Internal audit
'The internal audit function is an integral part of the corporate governance regime of most public companies and a number of larger private companies. The primary goal of internal audit is to evaluate the company’s risk management, internal control and corporate governance processes and ensure that they are adequate and are functioning correctly. King II views the existence of an internal audit function as essential for all affected companies and suggests that where the board of such a company decides not to implement an internal audit function, full reasons for its decision should be advanced in the company’s Annual Report. In addition, the board should consider how, in the absence of internal audit, the effectiveness of the company’s internal processes and systems will be verified.
Internal audit may be carried out by an in-house division or outsourced, although where the function is outsourced to the same firm that performs the company’s external audit, care should be taken to ensure that suitable ‘Chinese walls’ exist. The separateness of the external and internal audit functions is essential to proper corporate governance, as the one acts as a system of checks and balances in respect of the other. In practice there is often a high degree of cooperation between the external and internal audit functions of a company, and the external auditors usually affirm in their audit report the extent to which reliance has been placed on the work performed by internal audit.
The purpose, authority and responsibility of the internal audit function should be formally defined in a form consistent with the standards of the Institute of Internal Auditors, and a formal Internal Audit Charter should be approved by the board. The charter should define the mission and scope of the internal audit function, its sphere of responsibility, its authority within the company, and its accountability and reporting obligations. A pro-forma internal audit charter is contained in an appendix to King II.
The internal audit function should be sufficiently independent of the activities audited to ensure that the fact that internal auditors may be employees of the company does not hamper their independence and their ability to be objective. Internal audit should report at a level within the company that allows it to accomplish its responsibilities without undue interference, preferably to the CEO or the chairman. As previously stated, the head of the company’s internal audit function should have regular, independent access to the chairman of the audit committee. The appointment or dismissal of the head of internal audit should be dealt with in consultation with the audit committee.' †
Risk management
Risks are uncertain future events that could influence the achievement of a company’s strategic, operational, financial and compliance objectives. Risks are an unavoidable part of the business process, but good risk management at least protects an organisation against avoidable losses. Risk management is the process of deciding which risks to avoid, control, transfer or tolerate.
The overall responsibility for risk management, which includes internal controls, rests with the board of directors. The board is responsible for ensuring that a formal risk assessment is undertaken at least annually for the purposes of making its public statement on risk management, including internal control. The board should acknowledge, in this statement, its responsibility for the risk management process and for reviewing its effectiveness. Management is accountable to the board for designing, implementing and monitoring the process of risk management, and integrating it into the day-to-day activities of the company. Management is also accountable to the board for providing assurances that it has done so.
Risk management is multi-faceted and requires a team-based approach. Boards are encouraged to appoint dedicated committees to oversee the risk management process. Members of a risk committee should be executive directors and senior management who are involved with the operational functions of the organisation, in addition to non-executive directors with relevant skills or experience.
Scope of risk management
Risk management aims to create a disciplined, structured and controlled environment within which risks to the organisation can be anticipated and maintained within predetermined, acceptable limits. Risk assessment is a continuous process requiring regular review as internal and external changes influence the company’s strategies and objectives. Circumstances demanding close attention include substantive changes to the operating environment, new personnel, new or revamped information systems, rapid growth, new technology, products or activities, corporate restructuring, acquisitions and disposals, and foreign operations.
Control activities
Control activities such as approvals, authorisations, verifications, operating reviews and reporting, and division of duties should be implemented in order to try and avoid risks materialising.
Information and communication
Relevant information should be communicated in an appropriate and timely way in order to enable employees to properly carry out their responsibilities. The communication system should ensure that all information, positive and negative, reaches senior management without delay.
Monitoring
The monitoring process assesses the quality of control systems over time. This may be accomplished through ongoing monitoring activities, separate evaluations or by a combination of the two.
Internal control
The formality and nature of a company’s system of internal control will generally vary with the size of the company and the level of public interest in it. Since profits are in essence the reward for successful risk-taking by a company, the purpose of an internal control system is to help manage and control risk appropriately rather than to eliminate it. Control mechanisms should be incorporated into the business plan and embedded in the day-to-day activities.
The environment in which a company operates and the risks it faces are continually evolving; the challenge for the board remains to ensure that the company’s system of internal control remains relevant and is effective in managing the risks confronting the company at any given time. The system of internal control should be capable of responding quickly to the needs of the business arising from factors within the company and changes in the internal and external business environment. It should include procedures for reporting to appropriate levels of management any significant control failings or weaknesses that are identified.
An effective system of internal control should enable the company to:
Risk management
Since risk management includes a system of internal control, the internal auditing function should assist the board and management in identifying, evaluating and assessing significant organisational risks, and provide assurance as to the effectiveness of related internal controls.
Key questions: