To discuss board best practices in the oversight of internal audit by the audit committee and the board, NEDonBoard recently welcomed:
- Kathie Child-Villiers. SID and chair of the audit committee of Utilitywise, NED at Bank of Montreal Capital Markets Ltd and chair of the board of Constantine Group Ltd. Kathie is a former corporate finance adviser in the energy sector with large investment banks.
- Iain Cornish. Chair of St. James’s Place Wealth Management, member of the audit committee of Arrow Global Group plc and Treasurer of MacMillan Cancer Support. Iain is the former CEO of Yorkshire Building Society and former independent director of the PRA.
- Mary Hardy. Board member and audit committee chair of Sensyne Health plc, the Oil and Gas Authority, and the Royal Navy and the Chartered Accountants Benevolent Association. Mary is a former director of internal audit for Diageo, Transport for London and the London Olympics (as part of her role as head of risk assurance).
The panel discussion was chaired by Jonathan Hayward of Independent Audit. He began the discussion by reminding the audience of the provisions of the UK Corporate Governance Code and the Guidance of Audit Committees. Both the Code and the Guidance offer limited recommendations with regards to internal audit.
How does the audit committee assess the need for internal audit?
Kathie Child-Villiers said that audit committee members should assess the need for internal audit on an ongoing basis, considering the external environment, the industry and trends to decide whether the risks are changing. Audit committee members should monitor the risk register and ensure that controls develop in line with the business. Internal audit should be established when internal controls grow and become more complex.
In the absence of internal audit, how can the audit committee receive the assurance it needs to fulfil its obligations?
Mary Hardy reminded the audience that even when there is an internal audit function, it does not provide assurance on all aspects of the business. If there is no internal audit function, audit committee members should spend more time with management. Mary Hardy indicated that external auditors will also come across issues that audit committee members must consider.
For each risk, audit committee members need to consider the assurance they are getting and whether it is sufficient. If not, then internal audit should be established. Deep-dives at the audit committee allow committee members to get an in-depth understanding of a specific area.
Internal audit comes at a cost and, in small organisations, the cost may be too high to justify a potentially under-utilised internal audit function. Nevertheless, for growing businesses, there often comes a tipping point when internal audit is required.
Different models for internal audit services to a company
Iain Cornish highlighted the different internal audit models that a company can use. As companies mature and grow in both size and complexity, their internal audit solution is also likely to evolve. Although cost is an important consideration in the decision-making process, the focus for audit committee members should be on the risks and whether they receive adequate assurance for those risks that are identified.
In-house internal audit
In-house internal audit benefits from the strength of internal relationships between the internal auditors and the areas that are being audited. However, the in-house model is not always cost-effective and there may be constraints around specialist skills.
Outsourced internal audit
Although outsourced internal audit provides flexibility of resources, can bring specialist knowledge and allows benchmarking, it can be expensive. Nevertheless, outsourced internal audit can be a tremendous help for young businesses.
Co-sourced internal audit
The co-sourcing model is a mix of the in-house and outsourced models and is popular with many companies.