Internal audit functions have not remained untouched by the changes in the business and economic environment. They are faced with myriad challenges, which range from meeting the additional expectations emanating from the current business realities to finding the resources to meet these challenges.
Findings from a recent Internal Audit survey conducted by Ernst & Young suggest that stakeholders at PSUs now expect the internal audit function to have a larger and strategic role in governance and risk management.
This is a significant shift from the earlier role of assurance and compliance. The internal audit function is now expected to provide value to the business through an expanded mandate. Over 90 per cent of respondents expected internal audit to provide recommendations relating to process improvements and cost reduction; while over two-thirds expected the function to be involved with sharing of best practices and management initiated mandates.
This trend indicates the importance given to governance requirement by stakeholders and acknowledges that internal audit function is best suited with necessary framework, tools and enablers to provide adequate coverage and delivery.
That said, only some PSUs are using risk assessment as an enabler and prerequisite to defining governance and control requirements for the entity. The other significant point is the absence of IT & fraud risk assessment done as part of the overall risk assessment exercise.
Given the importance of information system in business operations and regulatory requirements, it is critical to include these as key components of the risk assessment exercise. Even in companies where risk assessment is done, it is performed more as an annual ritual rather as a tool to recalibrate the control framework in light of the risk environment.
A significant proportion of the organisations surveyed did not have a clearly defined charter for internal audit. While the headcount and budget of the function has remained the same or increased marginally in the past year for public sector organisations, the number of items on the agenda has increased greatly.
This has, in turn, resulted in increased pressure on employees. This is further exacerbated by frequent refreshes of the internal audit plan, which add to unplanned items competing for resources, scheduled based on the original audit plan.
This indicates that while the audit function is seeing increasing expectations, it may not yet be ready to fulfil its mandate, in its current form and structure, across the majority of organisations.
Internal audit functions in PSUs are investing significant resources in skills and competency development to attract best talent. Cross function movement has helped PSUs in providing a challenging work environment while keeping attrition levels under control.
Also, internal audit resources are deployed on strategic projects which offer an enriching experience to the team. Several organisations have not devoted sufficient time and effort to develop a well-defined people model that factors in the competencies of team members and the opportunities they need to be provided with as they grow professionally.
Further, there is immense scope for audit committees in PSUs to play a larger role to ensure that risk and control function is delivering as per stakeholder expectations.
The level and depth of the audit committee interaction with the internal audit function should increase substantially as compared to today.
The role, responsibility and reporting structures need to be aligned for the audit committee to meet its intended objectives of ensuring effective and efficient mechanism for assessing the adequacy of internal controls.
The oversight role of the audit committee is a critical pillar of governance in an organisation. In the current environment, where the pulls and pressures on internal audit functions are manifold, it will be important for audit committees to ensure that they remain independent and objective in providing assurance coverage.
The role of an audit committee in these challenging times is more critical than ever before in providing strategic direction to internal audit, so that the latter is able to focus on risks that matter and meet conflicting demands on its resources. Audit committees have a fiduciary duty to protect the interests of widely dispersed shareholders.
Quality is the cornerstone of internal audit and will require an even greater focus in the todays environment as internal audit functions will be more intensively scrutinised by stakeholders.
Internal audit will only be able to play a meaningful role in the broader value delivery agenda of organisations if its base assurance programme is executed smoothly and adhere to the desired quality benchmarks.
It is the right time for public sector companies to pause and reflect on their internal audit functions and their current practices and capabilities, and thereafter, delineate an improvement roadmap. This will help their internal audit functions to meet the expectations of all their relevant stakeholders and build an image of a credible business assurance function.