Audit committees are under ever increasing pressure from their stakeholders as they exercise oversight over an increasingly wide range of risks to which their organisations are subject. Internal audit can be a powerful source of assurance to them in this role, provided that the function is effectively managed. Internal audit can also be an instrument of positive change to help an enterprise increase transparency and improve the overall level of corporate governance.
The changing Russian business environment is driving Audit Committees & management to raise their expectations of IA, requiring them to deliver more value more efficiently
It is essential that the audit committee effectively oversee and support internal audit, especially as the role of internal audit evolves from pure compliance to embrace value added consulting and acting as the “Agent of Change” for your company.
Below we share some of our insights on the practices that effective audit committees, both internationally and in Russia, follow to oversee and support internal audit. These are based on the 2011 global survey performed by PwC and the Institute of Internal Auditors Research Foundation.
Build a trusting relationship with internal audit that includes candid and continual communication between meetings, facilitating the ability to raise sensitive issues.
Assist internal audit to elevate its role and credibility within the company by emphasising its importance and acceptance by line management.
Ensure that the role internal audit plays meets both the committee's needs and those of management.
Internal audit can perform a wide variety of work on a spectrum from basic compliance to consulting. Often different internal audit stakeholders see different types of value from internal audit.
The audit committee’s challenge is to be comfortable internal audit is focusing its efforts in the right places and using its limited resources to provide not only value to management, but assurance to the audit committee.
Ensure internal audit reports directly to the audit committee, as well as to an appropriately senior member of management within the company, promoting internal audit’s status and objectivity.
Play a central role in appointing or replacing the head of internal audit, evaluating his or her performance, determining compensation and ensuring succession plans are established. The head of internal audit drives the function’s effectiveness and perception in the company. This person’s background, experience, and executive presence play a key role in whether other executives view him or her as part of the management team and whether they hold internal audit in high regard.
Ensure internal audit has adequate resources and budget, including quality and continuity of staff, with ability to supplement skills as needed by use of subject matter experts and cosourcing.
“Not having the expertise in-house does not mean we won’t do the audit – we get the expertise” – IA Director
Discuss significant internal audit findings, reported to the Committee at an appropriately summarised level, as well as the status of management’s remediation.
Expect internal audit reports to be as professional as the information the committee receives from other parties. Many internal audit functions struggle to reduce the level of detail in their reports, and consequently committees have to review more information than needed.
Effective internal audit reports typically incorporate:
Meet privately with the head of internal audit on a regular basis, ideally at each in-person audit committee meeting. These private sessions should be scheduled as part of the agenda, and wise committee chairs preserve time for the sessions, even when other agenda items run over.
Evaluate internal audit’s performance and operational independence by considering results of external and internal quality reviews of the function and feedback from company management and external auditors.
The audit committee can rely on internal audit’s work and findings only if the function fulfils its duties. It is important the audit committee regularly evaluates the function’s effectiveness and focus on continuous improvement.
Approve the internal audit charter and review the annual plan and any significant changes, ensuring appropriate coverage of risks and co-ordination of work with external auditors to avoid duplication.
In assessing its own performance in overseeing internal audit an audit committee should consider:
We tailor the scope of services to meet your needs, but typically provide three types of EQAR:
A detailed review in accordance with international standards to assess the function’s conformity with the individual IIA Standards. This is required to be performed at least once every five years by IIA Standard 1312.
In addition to assessing conformity with IIA Standards, we interview and survey the stakeholders of the internal audit function, to determine their expectations and recommendations for its future development.
In addition to the above we compare your internal audit activities against those of high performing functions in Russia and global companies in similar industries. To do this we use our in-house tool Profiler™, which contains anonymised data on internal audit best practice from Russia and all over the world, covering strategy, structure, people, process and technology.
At your request we can deliver our EQAR in two stages consisting of:
Companies obtaining their first EQAR typically prefer this approach, to give them time to remediate their initial weaknesses identified.
Based on our experience of working with leading organisations around the globe, we often see heads of internal audit focusing on the following critical areas to build trust and effectively communicate with their audit committees:
Assumptions can be made about the role of internal audit and the audit committee. For example, is its primary focus to provide assurance or to provide insights to management and the Board? If expectations differ, this can create tension.
Clarifying roles and responsibilities helps to define performance expectations and work approaches for both the audit committee and head of internal audit.
The basis for a robust internal audit function lies in the quality of its discussions with its stakeholders and the way in which potential differences are resolved. The audit committee should be an ally to the head of internal audit in this process.
Companies that apply best practices make communication a core skill set in their internal audit function. They do this by conducting ongoing communication training, exploring new technology to distribute reports, and continually refining internal audit’s communication channels.
The following guidelines will help you convey your message clearly and convincingly.
Command the language
Be articulate, in all written and spoken communication. Get feedback on your language skills and learn from it.
Authenticity is a vital element of credibility. If you try to sound like someone else, your message will be diluted.
Do not talk at people; talk to them. Let them respond, question and push back. They must know that they are valued participants in the conversation.
Speak with confidence
Make sure that you believe in what you are saying and let it come through. Your honest display of conviction, passion and authority will foster trust, inspiration and action.
‘’Walk your talk”
Do not just say it. Do it. Live it. People quickly spot hypocrisy and will discredit your words (and you) if they do not correspond with your actions.
Say it again
And again. Do not be afraid of overdoing it. Even the most powerful and important messages must be repeated to get into the hearts and minds of your listeners.
Take a stand
Inconsistent or insipid communication will be quickly discounted. Be clear on the facts, then have a point of view.
Say it in different ways
Formally and informally. In the executive summary of the report and verbally to the audit committee.
Listen to others
Ask provocative questions. Learn what is on the minds of your audience. Some of the most powerful communication occurs when we stop speaking and listen to what others have to say.
Respect your audience
Consider who you are communicating with and tailor your messages to their individual needs and availability.
Important messages should be obvious, not buried deep in a report or conversation. Issue powerful and clear presentations, reports and emails. When seeking to provide clarity share your views on implications, so the potential issue can be understood.
Leading an internal audit function is a rewarding role but also a challenging one. This is particularly relevant when there are issues in the business, and management teams are under pressure. At these times internal audit needs the courage to step back and speak up about what they see.
This is where the skills of a great internal audit team come together. They need to leverage their relationships, foster trust in all stakeholders and effectively communicate their observations to the company, so a common understanding is shared. This ultimately is the role of internal audit.
Clearly demonstrate the value that internal audit brings to the business and audit committee.
Deliver practical recommendations that can be implemented, covering assurance and process improvement and not least potential cost savings and revenue enhancement.
Keep presentations to the audit committee short and focused. Highlight current status, key achievements, major issues and planned actions and significant areas of concern, including emerging risks, or areas where you need help from the committee.
Demonstrate your knowledge of the business to both management and the audit committee. Deliver audit engagements that address the key risks of the company, using subject matter experts where required.
Become the “Agent of Change” for your company.
Here we set out some thoughts on corporate governance and the key role internal audit can play when a Russian company prepares for a listing on the London Stock Exchange (‘LSE’).
Corporate governance in the UK has evolved in the context of a particular business environment including:
Russian companies have developed in a very different economic and commercial environment.
Russian companies looking to list successfully on the LSE often need to consider how to adapt their corporate governance activities to meet UK requirements whilst remaining relevant to the particular local environment within which they operate, including:
A successful listing on the LSE generally involves a significant increase in scrutiny of a company’s corporate governance activities, including by potential investors, regulatory bodies, analysts and the financial press, and other stakeholders.
They will assess your corporate governance activities for:
How will you effectively manage this increase in scrutiny?
UK listed companies are more and more operating a transparent and robust system of Governance, Risk and Control (‘GRC’) based on the 3 Lines of Defence Model, with internal audit acting as the independent 3rd line of defence.
A critical element for successful corporate governance for a company listed on the LSE is its Board structure and division of responsibilities, whereby:
The Board delegates a range of its responsibilities to sub-committees to effectively discharge their responsibilities.
There are usually at least 3 main sub-committees each typically consisting of 3 independent* non-executive directors, including the chairperson.
Other Board sub-committees exist depending on the specific need of the company. For example committees responsible for oversight of financial reporting, investment, risk and corporate social responsibility.
Board responsibilities typically cover 6 core areas and are allocated between the Chairman, the Board collectively and its sub-committees. For example:
An effective internal audit function can play an important role in transforming your corporate governance activities.
It can act as your in-house consultant and “Agent of Change” to help you establish and maintain a transparent and robust system of governance, risk and control (‘GRC’) that is both:
Leading internal audit functions of UK listed companies are:
|PwC Russia is a Partner of the XXII Olympic Winter Games and XI Paralympic Winter Games to be held in the city of Sochi in 2014