The role of Internal Audit in helping boards with their governance responsibilities has been growing in importance and influence in recent years in Ireland and internationally. At a time of global economic uncertainty and heightened geo-political sensitivities, charities and NGOs as well as major corporates and public sector organisations have increasingly been relying on their Internal Audit functions to help identify risks, improve the management of manage control systems and underpin operational performance.
Internal Audit’s remit is a wide-ranging one: it provides Boards with assurance on an organisation’s risk management effectiveness, internal controls and governance processes. In essence that means Internal Auditors help organisations to manage the wide range of risks facing them before they become a problem, including for example: corruption and fraud risks; security risks; health and safety risks; and risks related to non-compliance with regulation.
For many charities and NGOs, particularly those operating in challenging or unstable environments, the importance of this is clear. So how can boards make sure that internal audit is able to do its job properly?
Internal Audit occupies a unique position within organisations. In order to provide effective oversight, it must be at the heart of the organisation, so that it can fully understand what’s really happening internally.
In practice this means working both alongside an organisation’s key operation teams, as well as with any central compliance functions, to ensure that strengths and weaknesses are identified, assess whether internal controls are fit for purpose and functioning correctly and ensure that appropriate strategies to monitor and mitigate risk are developed.
However, at the same time, it must also remain impartial and detached from the management hierarchy, so that its opinions are independently and objectively formed and communicated.
Internal Audit’s primary duty is to act as eyes and ears for the Board, to which it should be accountable, usually via the audit committee. In providing “assurance” to the Board, Internal Audits’ job is to exercise critical analysis to tell it like it is, not how the organisation would like it to be. Boards need to know that their Internal Audit team feels empowered to ask tough questions and challenge assumptions.
With this in mind, it is critical that Heads of Internal Audit have direct and open communication lines with Board members so that any concerns about the management of risk within the organisation can be raised, evaluated and dealt with. So it is encouraging to see that in Ireland it is becoming the norm for HIAs to report to the Chair of the Audit Committee, rather than to an executive director, typically the Chief Financial Officer, as was once common. More than two-thirds (68%) are now doing so, according to our latest annual Governance and Risk Survey.
Internal Audit’s role as a vital check and balance to an organisation’s operations and governance has arguably never been greater. Charities and NGOs today face a wide range of strategic and operational risks. Failure to anticipate and manage these correctly could be hugely damaging – not least to the good reputation on which all such organisations rely. The unique perspective, the critical insight and oversight that Internal Audit provides, are vital weapons in a Board’s armoury to defend against risk and help their organisations get to achieve their goals.