Are you an Audit Committee member or a Shareholder?

Открыть страницу: на русском языке

Audit committees are under ever increasing pressure from their stakeholders as they exercise oversight over an increasingly wide range of risks to which their organisations are subject. Internal audit can be a powerful source of assurance to them in this role, provided that the function is effectively managed. Internal audit can also be an instrument of positive change to help an enterprise increase transparency and improve the overall level of corporate governance.

How do I respond to ever increasing needs of stakeholders?

The changing Russian business environment is driving Audit Committees & management to raise their expectations of IA, requiring them to deliver more value more efficiently

Focus on value

Tranform your risk assessment process

How PwC can help

How should the audit committee oversee internal audit?

It is essential that the audit committee effectively oversee and support internal audit, especially as the role of internal audit evolves from pure compliance to embrace value added consulting and acting as the “Agent of Change” for your company.

Below we share some of our insights on the practices that effective audit committees, both internationally and in Russia, follow to oversee and support internal audit. These are based on the 2011 global survey performed by PwC and the Institute of Internal Auditors Research Foundation.

1. Trust based relationship between audit committee and internal audit

Build a trusting relationship with internal audit that includes candid and continual communication between meetings, facilitating the ability to raise sensitive issues.

Assist internal audit to elevate its role and credibility within the company by emphasising its importance and acceptance by line management.

2. Clear roles and responsibilities

Ensure that the role internal audit plays meets both the committee's needs and those of management.

Internal audit can perform a wide variety of work on a spectrum from basic compliance to consulting. Often different internal audit stakeholders see different types of value from internal audit.

The audit committee’s challenge is to be comfortable internal audit is focusing its efforts in the right places and using its limited resources to provide not only value to management, but assurance to the audit committee.

3. Clear reporting lines and independence

Ensure internal audit reports directly to the audit committee, as well as to an appropriately senior member of management within the company, promoting internal audit’s status and objectivity.

4. Convincing internal audit leadership and credibility

Play a central role in appointing or replacing the head of internal audit, evaluating his or her performance, determining compensation and ensuring succession plans are established. The head of internal audit drives the function’s effectiveness and perception in the company. This person’s background, experience, and executive presence play a key role in whether other executives view him or her as part of the management team and whether they hold internal audit in high regard.

5. Resources and budget

Ensure internal audit has adequate resources and budget, including quality and continuity of staff, with ability to supplement skills as needed by use of subject matter experts and cosourcing.

“Not having the expertise in-house does not mean we won’t do the audit – we get the expertise” – IA Director

6. Effective reporting

Discuss significant internal audit findings, reported to the Committee at an appropriately summarised level, as well as the status of management’s remediation.

Expect internal audit reports to be as professional as the information the committee receives from other parties. Many internal audit functions struggle to reduce the level of detail in their reports, and consequently committees have to review more information than needed.

Effective internal audit reports typically incorporate:

  • An executive summary that concisely describes the overall state of the company’s control environment and sets the context for the rest of the report, highlighting any areas of significant concern
  • A description of internal audit’s most significant findings, with business implications and indications of management’s remediation plans
  • A listing of the results of all audits conducted since the last report, with the current rating and prior rating for each audit and indication of whether the control environment for that area is improving, deteriorating or stable
  • The status of past significant audit recommendations to allow the committee to monitor management’s commitment to needed remediation and to understand if repeat issues exist, which can indicate ineffective process
  • A combination of short paragraphs, memorable phrases, graphs, tables and pictures to convey key messages simply and succinctly

7. Private sessions

Meet privately with the head of internal audit on a regular basis, ideally at each in-person audit committee meeting. These private sessions should be scheduled as part of the agenda, and wise committee chairs preserve time for the sessions, even when other agenda items run over.

8. Continuous improvement and performance

Evaluate internal audit’s performance and operational independence by considering results of external and internal quality reviews of the function and feedback from company management and external auditors.

The audit committee can rely on internal audit’s work and findings only if the function fulfils its duties. It is important the audit committee regularly evaluates the function’s effectiveness and focus on continuous improvement.

9. Quality and value focused audit plan

Approve the internal audit charter and review the annual plan and any significant changes, ensuring appropriate coverage of risks and co-ordination of work with external auditors to avoid duplication.

In assessing its own performance in overseeing internal audit an audit committee should consider:

  • How are we making sure that internal audit is focusing on the higher risk areas, that either require significant judgment or are susceptible to fraud?
  • What higher risk areas should we devote more of our attention to? What lower risk topics are we spending disproportionate time on, and so should consider handling differently?
  • Do the briefing materials allow us easily to understand the issues and the context for the topics being covered? Or, does the volume of material detract from the core messages? What additional or different information should we get?
  • What could we do differently to improve the substance of the discussion? Do we need longer or additional meetings?
  • How do we ensure that we have the right level of engagement with the head of internal audit? Would the head of internal audit be able to stand up to pressure or influence from management if they push for different focus and results?
  • What actions can we take to improve our relationship with internal audit?
  • What are some ways we could improve the private sessions and meetings to encourage a more open dialogue?
  • Are we and the internal audit function getting the needed support from internal and external resources?
  • What additional skills or experience would be useful to have on our committee? Can these be developed through training, or should we add a new member?
  • Which other Board and management committees should we consult with regarding internal audit?
  • When was the last time the audit committee chair sat down with the head of internal audit to discuss the above questions?

How PwC can help


….and how should my IA function be performing?

Our vision of a high performing Russian IA function:

(Click to enlarge)

How PwC can help

How can I measure how good my IA function is and see where to improve it?

One way is to use a maturity model such as this:

(Click to enlarge)

How PwC can help

….and how can I benchmark my IA function against best practice?

(Click to enlarge)

How PwC can help

Does my internal audit function deliver quality?

PwC offers a comprehensive approach to performing an external quality assessment review (‘EQAR’) of your internal audit function. This includes:

  • A formal quality assessment of your internal audit function and its conformity with International Internal Audit (‘IIA’) Standards, with a report on findings
  • Benchmarking the function’s activities against best practice, with recommendations to improve its quality, efficiency and effectiveness
  • Defining the function’s strategic goals and role within your company’s management and governance structure and identifying development options
  • A review of when and how the head of internal audit interacts with the Board, audit committee and management, with recommendations on enhancing communication focusing on continuous improvement
  • Assessing the effectiveness of your risk based audit approach, methodology and interaction with your company’s risk management function, with suggestions for improvement
  • Reviewing the effectiveness of the function’s staffing model and skill development program, with recommendations for improvement

We tailor the scope of services to meet your needs, but typically provide three types of EQAR:

1. Assessment for conformity with IIA Standards

A detailed review in accordance with international standards to assess the function’s conformity with the individual IIA Standards. This is required to be performed at least once every five years by IIA Standard 1312.

2. Assessment against the expectations of your Board, audit committee and management

In addition to assessing conformity with IIA Standards, we interview and survey the stakeholders of the internal audit function, to determine their expectations and recommendations for its future development.

3. Performance benchmarking

In addition to the above we compare your internal audit activities against those of high performing functions in Russia and global companies in similar industries. To do this we use our in-house tool Profiler™, which contains anonymised data on internal audit best practice from Russia and all over the world, covering strategy, structure, people, process and technology.

At your request we can deliver our EQAR in two stages consisting of:

  • Readiness assessment, with interim recommendations
  • Some 3 to 6 months later, a full EQAR, with final recommendations.

Companies obtaining their first EQAR typically prefer this approach, to give them time to remediate their initial weaknesses identified.

How PwC can help

How should the head of internal audit communicate with the audit committee?

Building a successful trust-based relationship between the audit committee and internal audit is essential. Effective communication by the head of internal audit is critical to this relationship

Based on our experience of working with leading organisations around the globe, we often see heads of internal audit focusing on the following critical areas to build trust and effectively communicate with their audit committees:

  • Clearly defined roles and responsibilities - is there misunderstanding or conflicting expectations?
  • Effective communication – can parties really be heard? How often is there face to face communication? Does the head of internal audit take into account the audience?
  • Courage – this is vital to be able to discuss the big issues and provide and obtain feedback. Are you ready for this?
  • Focus on value – does internal audit deliver practical value to the business and audit committee? Does the internal audit team really understand the business they are auditing?

1. Clearly defined roles and responsibilities

Assumptions can be made about the role of internal audit and the audit committee. For example, is its primary focus to provide assurance or to provide insights to management and the Board? If expectations differ, this can create tension.

Clarifying roles and responsibilities helps to define performance expectations and work approaches for both the audit committee and head of internal audit.

The basis for a robust internal audit function lies in the quality of its discussions with its stakeholders and the way in which potential differences are resolved. The audit committee should be an ally to the head of internal audit in this process.

2. Effective communication

Companies that apply best practices make communication a core skill set in their internal audit function. They do this by conducting ongoing communication training, exploring new technology to distribute reports, and continually refining internal audit’s communication channels.

The following guidelines will help you convey your message clearly and convincingly.

Command the language
Be articulate, in all written and spoken communication. Get feedback on your language skills and learn from it.

Be yourself
Authenticity is a vital element of credibility. If you try to sound like someone else, your message will be diluted.

Invite dialogue
Do not talk at people; talk to them. Let them respond, question and push back. They must know that they are valued participants in the conversation.

Speak with confidence
Make sure that you believe in what you are saying and let it come through. Your honest display of conviction, passion and authority will foster trust, inspiration and action.

‘’Walk your talk”
Do not just say it. Do it. Live it. People quickly spot hypocrisy and will discredit your words (and you) if they do not correspond with your actions.

Say it again
And again. Do not be afraid of overdoing it. Even the most powerful and important messages must be repeated to get into the hearts and minds of your listeners.

Take a stand
Inconsistent or insipid communication will be quickly discounted. Be clear on the facts, then have a point of view.

Say it in different ways
Formally and informally. In the executive summary of the report and verbally to the audit committee.

Listen to others
Ask provocative questions. Learn what is on the minds of your audience. Some of the most powerful communication occurs when we stop speaking and listen to what others have to say.

Respect your audience
Consider who you are communicating with and tailor your messages to their individual needs and availability.

Be clear
Important messages should be obvious, not buried deep in a report or conversation. Issue powerful and clear presentations, reports and emails. When seeking to provide clarity share your views on implications, so the potential issue can be understood.


Leading an internal audit function is a rewarding role but also a challenging one. This is particularly relevant when there are issues in the business, and management teams are under pressure. At these times internal audit needs the courage to step back and speak up about what they see.

This is where the skills of a great internal audit team come together. They need to leverage their relationships, foster trust in all stakeholders and effectively communicate their observations to the company, so a common understanding is shared. This ultimately is the role of internal audit.

Focus on value

Clearly demonstrate the value that internal audit brings to the business and audit committee.

Deliver practical recommendations that can be implemented, covering assurance and process improvement and not least potential cost savings and revenue enhancement.

Keep presentations to the audit committee short and focused. Highlight current status, key achievements, major issues and planned actions and significant areas of concern, including emerging risks, or areas where you need help from the committee.

Demonstrate your knowledge of the business to both management and the audit committee. Deliver audit engagements that address the key risks of the company, using subject matter experts where required.

Become the “Agent of Change” for your company.

How PwC can help


Where does my IA function fit within my company’s overall governance model? To whom should I report?

(Click to enlarge)

How PwC can help

What are the implications of a UK stock exchange listing for corporate governance in general and internal audit in particular?

Here we set out some thoughts on corporate governance and the key role internal audit can play when a Russian company prepares for a listing on the London Stock Exchange (‘LSE’).

1. The context of corporate governance

Corporate governance in the UK has evolved in the context of a particular business environment including:

  • Diversified share ownership
  • A culture of accountability
  • An influential stock exchange in a globally respected financial centre
  • A climate of trust between business and regulatory authorities

Russian companies have developed in a very different economic and commercial environment.

Russian companies looking to list successfully on the LSE often need to consider how to adapt their corporate governance activities to meet UK requirements whilst remaining relevant to the particular local environment within which they operate, including:

  • How to demonstrate to future investors an effective ‘Tone at the Top’?
  • How to communicate to the market that the Board fosters a culture of transparency, delegation of authority and risk based decision making within the company?
  • How to redesign existing internal control and risk management activities to be more closely aligned with those typically adopted by international peers?
  • How to demonstrate to the market the Board’s commitment to continuous improvement within the company?

2. Increased scrutiny

A successful listing on the LSE generally involves a significant increase in scrutiny of a company’s corporate governance activities, including by potential investors, regulatory bodies, analysts and the financial press, and other stakeholders.

They will assess your corporate governance activities for:

  • Compliance with the principle based UK Corporate Governance Code
  • Alignment with industry peers and best practice
  • Transparency, and not least
  • How these activities contribute to effective decision making at board level

How will you effectively manage this increase in scrutiny?

3. Transparent and robust governance, risk and control system

UK listed companies are more and more operating a transparent and robust system of Governance, Risk and Control (‘GRC’) based on the 3 Lines of Defence Model, with internal audit acting as the independent 3rd line of defence.

4. Board structure and responsibilities

A critical element for successful corporate governance for a company listed on the LSE is its Board structure and division of responsibilities, whereby:

  • The Board is collectively responsible for the long term success of the company
  • No one individual should have unrestricted powers of decision.
  • The Chairman of the company is responsible for leadership of the Board and ensuring its effectiveness
  • The Chairman is independent* and should not act as the company’s Chief Executive Officer
  • There is a clear division of responsibilities at the top of the company between the Board and executive management who are responsible for running the company’s day to day business
  • The Board typically consists of 9-13 members with the majority being independent* and non-executive directors, supplemented by a minority of executive directors, such as the chief executive officer and chief finance officer. All directors should be submitted for re-election at regular intervals, subject to continued satisfactory performance
  • Collectively, Board members must have the appropriate balance of skills, experience, independence and knowledge of the company to enable them to discharge their respective duties and responsibilities effectively
  • The Board typically meets 8 to 10 times per annum
  • Clear procedures exist for the appointment of new directors to Board
  • A self or external assessment of the effectiveness of the Board is performed annually with focus on continuous improvement
  • Training and development programs are provided for all Board members

Board sub-committees

The Board delegates a range of its responsibilities to sub-committees to effectively discharge their responsibilities.

There are usually at least 3 main sub-committees each typically consisting of 3 independent* non-executive directors, including the chairperson.

  • Audit Committee - oversight of financial reporting and external audit, internal audit, risk management, internal control, ethics and compliance
  • Remuneration Committee - remuneration of board members and executive management
  • Nomination Committee – identification and appointment of Board members and executive management

Other Board sub-committees exist depending on the specific need of the company. For example committees responsible for oversight of financial reporting, investment, risk and corporate social responsibility.

Board responsibilities

Board responsibilities typically cover 6 core areas and are allocated between the Chairman, the Board collectively and its sub-committees. For example:

5. What role can internal audit play?

An effective internal audit function can play an important role in transforming your corporate governance activities.

It can act as your in-house consultant and “Agent of Change” to help you establish and maintain a transparent and robust system of governance, risk and control (‘GRC’) that is both:

  • Appropriate for your company and LSE requirements, and
  • Attractive to investors.

Leading internal audit functions of UK listed companies are:

  • Acting as the independent ‘3rd Line of Defence’ within an integrated GRC structure
  • Delivering assurance on the effectiveness of the companies GRC activities and continuous improvement recommendations
  • Introducing modern data mining software to establish continuous monitoring of current transactions
  • Providing foresight to both the Board and management by:
    1. Driving behavioural change across the company
    2. Instilling risk awareness in the next generation of business managers
    3. Auditing strategic risk and courageously addressing the ‘bigger business issues’
    4. Embedding change within the business
    5. Being used as a training ground for future managers

How PwC can help

PwC Russia is a Partner of the XXII Olympic Winter Games and XI Paralympic Winter Games to be held in the city of Sochi in 2014
Learn more