The internal audit function is headed for a fundamental change in the coming years. This change will affect the way in which it is conducted and will have implications for the various stakeholders of the company. So far, almost everybody has associated internal audit with a separate department within the company that monitors its transactions and operations.
Some movement towards outsourcing this function began when internal audit became compulsory for all companies falling within certain criteria (listing, size, etc) but this option was generally adopted by firms who were too small to justify maintaining an in-house department.
Larger firms continue to have their own internal audit departments. This department is often the entry point where bright chartered accountants and, in more recent years, industrial engineers and MBAs cut their teeth.
In short, internal audit has been an in-house activity, as opposed to external (statutory) audit. Incidentally, ISA 610 from the International Auditing and Assurance Standards Board (IAASB) whilst defining the internal auditor states that he may belong to the internal audit department or any other equivalent function which appears to imply that this activity is an integral part of the company.
In other words, the term internal refers to the person carrying out the activity rather than the activity itself.
The term internal audit is derived from internal auditor and not vice versa. Otherwise all audits pertain to the internal activity of a company.
This definition is now being turned on its head. For instance, The Corporate Governance Voluntary Guidelines 2009 issued by the Ministry of Corporate Affairs, in December 2009 state, inter alia, that, in order to ensure the independence and credibility of the internal audit process, the Board may appoint an internal auditor and such auditor, where appointed, should not be an employee of the company.
This has been followed by a circular from SEBI in early January 2010 that requires credit rating agencies to submit an Internal Audit Report' every six months, from chartered accountants, company secretaries or cost and management accountants who are in practice and who do not have any conflict of interest with the CRA (read external agencies).
These trends clearly indicate that the internal audit function is likely to move out of the organisation to an independent agency.
The CG guidelines, though voluntary as of now, have a persuasive power and will soon become the litmus test for a well-governed company. However, it is pertinent to ask whether this activity should be outsourced and whether such a move would serve the interests of all stakeholders?
To answer this question we need to understand what the internal audit function really comprises. The SIA 2 from the Institute of Chartered Accountants of India states that Internal audit is an independent management function which involves the continuous and critical appraisal of the functions of an entity with a view to suggest improvements thereto and add value to and strengthen the overall corporate governance mechanisms of the entity including the entity's risk management and internal control systems.
The IAASB prescribes six objectives for this function one of which is to review the economy, efficiency and effectiveness of operating activities including non financial activities of an entity.
It is abundantly clear that the internal audit function has come a long way from being a department that checks vouchers to detect financial frauds and verifies all transactions and records to ensure compliance with the extant laws of the country.
In the last 10 years, this function has evolved qualitatively and is now expected to be an objective partner of the management in the efficient running the organisation.
The above distinctly differing activities are of varying importance to a) internal stakeholders (board and executive management) and b) external stakeholders (shareholders, regulators, lenders).
A company's board is responsible to its shareholders and is enjoined to manage their company not only ethically but in the most efficient and profitable way. For this stakeholder, a constant review of the efficiency and effectiveness of operating activities becomes very important.
This review not only calls for an intimate knowledge of the company's business, operations and culture, but also a year round commitment to closely follow up on audit recommendations. This could also entail being privy to the company's intellectual property, knowledge of which is best confined to within the organisation. In the light of these considerations, it is likely that the management's interests would be better served if this function is kept within the company.
However, various arms of the Government and the market regulator are today very concerned about safeguarding external stakeholder interests and it would appear that their primary expectation from the internal audit function is fraud detection/prevention and compliance assurance.
There is no denying that the independence of the auditor is very important in this traditional internal audit activity. It is also likely that the National Foundation for Corporate Governance which drafted the Guidelines has been exercised by the gross failure of the internal audit function in some recent cases of corporate governance failures.
On balance, today, regaining the external stake-holder's faith in Corporate India gets precedence over other considerations. One proposed measure to achieve this objective is to restore the credibility of all audit reports pertaining to a company. Therefore, there is no stopping the trend towards externalising the internal audit activity. All that remains to be done is to draft a new definition for this assurance function to bring it in line with the emerging practice.