Вы находитесь на странице: 1из 8

PROFESSIONAL GUIDANCE DIRECT

A view
from the audit
committee
Audit committee chairs give their views on
the role and value of internal audit and what
they expect from the head of internal audit
Meeting higher expectations

Internal audit has become an integral part of good corporate governance, but it continues
to need the support of its audit committee to be effective, says Institute chief executive
Gail Easterbrook.

The relationship between the audit committee and agree. Internal auditors should be giving an opinion on
the head of internal audit has never been so the quality and extent of its assurance so that audit
important. Both the requirements of the Sarbanes- committee chairs can see exactly where the business
Oxley Act in the US and the revised Combined Code stands in relation to achieving its objectives.
on Corporate Governance in the UK have placed
Sir Ian Prosser rightly says that good internal auditing
assurance on internal control centre stage.
work is carried out according to the Institute’s
Audit committees are expected to know what risks International Standards for the Professional Practice of
they face and how they are to be managed, and they Internal Auditing (International Standards). In fact, Ian
are increasingly turning to their heads of internal audit Harley wanted to see more reliance put on the work
for help. Their expectations are higher now than ever. that internal audit does by external auditors – not just
as a way of cutting the external audit fees, but
because he believes that the quality of work provides
“The extent to which the audit the right sort of assurance.

committee chairs rely on their These audit committee chairs agree that a
professional, well-resourced internal audit function is
heads of internal audit is striking” an integral and necessary part of an effective corporate
governance framework. We see it as one of the four
cornerstones of good governance, together with the
While there have been many useful surveys exploring board, executive management and external audit.
the changed role of the audit committee chair, the
More than that, though, audit committee chairs who
Institute wanted to find out how best practice works
work together with their heads of internal audit have
in some of the UK’s leading organisations. It is
access to fresh and independent perspectives on some
sometimes helpful to know why people are building
of the issues that really matter to the business. But
the sorts of relationships they find useful and how
what do these audit committee chairs give back to
they expect to benefit from them. It is difficult to
internal audit to make that relationship work
survey on these more complex issues.
properly? In conversation each of the interviewees
That is why we asked some of Britain’s highest profile here stressed how important it was for the audit
audit committee chairs to take part in the interviews committee to ensure the independence, profile and
that are distilled into this publication. We spoke to professionalism of the internal audit function. The
John Buchannan, Bill Griffiths, Ian Harley and Sir Ian audit committee can help create a culture of
Prosser – all of whom sit as chair on multiple blue chip challenge and transparency in the organisation so
or government audit committees. that internal audit can report with candour up to and
including board level without fear of retribution.
Without exception, the audit committee chairs
interviewed have high expectations of their heads of There are different points of view expressed in these
internal audit. They want someone with integrity who interviews. Personalities and organisations are diverse.
knows what is going on in their organisation, What emerges, though, is a picture of a close and
someone who cuts through the mass of operational dynamic relationship between the audit committee
detail to give them the information that they really chairs and their heads of internal audit that is essential
need to know, and someone who is not afraid to to steer the organisation in the right direction.
speak their mind and be unpopular, if necessary.
Longer versions of each interview can be found in the
These are precisely the qualities that the Institute
Institute’s magazine Internal Auditing & Business Risk.
promotes and fosters among its members.
The extent to which the audit committee chairs rely on
their heads of internal audit is striking, but, in our view,
necessary. Providing assurance to the board is a key
2 role for internal auditors, as all of those interviewed
Action agenda

“I appreciate internal audit as a key source of assurance even more as a non-executive”

John Buchanan holds high-profile non-executive positions on the boards of four FTSE 100 companies. He is chairman of the audit
committee at AstraZeneca, deputy chairman of Vodafone, senior independent director at BHP Billiton, and non-executive chairman
of Smith & Nephew. The Times newspaper ranks him as the most powerful boardroom figure in the country. He spent his executive
career at BP, where he was chief financial officer from 1996 to 2002. Prior to that, he held a range of financial and operational roles
at the company. Buchanan was born in New Zealand and has a PhD in chemistry from Auckland University.

Quality assurance
Verification is an important word for John Buchanan. in doubt about which is which, then that is an item

and improvement
It’s good to be able to trust people, but trust on its for discussion.”
own is not enough. The big question, he says, “is how
He spends a lot of time in what he calls “shoe-leather
do you get verification?”
management,” – getting out there and talking to
It’s a simple question, if deceptively so. He got the people. And because he puts a lot of store in personal

programmes
idea from Ronald Reagan. The former US president relationships, the head of internal audit’s personal
was telling an anecdote about his disarmament talks attributes are very important to him. “You want
with Soviet counterpart Mikhail Gorbachev. Things someone who is open, confident, challenging, bold,
were at an impasse. Gorbachev wouldn’t give access independently minded, and has deep integrity,” he says.
to American weapons inspectors. “Don’t you trust
us?” asked the Russian. “Yes,” replied Reagan, “but He believes that experience in business management
SEPTEMBER 2007
trust with verification.” is ideal, perhaps essential, so they can “earn their
business stripes.” He says that counters a tendency
“It’s so simple, like all brilliant things, but for me it is among some internal auditors to worry about things
a key note,” he says. The need to back up assertion that don’t actually matter that much. Understanding
with verification is one reason why Buchanan says
the business end of the process helps internal audit
internal audit is “essential” at the companies were he
work effectively with the managers they deal with.
is on the board.
Buchanan also expects internal audit to make a positive
Buchanan says internal audit has become more
contribution. “You want someone who is walking into
important to him since he moved into the non-
the CEO’s office at least once a month and offering a bit
executive world – previously he was CFO at energy
of insight,” he says. They should be raising concerns,
group BP. He says that it is hard enough as an
flagging risks that are affecting other companies,
executive director to get assurance about what is
really going on in a huge corporation, but as a non- “acting as a sounding board for the CEO as well as the
executive, you do not have a team around you, which CFO – someone who operates at that level.”
is why “I appreciate internal audit as a key source of And they must have an action-based agenda, looking
assurance even more as a non-executive.” to get things nailed down and finished. He wants
So, what does he appreciate about internal audit? someone who is suggesting things that can be
First, he says, there is the formal role. He defines this implemented, “and not just agonising over worries
as “providing assurance that in key risk areas that go on and on from meeting to meeting.” There
standards and policies are in place and are being should be what he calls a programme for closure:
implemented effectively.” “Who will do what for whom and by when? Then it’s
full stop, turn the page, next item.”
But the informal side of internal audit is just as
valuable too. A good head of internal audit can act as Summing it all up, he needs “a valued player to the
a sounding board, which is vital for a non-executive. business people, as opposed to someone who’s going
Buchanan talks to the head of internal audit before to ask difficult questions without adding a lot of value.”
every audit committee meeting. “I ask them what is
And there’s more that he would like internal audit to
on the agenda, and what isn’t on the agenda that if
do in future. It should be “getting ahead of the curve
they were the CEO or CFO they might like to add.”
on insight,” he says. Asking “what’s the next big
“That helps us to focus on the key issues so we don’t problem and where is it coming from?” That requires 3
spend too much time on the peripherals, and if I’m people who can “sniff out the danger signs fast.”
Close relationship

The most important attribute for a head of internal audit to have is personal integrity,
says Sir Ian Prosser. While the changing role of the profession has meant that a much
wider range of skills are required than in the past – such as commercial intelligence and
knowledge of the business – people management and leadership skills have remained
central. “Above all you’ve got to see integrity shining through,” he says.

Sir Ian Prosser joined the board of global energy giant BP in 1997 and was appointed non-executive deputy chairman in 1999. He
is the company’s senior non-executive director, chairman of the audit committee and a member of the remuneration and
nomination committees. He is also the senior independent non-executive director of GlaxoSmithKline and a non-executive director
Qu
an
of the Sara Lee Corporation. He was previously on the boards of The Boots Company and Lloyds TSB and was chairman of
InterContinental Hotels Group.

When asked why internal audit is important, Prosser


points to the requirements of the Combined Code of
Corporate Governance, which all listed companies are
expected to follow.
and don’t make life difficult or complain if the head
of internal audit decides to use it. Taking an issue to
the audit committee “has to be an acceptable thing
to do,” he says.
pro
“It’s clear that an internal function is required to Rather than worry about the value that internal audit
examine whether the system of internal control is is adding, at BP, where Prosser is audit committee SEPTEM
working as you envisaged that it might,” says Prosser, chair, there is an annual assessment of internal audit’s
“and to see that it is responding to the significant risks performance. This review focuses largely on the
in the company and reporting on that position to the performance of the head of internal audit. Important
board, through the audit committee.” areas include the way the head of internal audit
presents the programme of work, how well the
Prosser defines an organisation’s governance system
function liaises with the external auditors, how closely
as the framework of rules by which it runs itself and
the function is managed in line with criteria set out by
internal audit’s job is to monitor the extent to which
the audit committee, and the quality of the data that
managers work effectively within that framework. If
the function brings to the audit committee. The key
management stray from the framework, it is internal
question, says Prosser, “is whether this is data that
audit’s role to point that out and enforce compliance.
gives the audit committee comfort.”
While he accepts that it is worth meeting internal
auditors further down the line, the reality is that he
Often the most valuable does not have the time to do so.

insights internal audit can give The introduction of the requirements of the Sarbanes-
Oxley Act for US listed companies has increased the
relate to the corporate culture, workload of the audit committee – and many
organisations have followed the tenets of that Act,
especially in those that make even if they have not been compelled to do so.
“Audit committees require increased amounts of
large acquisitions. information and a broader level of information,” he
says. “It is internal audit’s job to harness the data within
the company to meet those requirements and
The audit committee and internal audit need to have a understanding what the true risks of significance are.”
close relationship, he believes. That means meeting the
Such changes have pushed internal audit further into
head of internal audit before every audit committee
the risk management arena, says Prosser. He now likes
meeting and keeping in touch in between, if necessary.
to get information on the profile of risks that come from
4 It is important, he says, that management are aware an audit assignment. Working on a scale of priority from
of this reporting link, appreciate what it is there for, one to ten, items above five would be discussed at the
uality company
assurance
“It is internal audit’s job to harness the data within the
to meet those requirements and understanding
nd improvement what the true risks of significance are.”

ogrammes audit committee and any below that would just be


reported in summary, with a note of how many there
were and whether they had been remedied. “Let’s
concentrate on those risks that could be significant from
the total group point of view,” he says.
MBER 2007 Would he like the head of internal audit to give an
overall opinion on the effectiveness of the control
framework? “Wouldn’t that be lovely!” he laughs. He
believes that reporting by exception is necessary, so
that the audit committee can focus on problem areas,
but he still likes to see the head of internal audit set out
a work programme for the year. “But I wouldn’t expect
to spend a lot of time on things that the internal
auditors didn’t feel were necessarily large enough.”
Often the most valuable insights internal audit can
give relate to the corporate culture, especially in those
that make large acquisitions. As for the culture of the
internal audit function itself, Prosser says it is
important that work is done in accordance with the
Institute’s international Standards.
Not only does he expect the head of internal audit to
be fully up to speed with the standards, he thinks they
should be actively involved in the profession, helping
to formulate new standards and helping the
profession to develop more widely.

5
The right questions

Bill Griffiths advocates a risk based approach to internal audit. That is because in large,
new government departments like HM Revenue & Customs (HMRC), where he is chair of
the audit committee, there are so many things going on at once it would be all but
impossible to do otherwise.

Bill Griffiths is non-executive chairman of the Forensic Science Service. He has an international finance and general management
background, chiefly with Unilever, including spells abroad in Ghana, Nigeria and Cote d’Ivoire – and latterly with ICI. He is also a
non-executive director and chairs the audit committees at HMRC, the Department for International Development, the Department
for Environment, Food and Rural Affairs and at the Child Support Agency. In addition to his work in the public sector, he is involved
with university spin-out technology businesses in Manchester.

“The head of internal audit should not feel a slave to his Like many audit committee chairs, Griffiths uses internal
programme,” Griffiths says, “he needs to be flexible and audit to act as a conduit for information about how
have the ability to calibrate the work he does to different parts of the organisation is progressing. He
complement other assurance work in the organisation.” expects the head of internal audit to keep him and the
Griffiths has clear views about what he wants from his board updated on any new developments. “I would
head of internal audit. He says he expects him to be a start to worry about internal audit if I heard about things
good communicator and to be able to make that the board did not know about,” he says.
presentations to senior management and the board in He would also worry if internal audit had not given
ways that make sense to them. That means asking the sufficient weighting to risks, particularly in light of the
right questions and analysing the data in ways that annual statement of internal controls that the
are appropriate to each level of the business. “The organisation has to submit to government. “There is
way things are expressed and written up are just as a lot of candidate stuff to go into the statement,
important as the way that they are followed up with which means that the risks have to be properly
action,” he says. calibrated by internal audit,” he says. “I don’t want
Most of Griffiths’ contact with the internal audit internal audit to put every trivial item on the list.”
function is through the head of internal audit. They “I also don’t want internal audit to provide floods of
get together before each audit committee meeting. information because we only have four or five
“He also has unfettered access to me,” he says. meetings a year,” he says. “Internal audit needs to be
Giffiths says that he would be involved if the head of really insightful, which means that good judgement
internal audit did not meet expectations, or if HMRC on these issues is important. One of the key questions
needed to recruit a new one. But he is cautious about for internal auditors is to ask, ‘how do you help
advocating the need to bring those with extensive management focus on important things and the new
experience of the private sector into the department things that are coming up?’”
at this level. He believes the balance between working
If the head of internal audit is good, he says, it is helpful

“Internal audit needs to be for the audit committee to promote his cause. Similarly,
the audit function can promote the audit committee’s

really insightful, which means role in a way that is mutually beneficial. The audit
committee can help internal audit if there is a squeeze

that good judgement on these on its resources: “If internal audit has too much work
on, we make sure that it can get the most from the

issues is important. resources it has. In addition, we help it put together its


overall audit plan and set its priorities for the year.”
on big projects, dealing with ministerial pressures and That is not to say that compliance is not the bedrock
getting risk management right is tough to balance of what internal audit does. But Griffiths believes that
and that the personal satisfaction for doing so might it needs to be efficient in compliance and, from the
6 not match the needs of those that have worked in HMRC perspective, work within the expectations of
private business. the external auditors – the National Audit Office.
Widening internal audit’s scope

“Internal audit is a key thermometer for the board,” says Ian Harley. “It tells the board
what is going on and helps the messages from the top reach down to the bottom.”

Ian Harley is a non-executive director and audit committee chair at Rentokil, British Energy and Remploy. Harley spent five years at
the accountant Touche Ross before moving to Abbey National where he spent the next 25 years. During that time he worked in the
finance, retail banking and wholesale banking areas, in a succession of management roles. He was a main board member for over

Quality assurance
nine years with his time on the board being split evenly between the finance director and chief executive roles. He has held a number
of industry posts including being chairman of APACS for three years and a member of Financial Services Authority practitioner panel
for three years. He is vice-president of the National Deaf Children’s Society.

and improvement
Harley sees the internal audit function as playing a
central role in corporate governance by providing
assurance to the board, looking over the financial
the executive, but not of the executive at the same
time,” he says. He also rates highly people who are
articulate and coherent. And he values those who can

programmes
controls and checking on the probity in the organisation.
“Internal auditors are not there just to look at the
numbers and inspect them,” he says. “But typically, in
raise critical points in a board meeting in addition to
making their own presentations. On the other hand, he
does not believe that industry-specific experience is
generally needed, except in very specialised sectors, such
the organisations in which I have been involved, if the
as derivative trading.
internal audit department,
SEPTEMBER 2007 or the chief internal auditor,
have been engaged in consultancy, it hasn’t ended well.” “Increasingly,” he says, “internal audit is seen as a
positive step, a real career option.” He sees this trend as
Harley believes that the board would need to recruit
a positive development in the profession and has
different sorts of people for the internal audit role
noticed that in smaller organisations, where a career
depending on whether they were to be used for
approach may not be as possible, internal audit is seen
consultancy or not. In addition, he says that
often as a talent pool for the rest of the company.
consultancy projects can make the relationship with the
line manager more difficult because the function could Harley says that in the organisations where he has
be seen as interfering with the way the business is run. worked, internal audit is the key link in the assurance
chain and works closely with the external auditors.
He places his faith in an internal audit process that
Its job is to look after the probity and financial
involves making recommendations and coming to
controls of the organisation, as well as ensuring that
conclusions that can be discussed with line managers.
executive management is doing what it should be
He accepts that line managers may not agree with
doing. Increasingly, it manages the whistleblowing
everything that internal audit suggests, but managers
procedures too.
should produce plans of action in light of what
internal audit has to say.
“All of this is moving away from simple inspection and
“Increasingly, internal audit
widening internal audit’s scope,” says Harley. He
contrasts this approach to his time in retail banking in
is seen as a positive step, a real
the days when internal audit was a matter of
inspection. “The internal auditors would come in and
career option”
say, ‘nobody move until we’ve counted the cash’.
Given this remit, he believes that internal audit is the
There was a lot of site inspection of this nature. Now,
key part of the assurance loop – not as well as, but
of course, internal audit is more risk-based and is done
instead of external audit. “If internal audit is doing the
less by rote. That has made it much more flexible and
assurance work, external audit should be relying on
more responsive to organisations’ changing needs. It
that work,” he says. “If an organisation is running an
is not an internal ‘McKinsey’ though.”
internal audit team of some scale, then they want
Harley says that internal auditors should be independent, external audit to rely on it.” That is not just a cost
intelligent and self-confident. He understands that being issue. It is also a testament to the value of professional 7
a head of internal audit can be a lonely job – “you are of internal audit in today.
PR

About the Institute

The Institute of Internal Auditors (IIA) has been leading the profession of internal auditing for over 60 years. We
A
fr
are the only body focused exclusively on internal auditing and we are passionate about supporting, promoting
and training the professionals who work in it.
Every year we help thousands of internal auditors at every stage of their career with training, qualifications
and technical resources enabling them to deliver exceptional results for their organisations.
Our International Standards and Code of Ethics unite the global community of over 130,000 IIA internal auditors.
These Standards mean that employers can be sure that IIA members across the world operate with integrity and to
the highest levels of professional competency.
c
Au
The IIA - leading the profession of internal audit.
the
the

www.iia.org.uk
The Institute of Internal Auditors – UK and Ireland Ltd
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
tel 020 7498 0101 fax 020 7978 2492 email info@iia.org.uk

Registered in England and Wales, no. 1474735


© October 2007. Information can be made available in other formats.

Вам также может понравиться