Latest News

Internal Auditing Standards

The International Standards for the Professional Practice of Internal Auditing state that internal audit independence is critical to the effectiveness of the internal audit activity.  Standard 1100 explains that:

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Reporting is discussed in two parts:  functional and administrative.  It is almost universally accepted that functional reporting should be to the organisation’s audit committee.  (The Internal Auditing Standards use the term “board”, but The Standards also state that in most contexts this term refers to an audit committee).  Administrative reporting is a different matter.

The Standards require that the Chief Audit Executive (CAE) report to a level that allows internal audit to fulfill its responsibilities and to confirm annually to the audit committee that this is the case (Standard 1110). 

Some public sector jurisdictions go further than this.  For example, the New South Wales Government Internal Audit and Risk Management Policy for the General Government Sector (2020) requires that “the CAE shall report administratively to the Accountable Authority” (para 2.1.14).  In this context the “Accountable Authority” is generally the agency head.  In the context of agencies where the Accountable Authority is a board, the requirement is that the CAE report to direct report of the Accountable Authority.  In a practical sense, the NSW Government requires that the CAE report administratively to the agency chief executive.

It is generally accepted that administrative reporting is:

(NSW Government, 2020, p. 30)

Matter related to the professional direction and support are functional matters and are reserved to the audit committee.  Assessment of the quality of work and the performance of internal audit is expected to be reserved to the audit committee.

Survey

In conjunction with its 2022 annual conference, IIA-Australia conducted a survey addressing internal audit independence.  146 responses were received.  The responses covered a wide industry base (Exhibit 1) and multiple roles in relation to the internal audit activity (Exhibit 2).

To help obtain organisational trends for some responses, we have focused on the responses of those who have identified as the CAE or as a sole internal auditor in an organisation.  In this way we can be confident that each response represents a unique organisation.  The 58 responses that fall into this grouping were also representative of a wide range of industries (Exhibit 3).

Exhibit 3 - Industry of respondent heads of internal audit

Structure of Audit Committee

Audit Committees: A Guide to Good Practice (Auditing and Assurance Standards Board, Australian Institute of Company Directors and the Institute of Internal Auditors-Australia, 2017) recommends that:

the majority of members of the audit committee are independent and non-executive members. However, if the entity is in the S&P/ASX 300 at the beginning of the year, it is a requirement under the Listing Rules that the committee consist solely of non-executive directors, a majority of whom are “independent”.

The purpose is that member of audit committees should be “free from any management, business or other relationship that could reasonably be perceived to materially interfere with their ability to act in the best interests of the entity”.

Once again, various public sector jurisdictions have strengthened these requirements.  For example, the Australian Government requires that audit committees consist of “persons who are not officials of the entity” and that a majority of members “must be persons who are not officials of any Commonwealth entity” (Commonwealth of Australia, 2022).

An audit committee with members who are independent of the management of the organisation are regarded as a strong contributor to the good governance of the organisation and the independence of the internal audit function (ASX Corporate Governance Council, 2019).  If an organisation does not have an audit committee it is probable that the internal auditors are reporting to management.

The heads of internal audit report that more than half of the audit committees in respondent organisations consist entirely of independent members.  Those organisations that continue to have internal member son their audit committee cross all industries and some would appear to be at variance with the requirements of their regulatory environment.  Disturbingly, two heads of internal audit (3%) report that their organisation does not have an audit committee.

Exhibit 4 - Composition of Audit Committees

CAE Administrative Report

Only 39% of heads of internal audit report that they report administratively to the chief executive officer.  The IIA-Australia recognises that individual organisational circumstances may mean that a busy chief executive may not wish to be concerned with minor administrative matters and may elect to delegate this to a more junior officer (The Institute of Internal Auditors - Australia, 2021).  In some jurisdictions, this is not necessarily permitted by regulation.

The nature of this delegation is important.  It is critical that this does not give the delegate the ability to influence the internal audit review activity or the reports that internal audit may make to the audit committee or senior executive.  What may begin as well-meaning advice on presentation can easily become unwarranted interference in the internal audit process.

Where the head of internal auditing is not reporting administratively to the chief executive, they have indicated that they report administratively as shown in Exhibit 5.

Exhibit 5 – Administrative reporting points other than the Chief Executive

Reporting to the Chief Financial Officer or to the head of Corporate Services is problematic as these officers are commonly the subject of internal audit review and have an increased motivation to see internal audit reports or internal audit activity modified.  In some organisations the Chief Operating Officer is effectively a deputy Chief Executive and reporting at this level may be acceptable, but of the options listed, reporting to the head of governance or legal is the most acceptable.  Some of the respondents indicate that they report to the Chief Risk Officer.

Of some concern are the details of reporting lines described by those who provided additional commentary.  Some of the reporting lines are well removed from the Chief Executive and while the report might be to an individual with a sensible portfolio of activity, this person is themselves subordinate to an officer such as the head of corporate.

Safeguards of Independence

Where the CAE’s administrative reporting is not to the Chief Executive the standard safeguards are generally in place.  One respondent indicated that there were no safeguards in place.  The percentages shown in Exhibit 6 are against the number of organisations that do not have administrative reporting to the Chief Executive.

Exhibit 6 - Safeguards in place

Management responsiveness

The extent to which management respond promptly to internal audit recommendations is an indicator of the quality of internal control within an organisation.  There is an expectation management and the board will assess the results of evaluations (including internal audit) and will remediate deficiencies promptly (COSO, 2013).

Only 53% of the total respondents regarded their organisations as fulfilling this requirement.

Undue Pressure on Internal Audit

Independence is a concept that is affected by context.  It is clear that internal audit is not independent of their organisation, but in serving the board they are serving the organisation itself rather than its management or its current owners.  Section 184 of the Corporations Act 2001 requires directors to act in the best interests of the company; internal auditors inherit that duty.

In the service of the company, it is important that the professional judgement of the internal auditor should not be unduly influenced by the opinion of members of management or even of individual directors.  Independence describes the situation that allows the internal auditor freedom to undertake an engagement and provide their results without fear of reprisal.

14% of respondents report having been sanctioned because of the contents of one of their reports or been subject to significant pressure change an adverse finding. 

The forms of sanction reported by individuals are:

• Dismissal
• Denial of promotion
• Antagonise or bullying behaviour
• Reports ignored and/or the quality of reports questioned
• Reduction in resources for the activity

Others reported pressure from executive management to change reports after they have been published.

We are not suggesting that internal auditors never make mistakes.  Indeed, The Standards require internal auditors to correct errors in fact.  This is not the same thing as changing an opinion.  If an internal auditor’s opinion is based on the available evidence, they are not obliged to change it.  An internal audit activity that has a robust quality assurance and improvement program in place (including the conduct of an external review) should be in a position to refute claims of poor-quality work.

The structure of an organisation should be designed to minimise the potential for internal auditors to be subject to reprisal for reporting the facts.  Sadly, it would seem that more than one in ten internal auditors has experienced an organisation where this has failed.

Conclusion

Much of the value of internal auditing arises from the fact that its work is not unduly influenced by individuals.  The independence provisions in The Standards describe how this should be achieved.

The ideal is for the Chief Audit Executive to report functionally to an audit committee that is comprised of independent members and to report administratively to the Chief Executive.  Only 28 respondents (19%) report that this describes the position of internal audit in their organisation; 13 (22%) of the 58 heads of internal audit indicated that they worked in this arrangement.  These numbers suggest that governance practices in Australia still have significant room for improvement.

Useful References

ASX Corporate Governance Council, 2019. Corporate Governance Principles and Recommendations, 4th Edition. Sydney: ASX.

Auditing and Assurance Standards Board, Australian Institute of Company Directors and the Institute of Internal Auditors-Australia, 2017. Audit Committees: A guide to good practice. 3rd ed. Sydney: The Auditing and Assurance Standards Board, the Australian Institute of Company Directors, The Institute of Internal Auditors–Australia.

Commonwealth of Australia, 2022. Public Governance, Performance and Accountability Rule 2014. s.l.:s.n.

COSO, 2013. Internal Control - Integrated Framework. [Online]
Available at: www.coso.org

International Internal Auditing Standards Board, 2016. International Standards for the Professional Practice of Internal Auditing, Lake Mary, FL, USA: Internal Audit Foundation.

NSW Government, 2020. Internal Audit and Risk Management Policy for the General Government Sector. [Online]
Available at: https://www.treasury.nsw.gov.au/documents/tpp20-08-internal-audit-and-risk-management-policy-general-government-sector

The Institute of Internal Auditors - Australia, 2021. Factsheet: Chief Audit Executive Reporting. [Online]
Available at: https://iia.org.au/sf_docs/default-source/technical-resources/2018-fact-sheets/factsheet-chief-audit-executive-reporting.pdf