The Internal Audit Function

Today, the news frequently reflects inappropriate corporate activities, ranging from fraud and corruption, payment of bribes, to general rule-breaking by rogue employees. Compliance programs and training are intended to detect and prevent these activities and actions. In theory, an effective compliance program and an active, risk based internal audit function should thwart or deter illegal or inappropriate activity.

Following the Enron scandals, the Sarbanes-Oxley Act of 2002 was implemented. Among other things, it provides requirements for internal control over financial reporting standards, enhancing the role of internal audit. Recent publicity of corporate misconduct continues to demonstrate that the internal audit function must be more rigorous and also should be focused on corporate culture. Separation of functions and multiple approval levels are the most appropriate safeguards to consider when designing the compliance program, its controls and its oversight. When aided by an active internal audit function, this should minimize, or promote early detection of, inappropriate or illegal activities. Given the growing importance of the internal audit function, the IIA recently released a revised framework, intended to provide fundamentals and core guidance that are essential to an effective internal audit function.

New Framework

The International Professional Practices Framework recently released by the IIA is intended to provide guidance for internal auditors, by seeking to focus on core principles. The framework identifies 10 core principles that describe or guide what an effective internal audit function should focus upon and to what it should adhere.

The 10 core principles are contained in the International Professional Practices Framework, part of the IIA Revised Professional Practices Framework. They are intended to motivate internal auditors to a higher level of practice, consistent with the mission of enhancing and protecting value by providing risk-based and objective assurance. They are as follows:

• Demonstrates integrity;
• Demonstrates competence and due professional care;
• Is objective and free from undue influence (independent);
• Aligns with the strategies, objectives and risks of the organization;
• Is appropriately positioned and adequately resourced;
• Demonstrates quality and continuous improvement;
• Communicates effectively;
• Provides risk-based assurance;
• Is insightful, proactive and future-focused; and
• Promotes organizational improvement.

These core principles focus on integrity, competence, communication, positioning, resources and due professional care that is consistent with what should be the current focus of an internal audit function. However, there are several of the principles that are more aspirational. According to the principles, an internal audit function through its leadership should be “insightful, proactive and future-focused,” to promote organizational improvements. Clearly, these particular principles are forward-looking and subject to interpretation. The chief audit executive (CAE) and the audit committee should focus on these principles in preparing the internal audit policy, through which an organization will set the standards for guidance and instruction of internal audit staff, as well as form part of an overall mission statement.

With the core principles framework in mind, it is suggested that the CAE, with guidance and ultimate approval of the audit committee or the board of directors, should design a strategic plan for the internal audit function that would form the guidelines used to establish an annual audit plan, contemplating each of the core principles.

The strategic plan for the internal audit function should provide alignment of that function with the strategic objectives and risk-tolerance of the organization, both currently and looking forward. Based upon the core principles, the strategic plan also should provide a vision based upon the direction and objectives the organization intends to pursue. In other words, it should be a business-aligned strategic plan that is risk based.

Once such a plan is developed, there should be “buy-in” not only from senior management, but also at the board level. This strategic plan also should be instructive for educational purposes involving the internal audit staff and used specifically in connection with both training and the evaluation of individual audits performed as well as performance objectives for the individual internal audit staff member. The strategic plan also should be firmly based on the objectivity of the internal audit function, clearly reflecting its reporting functionally to the audit committee, avoiding the imposition of management influence on its functions.

The importance of management, audit committee and board approval, and “buy-in” of the internal audit function strategic plan is of great significance. However, it is also most important that the highlights or basic tenants of the strategic plan have acceptance and understanding by the various functions and business units that are subject to internal audit. With a complete understanding of the methodology and the strategic plan for internal audit, cooperation with the internal audit function is enhanced. Equally important is the continued and visible support of senior management and particularly at the board level, to make certain that the culture and important function of the internal audit process permeates the organization.

Application of the Core Principles

The corporate culture of an organization is effectively its soul and the heart, and in many cases the lack of strong corporate culture has been reflected in inappropriate or illegal conduct. The forward-looking aspects of the core principles underscore the proposition that the internal audit function should consider corporate culture. The internal audit strategic plan should contemplate the corporate culture, as part of a qualitative analysis. An initial step is to define the corporate culture. Assuming that every organization aspires to a corporate culture that embraces compliance, integrity and ethics, it would appear that the normal “objective” audit approach may become more subjective.

Perhaps the methodology for approaching an audit of corporate culture may be to include in each of the audit plans specific interviews and/or questionnaires addressed to random employees functioning in the audited business unit. These questions should center on observation of any perceived misconduct, or deviation from the defined culture, comments regarding adherence to or peer group compliance with the culture, and related issues. It would also be appropriate to consider organization-wide periodic training, related to “tone at the top” and compliance with or adherence to a defined corporate culture.

Conclusion

As the internal audit function becomes more forward-looking, the importance of a strategic plan for internal audit becomes more significant, together with training and oversight of the internal audit staff. Given the mission of providing objective assurance, specific guidance related to subjective aspects of the audit function should be addressed. Likewise, demonstrating that the internal audit function is observing and following the core principles should be an objective for the audit committee. The core principles should become a part of internal audit policy, and implementation of the principles should be part of the strategic plan, both of which are approved and monitored by the Audit Committee.

William L. Floyd is senior counsel in the Atlanta office of Dentons US LLP. A member of this newsletter's Board of Editors, he focuses on securities and corporate finance, mergers and acquisitions and corporate and regulatory matters, including corporate governance and responsibility. He can be reached at [email protected] or (404) 527-4000.