IA Poll

The three layers of defense that have come to be recognized as imperatives for corporate governance structures are:

 

First Layer | Process owners, who manage risks associated with day-to-day operational activities, while being accountable for the implementation of controls.

 

Second Layer | Management & specific functions (such as compliance, risk management, and legal), that set standards and provide oversight in the form of frameworks, policies, tools and techniques to support risk and compliance management.

 

Third Layer | The function that provides objective and independent assurance, while assessing the operation of the first and second layers, with reporting to the board/audit committee ('AC').

 

This brings us to our survey, which related to approaches that contribute to making internal audits (as the third layer) most effective.

Risk driven internal audit charter



A majority of the respondents (52%) have assigned the greatest importance to the development and polarization of a risk universe and making this the fulcrum of their strategy to make internal audits effective.


A well-prepared risk driven internal audit charter (a) depicts the nature, frequency, extent, manner and type of tests; (b) is based on polarization of the risks (i.e. where risks are rated in terms of their relative importance to the business on parameters of likelihood and impact); and (c) is in alignment with the risk appetite and tolerance of an organization. This should be viewed as the blueprint relating to the operation of an internal audit function and one which seeks to ensure that the management is provided ongoing assurance on the effectiveness of measures to mitigate their strategic, financial, operational and compliance risks. The life cycle of the internal audit charter should therefore not be retrofitted to a year and can potentially extend to longer periods. The internal audit function needs to address the state of the current practices and controls to combat these risks, while considering the nature, size and complexity of the business and planned growth, so that the results of such assessments can enable the senior management team to make well-informed decisions. In the current and emerging business environment, the value from internal audits can be optimized by identifying and polarizing risks at an early stage (i.e. at the time of planning, before fieldwork), rather than doing a post-event analysis of the same.

 

The Reserve Bank of India (‘RBI’) has mandated the conduct of risk based internal audits in Scheduled Commercial Banks (except regional rural banks) through its notification CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002 and has issued a detailed guidance note for the same. The previous notification from the RBI in this context that was issued on January 07, 2021, had outlined additional best practices to be followed by a bank’s internal audit team such as authority, stature, independence of the internal audit function along with aspects relating to competence, staff rotation and reporting lines. These notifications serve as good practices for other industries as well and have been analysed by a team of experts from MGC Global in a previous and separate thought leadership alert.

Direct reporting to the board/AC



Over 1/4th of the respondents of our survey have attributed maximum weightage to the reporting relationship, in making internal audits effective. Clearly, to be an effective third layer of defense, the internal audit function should be independent and capable of providing objective assurance on a wide range of activities, through a systematic approach to evaluate and improve the effectiveness of the risk management framework, controls and governance processes. The structural separation of the internal audit function from the management facilitates greater objectivity when its direct reporting is to the board/AC. The manner of this reporting relationship should provide the basis for a coherent flow of communication that merits importance and facilitates direct feedback from the board/AC.


What brings the role of the board/AC to the forefront is independence and objectivity from the internal audit function, which require direct reporting to and guidance from the board/AC. In turn, it is essential that the board/AC facilitates suitable independence and stature with visible support from the senior management and other stakeholders.

 

As best practices, the board/audit committee should approve the internal audit charter with the internal audit budget and resource plan. They should receive ongoing communication from the chief audit executive/internal audit head on the internal audit's performance to assess its progress with reference to the pre-approved plan. They should make appropriate inquiries of the management to establish facts and address limitations as a consequence of the scope or resources.

Usage of data analytic tools



Analytic-driven recommendations support effective decision-making through the usage of software and programs that collect and analyze data related to areas of audit - information regarding the business, its customer and its competition. This helps internal auditors in understanding trends and uncovering patterns of decision making and transactions, with agility and soundness.


Intelligence generated from data analytic tools helps in improving processes that otherwise would require the involvement of data scientists or technology experts. For example, an internal audit team might use data analytics to review employment data such as onboarding logs to ascertain the presence of any anomalies, the results of which could then be shared with other departments, such as payroll/Human Resources, finance and compliance, to see if the observations are in sync.


In large data-driven internal audits, the analytics software must have the ability to review over a million rows of data backed by a comprehensive library of tests that can be run instantly. With over 1/5th of our respondents rating data analytic tools as a necessity for enhancing the effectiveness of internal audits, the clear message is that the usage of data analytic tools is gaining prominence. These enable auditors to mine information pertaining to monumental data sets and to find actionable audit insights through the use of technology, whether it is in the analysis of accounting practices to spot financial risks, IT records to identify cybersecurity risks, forensics and much more.

Closing comments



The question that invariably comes up for discussion is whether the internal auditor must be rotated every five years, as has been specified for statutory auditors in section 139(2) of the Companies Act. As long as objectivity of the internal audit function is maintained, and there are changes in team composition for a constant provision of fresh perspectives with industry insights and the involvement of senior resources, this is neither a practical necessity nor a legal requirement. What is most important is for the internal audit function to be independent from the responsibilities of management - this is not only a holy grail but also a practical necessity, which is critical to its objectivity, authority and credibility.


The internal auditors must have unfettered access to people, resources and data, which are required to undertake their mandate, with freedom from bias or interference in the planning and delivery of their services. Stakeholders working in the first, second and third layers need to work together and collectively in order to contribute to the creation and protection of an organization’s value, with a common alignment, which is to the prioritized interests of all stakeholders of the organization. Frequent, open, honest and direct communication with cooperation, collaboration and healthy criticism are imperatives to enhance the reliability, coherence and impact of the internal audit function.

Should you have any questions or require assistance, please do not hesitate to reach out to contactus@mgcglobal.co.in.


With best wishes,

Markets team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 & 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the year' in 2021 (in the category of risk advisory services); MGC Global is an independent member firm of the US$ 4.6 billion, Atlanta headquartered - Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai, NCR; and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.6 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in 99 countries, who have over 26,000 professional staff and over 4,000 partners operating from 688 offices across the globe.

 

Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.