Although a vitally important function for any business, the role of internal audit is often not paid its fair dues by senior management figures. An eye for risk and an eagerness for efficient compliance are hard to put a price on, yet, for many, they consider the role as one that can be easily outsourced and not given as much emphasis.
Much like the role of the CFO, the purpose served by internal audit has evolved, and now encompasses a broader scope of work. Against this backdrop, it is essential for businesses to have a clear idea of exactly what they need from the function. “Modern internal audit has moved beyond auditing only finance and a box-ticking approach,” Abdulqader Obaid Ali, President, UAE Internal Auditors Association, says. “Anything that a corporation does can be audited. Internal audit needs to provide assurances that key risks are being appropriately managed. This includes strategic, technology, financial reporting, operations and compliance risks. In addition to this assurance role, internal auditing can be used to promote positive change through consulting activities such as facilitating risk assessments, promoting control self-assessments, reviewing key policies, supporting change programmes or system implementation, or giving training to management on governance, risk management and internal control related topics.”
While the role of internal audit has changed, that is not to say it has been negated. Although lines of reporting may have evolved, the function still has the ability to retain vital holistic and critical perspectives on an organisation. “The genesis of IA function was to support CFO in ensuring compliance with organisational policies, procedures and delegation of authority,” says Avinash Totade, Senior Vice President, Internal Audit, Emirates Global Aluminum. “However, that was a century ago. The function and the concepts of corporate governance moved on. Today, the IA function reports to the audit and risk committee and not to CFO or CEO. IA has a global view of the organisation. It is staffed with expertise ranging from finance to IT and operations to engineering. The CFO should take a lead role amongst other executives to realise the true potential of the IA function.”
Internal auditors will rightly argue that their role is crucial to an organisation, but many senior management teams may not deem the function as business-critical. Ali feels the role of internal audit is necessary, but requires organisations to make key decisions. “Having an internal audit function is a sign of corporate maturity,” he says. “Internal audit is not a luxury for any corporation; it is as necessary as operations, finance, HR or any other core business function. In the UAE, you very rarely find a major corporation, whether private or public, that does not have an internal audit function. The real question directors need to ask themselves is ‘do we need an in-house internal audit team or do we need to outsource it?’”
So, what can be done to ensure the function gains greater appreciation? As with any department, product or service, justifying worth is always easier with quantifiable results. In the case of internal audit, it is a case of ‘policing the police’, and Ali believes that relevant assessments are needed to ensure internal audit meets its KPIs and gets the exposure it deserves. “The best approach – which is a requirement in complying with international internal audit standards – is to have an independent party conduct an external quality assessment,” he says. “In such an assessment, the qualified assessor will analyse the mandate of the department, its independence, methodology, the department’s working papers and the qualifications of the team to determine whether the function adds value and complies with international standards. The UAE Internal Auditors Association has conducted numerous external quality assessments across the country.”
One potential solution in boosting the role of internal audit is to give the function a position in the boardroom. Although one could argue that a range of sub-divisions would subsequently also demand a seat at the top table, Totade believes the move would add increasing legitimacy to the division and help to reduce the reputation of IA. “In order to guarantee IA’s independence, it does not have any management responsibility,” he says. “This independence is construed by some CEOs and CFOs that the function does not add value to the entity. This may be the reason why some organisations do not see the importance of this function. The audit and risk committee must ensure that the chief audit executive (CAE) is positioned in the executive grade of the organisation. They should be given an appropriate title – CAE , senior vice president or chief internal auditor.”
The CFO’s collaboration with internal auditors is pivotal in a number of key decisions. Internal auditors need to act as key advisers, who meet frequently with the CFO to offer impartial advice, and be able to share concerns regarding any risks, and particularly those surrounding topics such as hedging and treasury management. These discussions should also reflect on an organisation’s effectiveness and potential at combatting these risks. Independent reviews of investment and credit policies are needed between the CFO and internal auditor, so as to ensure things are as shored up as possible before being approved by executive management teams.