Against a backdrop of ongoing change, audit committees play an increasingly important role within the governance framework of public service organisations in Ireland. The change agenda within the public sector has resulted in continuing pressure on organisations to achieve more with less in an increasingly complex risk environment. Changes in technology, regulation and legislation – not to mention the deployment of shared services – have also contributed to higher levels of reputational risk, which requires a more diverse skillset at both board and audit committee levels.
Audit committees need to be more effective in how they operate, particularly in their relationship with internal audit. The practices and principles outlined in this article are vital to establishing and maintaining a successful audit committee relationship with internal audit, and take into account the ongoing development of guidelines and codes that prescribe requirements in relation to the operation of audit committees in public sector-based organisations in Ireland. Indeed, many of the practices and principles outlined are applicable to other sectors including the private and not-for-profit sectors.
Corporate governance guidelines for commercial and non-commercial State bodies in Ireland are set out in the Code of Practice for the Governance of State Bodies, which was last updated in May 2009. At the time of writing, a draft revision to this Code of Practice had been circulated for review. Many interested parties await the final publication by the Department of Public Expenditure and Reform (DPER).
The requirements in respect of audit committees in central government departments and offices are presently based on the 2002 Mullarkey Report and the Audit Committee Guidance paper published by DPER in 2014. The Department has also published a Draft Corporate Governance Standard for Central Government Departments for public consultation. The draft standard aims to promote best practice in corporate governance across the central government sector while also providing greater clarity on the role of the audit committee.
Success Factor #1
It is critical for the audit committee and internal audit to hold an open dialogue around enterprise-wide risks, share their perspectives, and seek to reach a common viewpoint on the role of internal audit around the most critical risks. There are a broad range of risks facing organisations today in the areas of financial reporting and control, risk management, business continuity planning, data security, corporate governance, fraud, performance management, whistleblowing policy and conflict of interest declarations among others.
Alignment around the most critical risks is essential to prioritise and enable effective allocation of internal audit resources. While diverging viewpoints may arise, there is a need for continuing communication between all parties on how well the audit committee perceives risks to be managed.
Success Factor #2
While internal audit’s role in providing independent assurance on risk, control and governance should be clearly stated in the internal audit charter, the importance of the strategic internal audit plan should not be understated.
A detailed strategic internal audit plan enables the internal audit function to align its objectives to the organisation. The internal audit strategy should have a minimum three-year time horizon and provide a roadmap based on the organisation’s overall strategy, risk priorities, key stakeholder expectations (including parent department expectations), regulatory requirements and the role of the other risk and assurance activities specific to the organisation. Examples of other risk or assurance-type activities may include external audit, legal, security, environmental health and safety and compliance. Consideration of wider aspects allows for the assessment of duplication of efforts or potential gaps between these activities and functions. In addition to providing a clear basis for audit committees to approve internal audit activities and priorities, the plan can serve to:
- Set and agree clear timelines and deliverables;
- Facilitate discussion on risk coverage on an ongoing basis to allow for changing priorities;
- Provide a framework for evaluating and identifying potential skills gaps in the internal audit team based on the types of internal audit reviews to be performed. Such evaluation at an early stage also allows time for the sourcing of skillsets outside the organisation, if required; and
- Assess whether the internal audit activity will add value in addition to providing the necessary assurance to the audit committee over the lifetime of the plan.
Success Factor #3
The Code of Practice for the Governance of State Bodies requires the audit committee to assess the effectiveness of the internal audit and risk management. This assessment should consider whether processes, methodologies and tools are up-to-date; internal audit has the functional, organisational and sector insights it needs; and staffing models are flexible enough to anticipate change and address emerging risks/issues.
In order to make this assessment, audit committee should explore the following questions:
- Are the existing skill sets within the team appropriate?
- Is the internal audit team adequately resourced for its role?
- Has the internal audit activity performed its work in accordance with its charter?
- Does the existing internal audit model (in house, outsourced or co-sourced) provide sufficient flexibility to gain access to the skillsets to provide the necessary assurance over a broad range of risks?
- Do members of the team participate in professional development training?
- Have the team members acquired professional designations that demonstrate their competency?
- Does the internal audit department have the tools it needs, including advanced data analytics?
- Are the internal audits conducted in conformance with the International Standards for the Professional Practice of Internal Auditing and the Institute of Internal Auditors’ (IIA) code of ethics?
- Does the internal audit activity have a quality assurance and improvement programme in place to provide feedback and drive continuous improvement?
Audit committees should also consider whether internal audit activity has been subject to independent external quality assessment within the past five years. External assessments should be conducted in accordance with the IIA’s International Standards for the Professional Practice of Internal Auditing and be performed by an outside independent assessor or assessment team.
The objective of the external assessment is to evaluate an internal audit activity’s conformance with the IIA’s definition of internal auditing, code of ethics and standards. External assessments should also focus on identifying opportunities to enhance internal audit processes, offering suggestions to improve the effectiveness of the internal audit activity and promoting ideas to enhance the activity’s positioning within the organisation.
Communication between the audit committee and the internal audit function is key. An effective audit committee can strengthen the position of the internal auditor(s) by acting as an independent forum for internal auditors to raise matters impacting upon management. The head of internal audit should be invited to audit committee meetings to present and discuss audit planning, findings and observations.
The lines of communication and reporting should be clearly defined and encourage internal auditors to speak freely, regularly and on a confidential basis with the audit committee.
It is the overall combination of factors which should guide audit committees in managing the relationship with internal audit. The use of the principles and practices outlined should build meaningful trust between the audit committee and internal audit for the ultimate benefit of the organisation.
Bernard Barron FCA is a Partner in Mazars, specialising in governance, audit and internal control. Justin Moran FCA is a Director in Mazars, specialising in governance, internal audit and risk management.
This article first appeared in Accountancy Ireland magazine December 2015.