The Companies Act, 2013, has mandated the appointment of an internal auditor by listed companies and certain other classes of companies. Why should the law mandate the appointment of an internal auditor, which serves the management and the board of directors (Board)? The plausible reason is that an effective internal audit acts as the eyes and ears of the Board and thus plays a critical role in corporate governance.
Internal audit's customers are the financial auditor (often referred to as the statutory auditor), the management and the Board.
Internal audit provides an assurance to the management and the financial auditor that internal controls related to the preparation of financial statements are adequate and operating effectively. The primary objective is to reduce the cost of financial audit and to prevent and detect financial irregularities, frauds and errors. Internal audit also helps in achieving operating objectives. It monitors compliance with standard operating procedures (SOPs) and operating policies in conducting business operations. It reviews efficiency in resource allocation and utilisation. Often, the internal auditor acts as an internal consultant to local managers in addressing challenges that they face in complying with SOPs and achieving target efficiency. It suggests modifications in SOPs and the company's operating policies that are required for achieving operating objectives in the changed environment, both internal and external.
The internal auditor optimises the use of its resources by focusing on financial transactions and operations where the fraud risk, the risk of deviations from SOPs, or the probability that waste might be higher than the standards is high; or where internal controls are under stress due to the external environment. For example, when the demand for the product or service is low, internal controls related to the marketing function are under stress. Some refer to this internal audit approach as risk-based internal audit. However, in companies that have a robust enterprise risk management (ERM) system, risk-based internal audit refers to internal audit around risks identified under ERM.
Although operating objectives are derived from strategic objectives, achieving operating objectives does not necessarily result in achieving strategic objectives. Internal audit helps in achieving strategic objectives and improving Board effectiveness. Two important tools that the Board uses to help the company in achieving strategic objectives are ERM and strategy audit.
An ERM system minimises future shocks from the unfolding of uncertain events and helps management in responding to emerging risks and opportunities proactively. The greatest challenge in implementing an ERM system is to establish the right culture - a shared understanding about risk, including the risk appetite and ethical standard established by the Board. The Board cannot directly monitor the organisation culture and the ERM system. The internal auditor monitors the same on behalf of the Board.
The effectiveness of strategy audit, which is a periodical review of the current corporate strategy and business strategies, depends on the timeliness and accuracy of information being made available to the Board. Usually, the management information system (MIS) is oriented towards the management's information needs for performance evaluation, planning and control. A strategy review requires a different set of information - mostly drawn from the external environment (e.g., competitor's analysis, emergence of new opportunities, market performance of the company's products compared with that of competing products and indication of structural changes in the economic, political, technological and social environment). The internal audit provides an assurance that the information system is adequate and operating effectively.
The effectiveness of an internal audit depends on its independence and the resources available to it. The law has made the audit committee responsible for protecting the independence of the internal audit and providing adequate resources. The Companies Act requires that the audit committee or the board shall formulate the scope, functioning, periodicity and methodology for conducting the internal audit. Clause 49 of the Listing Agreement requires the audit committee to review the performance of the internal auditor, the adequacy of internal audit and the findings of any internal investigation by internal auditors. It requires the audit committee to discuss with the internal auditor significant findings and follow-up actions thereon.
Unfortunately, the audit committee of most companies is apathetic to the internal audit. An internal audit is still perceived as a service to management. In most companies the chief internal auditor (CIA) reports to the CEO or the CFO. This reporting structure is appropriate when the internal audit serves the management. When an internal audit serves the Board, the CIA should report to the chairperson of the audit committee. The audit committee spends inadequate time in examining internal audit reports. The internal auditor presents its observations through PowerPoint presentations before the audit committee, which allocates about three hours in a year for discussing internal audit findings. The audit committee seldom discusses with the internal auditor the internal audit scope, its performance, and the resources available to it.
Audit committees, in their own interest, should comply with the law, in spirit. They should have intensive engagement with the internal auditor to understand challenges it faces in achieving excellence. Absence of a robust internal audit is a corporate governance risk.