Risk & Economy » Audit » Internal audit detective work far from elementary

I HAVE just received a disappointing internal audit report following a visit that the team made to our business in Nigeria, a trip that also included a contingent from the external auditors. This was unusual, although it was excused on the basis that it formed part of their fieldwork for the year-end, but I suspect something more unpleasant was going on.

This visit was in response to a fraud, so I was keen to understand how we could tighten the controls in order to prevent any possibility of repetition. Eventually, I received a 40-page report which was mostly irrelevant and full of blame, and which contained a naïve assessment of the risks in the external environment. It unhelpfully pointed out that “Nigeria is a complex and challenging environment, where corruption is well established” and said that “the requirement for constant management scrutiny together with a strong control framework is crucial”. Whatever the truth may be, this internal audit report was the most useless one yet.

Of course we have a charter for internal audit, but the function has lagged behind evolving business trends and modern practice. It has stuck to a system of cyclical compliance auditing and has failed to respond to issues of organisational reputation, environment, growth and employee engagement. It does not see its role in terms of helping the organisation to succeed, nor to contribute to improving our risk profile. It focuses on frivolous travel, stating the obvious, protecting the chief executive, and criticising everyone else. The unpopular head of internal audit has been in the post far too long and has developed an air of arrogant immunity and detachment.

He reports to the CEO for pay and rations, has a strong relationship with the audit committee chair, and agrees the audit programme with the audit committee. I have only a limited influence over the internal audit function’s activities, but this latest report has made me reconsider whether the board should agree to some changes. Surely, internal audit should play a leading role in the corporate governance framework by providing high-quality independent assurance, protecting against risks, informing strategic decision making, and enabling performance improvements, and it should align its approach accordingly.

Crucially, there should be an appropriate balance between the roles of enabling and policing the organisation, and the external auditors should be able to rely on the work of internal audit.

I doubt that our internal audit department can making a successful contribution without first addressing its staffing model. It is used as a recruiting ground from which staff are borrowed by or transferred to the wider organisation, sometimes in response to crises highlighted by internal audit itself. Unfortunately, good auditors working in the profession are less keen to join us as internal auditors, so the department tends to be understaffed, therefore outsourcing or co-sourcing the workload with a consequential reduction in efficiency and effectiveness.

The wider organisation tends to look upon internal audit with disdain, assuming it to be staffed by people with little business, operational or commercial experience. But some of the internal audit professionals do possess superior knowledge and skills in areas such as IT, financial controls, security and risk – resources that should be made available. Indeed, when I dropped into the internal audit department recently, I listened in on a conversation between two of the newer IT auditors, and I realised how much more knowledgeable they are than the rest of us, so there is something impressive to build upon.

The challenge for me is to find backing for the idea that internal audit should report to me as CFO. Then I can lead a transformation of the function, making the best of its unusual resources, upskilling the team and repositioning it culturally and reputationally within the wider organisation, which now has very limited appetite for it. ?

Last month the SFD attended an enjoyable prestigious FD awards dinner in London, but did not win anything