By Sarah Blackburn, speaker at CIPFA Audit Update
Some audit committees have been described as passive consumers of external audit; 'reluctant, even if able, to ask penetrating questions, demand performance, and discipline the partner and/or the firm where necessary [1].'
But how good are audit committees at overseeing the performance of internal auditors? What are they doing and what should they be doing?
A Chartered Institute of internal audit survey, released this November, of Heads of Internal Audit (HIA) in the UK and Ireland, showed that in the public sector, audit committees were responsible for only 38% of HIA appointments, compared with 76% in financial services and 75% in other private sector organisations.
Public sector audit committees did approve 85% of audit plans and 68% of internal audit charters (91% and 86% in financial services; 85% and 76% in other private sector organisations). There is scope here for further audit committee involvement in the oversight of their key source of independent assurance.
However, executive management was responsible for: the internal audit budget (62% public sector; 31% financial; 51% other private); the HIA’s appraisal (86% public sector; 71% financial; 78% other private) and their remuneration (82% public sector; 48% financial; 70% other private).
While the audit committee, as a non-executive body, has traditionally left the internal audit budget and remuneration to the executive, it is arguable that audit committees rather than executives should have a greater say in these areas. Particularly the HIA’s appraisal, since the audit committee is the primary recipient of the HIA’s opinion on the reliability of risk management and internal control, and the audit committee’s oversight is essential to the independence of internal audit from management.
The contrast between the public and private sector on budgets and remuneration is striking. The balance of power in the financial services sector appears to be shifting to the audit committee, in response to governance and risk management failings. In light of examples of past failings at Mid-Staffordshire NHS Foundation Trust and others in the health and social arena, perhaps public sector audit committees need to wake up and seize the initiative with internal audit.
Internal auditors need audit committees who can challenge, as well as support them. The audit committee should know whether internal audit is a reliable assurance provider that helps the board and executive management sleep through the night, leaving them confident that risks are being managed within defined parameters.
[1] Norman Marks, Audit Committees Should Discipline the Auditors More Often
Sarah Blackburn is a well-known governance specialist, non-executive director and Audit Committee Chairman, Chartered Internal Auditor and member of the board of The Institute of Internal Auditors Inc (Global IIA).