During my time at City University London, Deloitte and as an independent audit committee member I have encountered various approaches to delivering internal audit, the one constant being that internal auditors should consistently add value to their organisations by providing assurance and recommendations on the effectiveness of risk management, control and governance processes. This is our core role, but how much of this is recognised as really being value-add rather than a requisite organisational function? How often does the corporate board or equivalent really notice and appreciate internal audit’s contribution?
Doing our job well really does add value and we, as a profession, need to be confident in this. I work within an organisation where internal audit is valued from the university council (governing body) through to the management team - or so I am told!
First, I want to stress the importance of independence as supported by the professional standards of the Chartered Institute of Internal Auditors. This encompasses both organisational independence and individual objectivity. I strongly believe that the head of internal audit (HIA) should report directly to the chair of the audit committee, but I acknowledge the need for a dotted line to either a university secretary or similar role. However, the hiring and firing of the internal auditor should be done by the board via the audit committee.
At City University London I have free and open access to the vice chancellor (VC), Professor Sir Paul Curran. Our meetings are frequent and engaging and he values the role IA can play in supporting City’s implementation of its strategic plan. Sir Paul tells me that “the independent and professional risk assurance provided by our internal audit is an important component of the assurance framework for a complex and rapidly changing organisation”.
Internal audit needs to be visible within the organisation, with open access to the top team, to facilitate sharing on areas of risk such as data security and visa and immigration compliance.
The audit committee is a key partner in the effective delivery of internal audit. This support should be defined in the internal audit charter, setting out the scope, purpose and authority of internal audit and endorsed by the audit committee. For this support to be provided, it’s vital that the audit committee are assured by the work of internal audit.
All internal audit teams have finite resources, so it’s absolutely vital that we make use of those around us. I regularly engage with the senior management team and meet with the chair of the audit committee around eight times a year and other audit committee members at least annually on a one-to-one basis.
A key component of improvement is the ability to reflect upon current performance and take advice and guidance from peers. Without embracing this concept and support from their audit committees, internal audit functions miss the opportunity to improve performance and therefore value. The higher education sector has a group, the Council of Higher Education Internal Auditors (CHEIA), which facilitates an annual peer-review exercise via a quality assurance tool that maps to the International Standards and Public Sector Internal Audit Standards.
It’s vital to be part of a network of peers within your industry sector. Established almost 20 years ago, CHEIA is invaluable in allowing HIAs and internal auditors to engage. In my experience, truly independent audit can be a lonely existence and actively engaging with the internal audit community in your sector is hugely beneficial. If you don’t have a sector network, I urge you to create one.
If delivered and supported appropriately, internal audit has much value to add. And unlocking that value in the ways I’ve described can only enhance the way in which internal audit is perceived.
Steve Stanbury is the director of internal audit at City University London, chair of the Council of Higher Education Internal Auditors (CHEIA) and an independent member of Goldsmiths, University of London audit committee.