February 19, 2017

Internal auditors should provide advice on effectiveness of controls and risk management

Internal auditors have a large role to play in protecting enterprises from various kinds of risks. But they have a delicate balancing act to perform to ensure that they stay independent in their enquiries even as they try to identify and address the risks in various functions. Richard Chambers, Global President and CEO of The Institute of Internal Auditors (IIA), representing 1,90,000 members in 170 countries worldwide, speaks about the role internal auditors have to play in the current rapidly evolving world, in this exclusive interview with BusinessLine. Excerpts from the interview:

Can you tell me a little about what the Institute of Internal Auditors does?

The IIA is the global professional body for internal auditors. The purpose of the organisation is to set the standards by which internal audit is practised around the world. We are the certifying body for internal auditors as well. There are over 1,40,000 Certified Internal Auditors around the world. We are also the chief voice and advocate for this profession. In India, the IIA has about 3,000 members.

One of the myths that persists about internal audit is that it is an accounting profession but that is not the case at all. Less than 20 per cent of internal audit resources are spent looking at financial issues. A vast majority of resources are spent looking at compliance matters, technology risks, operational risks and business and strategic risks.

Has the definition of internal auditors changed over time?

The internal audit profession today is a risk-centric profession designed to provide assurance and advice on effectiveness of controls and risk management. The key here is that it is risk-based. So internal auditors go through a process every year where they assess the risks of the enterprise. They work with the management to look at all the key risks.

Then depending on what the key risks are, they build an audit plan to see if appropriate internal controls have been designed and implemented to mitigate those risks. Financial reporting controls are not the most significant risk that companies face. Risks like cyber security, for instance, would be on top of the list of priorities for most companies.

Accountants are traditionally called bean counters. I always say internal auditors need to be much more than bean counters, they have to know how to grow the beans, harvest them and market them.

How equipped are internal auditors to check the processes that involve technological innovations? Do they find it difficult to keep upgrading themselves?

That’s an excellent question. It’s absolutely true that technology is emerging and developing very rapidly and so are the associated risks. I wouldn’t say that internal auditors are experts in every risk. There are some risks in which we have more training and capabilities when compared to others. Our global standards guidance says that if you don’t have that expertise in your department, then you have to source it from a third party. We typically have co-sourcing and partnering relationships with consultants, accounting firms and others to help us cover these risks where expertise is not available within the company.

How do you ensure independence in reporting? If departments report to the CEO, how are governance issues addressed?

Our guidance is that internal audits should have a dual reporting relationship. There should be a reporting relationship administratively within the company, ideally with the CEO. But there should also be, more importantly, a reporting relationship with the Board, with the audit committee of the Board.

The audit committee’s charter typically requires the committee to oversee the work of the internal audit, approve the audit plans, see they are briefed about the resources that internal audit departments need and ensure that the audit committee is apprised of their findings.

This has worked effectively in many companies. If you see the case of WorldCom, the internal auditor reported to the CFO, who tried to stop the auditor from reporting the control breaches, but the audit committee stepped in and heard the story from the internal auditor that actually helped expose the financial fraud.

In India too, in well-managed companies, the internal auditor reports administratively to the CEO or the MD but functionally he reports to the Chairman of the audit committee or Board of Directors. There could be exceptions but this is the case in the well-managed companies.

While the statutory auditors have responsibilities towards investors, creditors, etc, that’s not the case with internal auditors. To what extent is an internal auditor responsible to external stakeholders?

If an internal auditor finds a fraud, it is his responsibility to inform the Management or the Board about it. They decide whether to expose this to other stakeholders or not. Internal auditors do not have that responsibility or the authority to communicate their findings to sources outside the company unless the statutes or the regulations compel them to do so. We feel that internal audit becomes compromised with regard to the trust that it has within the company if they are seen to have direct reporting lines outside the company. It’s not an ideal situation for internal auditors to take their information public.

Do you think it’s a good idea to rotate internal auditors too?

I don’t think it will be ideal to require that. There is a lot of value that the internal audit head adds with his knowledge of the company, the industry and the risks and controls. My concern is that if it is mandated that internal audit heads are rotated, it might affect their objectivity. I have had heads of internal audit in companies that mandated rotation tell me that they felt restricted in what they can say or look at. We don’t think that is a good idea. If rotation is mandated, pressure and coercion can occur that will undermine the effectiveness of the internal audit function.

There is a discussion going on currently in India to mandate that internal audit should be done by an external consultant and the department should not be established within the company. We think that would be a very bad idea.

[The Hindu Business Line]