What is Internal Audit?

The purpose of internal audit is to be a vital asset to the organisation’s board and senior management in helping them protect the organisation’s assets and it’s sustainability.

All organisations, such as banks in our field, whilst pursuing their strategic goals face risk. Internal audit can help organisations achieve their strategic goals by providing them with assurance whether the risks they face are adequately controlled and governed or not.

The role of internal audit can be summarised as follow with its key attributes:

• They are independent from the organisation’s operations, often reporting to the Chair of the Audit Committee.
• Provide risk-based and objective assurance. This includes insights, advice and foresight.
• Utilises key skills such as challenging and influencing the senior management to improve its efficiencies and effectiveness, in areas such as controls adequately designed to meet the risk objectives and are not duplicated elsewhere and getting rid of controls that serve no risk purpose.
• Assess whether controls are adequately designed to manage risks to the organisation whilst in pursuit of its strategic objectives.

The classical thought of internal audit methodology is having papers attached to a clipboard and an auditor asking questions that have been pre-defined, perhaps questions used in the last audit, and ticking them whether the answer fits the box or not. If the answer did not fix the box, the operations were asked to amend their action so that it ‘fits the box.’

The modern methodology gives priority to assessing the structure and risk profile of the organisation for assessing the audit coverage. It considers areas such as the following:

• Business strategy and whether key risks have been identified, including emerging risks
• How effectively these risks are being managed
• Focus on areas with higher risks
• Ongoing assessment of risks, such as business process changes, new products and services, M&A, macroeconomic events
• Review organisational culture and whether it’s embedded within the business strategy

The modern internal audit methodology helps more in achieving its purpose and helping the organisation by prioritising matters of greater concern and importance through evaluating its risks and its management.

There are typically three routes to an internal auditor: graduate or entry level internal auditor, moved from an external audit practise - typically post accountancy qualification, move from the first or second line within an organisation. The latter two may have to demonstrate some level of skills to the hiring manager to showcase the typical thought-process and skills an internal auditor should process.

More accomplished auditors have the following skill sets that allows for greater audit quality:

• Inquisitive, scepticism – wants to know how things work, fits in the bigger picture, doesn’t always take things/ explanations at face value
• Passion – genuinely wants to pursue the purpose of internal audit and learns and enjoys it whilst doing it
• Team collaboration – learns from others in the team and shares experience and knowledge with the rest of the team so that overall audit quality and personal experience improves
• Communication – gives stakeholders better perspective and understanding of risk and control, communicates ideas and issues through a systematic process enabling better understanding of how improving the risk management effectiveness and efficiency helps attain organisations strategic objectives.

If an auditor doesn’t have prior experience in a business segment, for example experience in FX products, but has the above skills, they would be more useful as they would be able to learn quickly through their passion and give more impact to the audit quality. Prior experience is not a good indicator of good audit quality as it would be useless if they were unable to share this knowledge to benefit the rest of the team or communicate issues more effectively.

Internal audit can be performed with an in-house team, outsourced to a third party, or in-house team is supplemented by a co-source provider.

Newly set up or smaller banks and building societies often go for an outsourced function. The hope is that the OSP can provide insights from other organisations within their portfolio that can share best practices and insights that can help them better manage risk. This can prove expensive in the long run and senior management should look to build an in-house internal audit team that has a sustainable purpose aligned with the corporate’s strategy.

An in-house internal audit team provides the best all-round value in achieving the purpose. With a strong leadership in the team, knowledge and experience can be shared with the team members stretching their abilities and obtaining vital skills that rarely any other team offers. Audit members rotating into the operations of the organisation helps build a better culture, risk management and for the individual stronger leadership capability. 

A co-source solution can be very useful to build the team’s capability if used well. Knowledge and experience sharing through coaching is vital here, but its debatable whether this is achieved.

The future of internal audit needs to adapt modern principles in order to achieve the purpose that has been described above, which supports the sustainability of the organisation it serves. The Chartered Institute of Internal Auditors (IIA) recently refreshed its Code of Practice and has included these modern theses. It highlights the importance of the scope of audit, which is vital. This blog was created to help auditors and audit teams devise the audit scope, to ensure that matters of importance and emerging risks that are linked to the organisations business strategy is assessed. Undoubtedly, if internal audit functions were to adopt these principles it would be in a very good position to achieve the purpose in providing that much needed assurance that the business can go about its strategies knowing that it has sound risk management.