Corporate governance in the UK has recently been issued a series of challenges that could have major implications for the internal audit profession. Many, although not all, of these have been in the financial services sector.
• The Salz Review commissioned by Barclays into its business practices raised concerns that some governance and control issues had not been identified early enough and suggested that internal audit had not been sufficiently risk-based.
• The FSA report into rogue trading in UBS concluded that there had been serious weaknesses in the firm's procedures, management systems and internal controls.
• The Parliamentary Commission’s report on HBOS pointed to failures in internal control and risk management and a lack of central challenge.
• The Ofgem report on SSE’s mis-selling of energy contracts concluded that senior management should have been aware of the breaches, and that many breaches concerned inadequate monitoring and control arrangements over the behaviour of SSE’s sales agents.
What these, and other examples, have in common is that internal audit did not appear to be positioned, tasked or resourced properly to act as the effective eyes and ears of the board and the third line of defence in managing organisational risk.
As many will know, in the financial services sector the institute is in the process of preparing a code of practice based on the recommendations of a committee chaired by Roger Marshall. This is in direct response to FSA concerns about the role of internal audit. The committee will report in the summer.
In the meantime we have been working with the Institute of Directors on a new publication – “What every director should know about internal audit”. This document, based on work at European level, offers boards ten essential actions to ensure they maximise the value they get from internal audit and gain maximum protection and assurance from its activities. While this detailed guidance is produced primarily for private-sector organisations, boards in the public sector and third sector may also find it of value. We have sent copies to IIA heads of internal audit and to audit committee chairs in FTSE 350 companies.
In summary, the ten actions are:
1. Evaluate the need for internal audit where it does not exist.
2. Assess and approve the internal audit charter (terms of reference) and review it regularly.
3. Ensure a close working relationship with the head of internal audit, promoting effective formal and informal communication.
4. Assess the resourcing of the internal audit function.
5. Monitor the quality of internal audit work, both in-house and external.
6. Evaluate, approve and regularly review the risk-based annual internal audit plan.
7. Oversee the relationship between internal audit and centralised risk monitoring.
8. Ensure the collective assurance roles of internal audit, other internal assurance providers and external audit are coordinated and optimised.
9. Assess internal audit findings and the breadth and depth of internal audit reports.
10. Monitor management implementation of internal audit recommendations.