Audit environment….. What is it? Never heard of it? Why do we need it? Who is responsible for it?
What is the ‘audit environment’?
Internal Audit reports to the Audit Committee and has independent status to make objective, unbiased evaluation and judgement about systems, controls and risks relating to business operations. The Internal Audit Charter gives Internal Audit a mandate to access information, records and people. Yet the Internal Audit Department often struggles to gain acceptance and prove its value to stakeholders in their organisation.
A definition of ‘audit environment’ could be:
“An organisation environment where Internal Audit aligns its activities with business activities and risks. Internal Audit services focus on strategic and operational issues important to the business, with a collaborative partnership formed between Internal Audit and management. Action plans emanating from audits are facilitated by Internal Audit, but agreed, owned and implemented by management.”
For many years, Internal Audit professionals have been focusing on the ‘control environment’, which is the foundation on which an effective system of internal control is built within an organisation. It is designed to ensure:
- Objectives are achieved.
- Decisions are properly authorised.
- Reliability and integrity of information.
- Assets are safeguarded.
- There is compliance with laws, regulations, policies and contracts.
- Efficiency, effectiveness, economy and ethics of business activities is promoted.
- Opportunities for fraud and corruption are minimised.
Stakeholders contribute to make this foundation strong and effective.
The role of Internal Audit is well-defined, with the ‘International Professional Practices Framework’ (IPPF) issued by the Institute of Internal Auditors stating Internal Audit’s mission as:
“To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.”
In this context, Internal Audit has a duty to work with management to improve the organisation’s risk management, control and governance processes.
What is Internal Audit’s role?
The role of Internal Audit is usually defined in the Internal Audit Charter approved by the Audit Committee. The charter may also include organisation expectations about Internal Audit and its value-add. The charter should be circulated to key management so they understand Internal Audit’s obligations, but also their obligations.
The standing of Internal Audit in an organisation can be raised by the Chief Audit Executive becoming a trusted adviser to management. It is up to the Chief Audit Executive to effectively communicate with management, develop a stakeholder relationship strategy, and implement actions designed to develop a partnership relationship with management that together improves the business.
Is it important to have a control environment?
The existence and robustness of a ‘control environment’ has been emphasised for many years, has been discussed by Audit Committees and management, and in some jurisdictions is required by law.
In conjunction with the ‘control environment’, an ‘audit environment’ can be developed and implemented in collaboration between the Chief Audit Executive and management. The Chief Audit Executive should ideally be seen as a business partner. The Audit Committee can assist Internal Audit’s contribution to the organisation by making the ‘audit environment’ complementary to the ‘control environment’. A spin-off is likely to be greater acceptance of Internal Audit by the people who are audited.
Who is responsible for that?
The Chief Audit Executive is often considered to have many roles, such as an appraiser, consultant, facilitator, business partner, etc. It is therefore incumbent on the Chief Audit Executive to have deep knowledge of the organisation and its business activities through review of strategic and business plans, risk assessments, and other relevant information.
Ultimately, the Chief Audit Executive needs to drive the ‘audit environment’ and provide continuous review of the effectiveness of governance, risk management and control processes by:
- Providing independent, unbiased assessment of an organisation’s operations.
- Offering information to management on the effectiveness of governance, risk management and control processes.
- Acting as a catalyst for improvements in governance, risk management and control processes.
- Advising management what it needs to know, when it needs to know it.
The Chief Audit Executive needs to develop a relationship with the Audit Committee and management through compelling analysis and data that provides clarity and encourages management to make timely remedial actions.
As a ‘governance guardian’, the Audit Committee will be more confident of the audit environment’ being effective if Internal Audit steps up and collaboratively tackles important business issues and risks.
That is where the real value of Internal Audit can be found and where organisation value can be enhanced.
|Internal Audit needs to step up and collaboratively tackle important business issues and risks.|