract from the realisation of the strategic goals of a business, IA can also evaluate and assess opportunities that will promote such realisation. King III points to the invaluable contribution IA can make in ensuring that potential opportunities are identified timeously, assessed adequately and managed effectively by the company's management team."

Dunn emphasises that in downturns such as the current economic crisis, the focus on the IA function becomes even more critical. "This is not the time to be scaling down the IA function. Risk concerns become heightened during tough times. Companies start to retrench staff and a lighter work force has to cope with the same or even increasing workload. This in turn heightens risks associated with issues such as the effective segregation of duties. Company internal controls can be compromised because of a lack of human resources."

During both up and down cycles, Dunn says an effective IA function ideally could result in a reduction in external audit fees. "Through co-ordination of the internal and external audit functions and other assurance providers, there can be optimisation of all audit costs, the elimination of duplication and the avoidance of audit and assurance overload."

Dunn points to the qualifier in King III where a board, in its discretion, decides not to establish an internal audit function, either internally or outsourced. "In this case, King III requires that full reasons should be disclosed, with an explanation as to how adequate assurance of an effective governance, risk management and internal control environment has been maintained."

Disclaimer: Please note that this article is at least 12 months old.
Any information herein was accurate when published on 9 March 2009