In our last article we highlighted the role of the audit committee
as the engine of an effective board. In this article we will
examine the internal audit as an important tool of the audit
The responsibilities of the audit committee go far beyond
simply reviewing internal control management letters and comprises
oversight responsibility for internal control exercised by
means of reports from management and both external and internal
This function, by necessity, requires committee members to
understand the nature of the risks to which the company is
exposed and how it manages these risks.
In face of the list of their responsibilities, it is difficult
to see how the audit committee members could discharge their
responsibilities effectively, even if they were to meet monthly.
Clearly, they could only do so with considerable assistance
from internal audit.
As the European Commissions green paper on auditing
statesCompanies without a strong internal audit
function will be unable to provide an audit committee with
sufficient information to fulfill its responsibilities
Changing internal audit
It is now clearly established, given recent world corporate
failures and best practice legislation (SOX 404), that the
demands on the internal auditor are changing as companies
strive to enhance governance, manage their risk more effectively
and create a sustainable compliance process.
The chief internal auditor, in particular, is in the corporate
spotlight much more frequently.
For the internal audit team, the current environment presents
a unique set of challenges, as well as an exciting opportunity
to contribute to the organisational agenda and add real value.
To succeed in this environment, internal audit may have to
change old staffing models and more effectively navigate the
often-conflicting expectations of its stakeholders.
In advising all levels of management and the board (through
the audit committee), on the companys systems of internal
control and management of business risk it is evident that
internal audit is expected to add value specifically in the
areas of risk management processes, internal control effectiveness,
opportunities for process improvement, implementation of recommendations,
corporate governance, systems development, management of change,
acquisition and divestments and cost reduction opportunities
The audit work plan
Each financial year, internal audit should be required to
prepare an audit work plan which should be submitted to the
audit committee for approval.
This plan should be sufficiently comprehensive to ensure a
complete and effective review of the companys operations
on a cyclical basis while at the same time being flexible
to accommodate special assignments requested by the audit
Essential to the audit plan is an audit schedule which should
be based on a credible business process risk assessment. This
should be used to prepare an audit schedule specifying which
audit projects are to be undertaken each month together with
an estimate of the time and resources required to complete.
In prioritising the audit schedule, the degree of risk attributable
to individual activities will be assessed taking into consideration
factors such as: materiality, the significance of the activity
in terms of the companys goals, the effectiveness of
manual and automated system controls, importance in terms
of sensitivity and public accountability and the findings
of previous external and internal audit reviews.
Given the current drivers, internal audit functions are expected
to meet higher performance standards and contribute more to
the quality of an organisations governance process.
In the Caribbean, and in particular Trinidad and Jamaica,
we are witnessing a shift by some of the leading companies
towards greater effectiveness and accountability in the internal
Next week we will examine some of the best practices within
Arnold Niranjan is the leader of Business Risk Services at
Ernst & Young Caribbean. EYC is a regional firm providing
assurance, tax and business advisory services to a diverse
portfolio of clients. This article forms part of a series
on governance issues and emerging best practices.
the audit committee expects of internal audit is usually set
out in detail in the internal audit charter, a document which
should either be drafted or at least approved by the audit
committee. The following items should be addressed in the
The internal audit department is created by and exists as
an extension of the audit committee of the board of directors
for the purpose of assisting the committee, and the board,
in satisfying their legal obligations for ensuring proper
and reasonable operations of the company. In order to promote
independence and enable internal auditors to render unbiased
judgements, it reports functionally to the audit committee
of the board and administratively to the chief executive.
Internal audit operates with the full, direct authority and
guidance of the audit committee. It is entitled to audit all
systems, activities, projects, subsidiaries and business units
of the company. It has unrestricted access to all records,
reports, personnel and premises for audit purposes. In essence,
internal audit is an arm of the audit committee.
The following, while not exhaustive, spells out what the audit
committee should expect from internal audit:
To perform in accordance with the standards applicable to
the professional practice of internal auditing
To examine and evaluate the adequacy and effectiveness of
the companys systems of internal control which should
Reviewing the reliability and integrity of financial and operating
information and the means used to compile and report on such
Evaluating the companys systems to ensure compliance
with company policies and procedures as well as laws and regulations
Reviewing the means of safeguarding assets and verifying their
Auditing significant business processes to determine if they
are operating efficiently and effectively. Identifying key
performance indicators within the process and measuring results
against those key performance indicators
Undertaking special investigations and reviews of the related
areas of fraud control, risk management and security as well
as any other area focused on by the audit committee
Participation in information technology systems design to
determine whether adequate controls are incorporated into
Specifically, what the chief internal auditor is not expected
to do is exercise any executive or managerial authority except
within the department itself or get involved with the day-to-day
operations of the company.
E-mail: [email protected]