The Role of the Au­dit Com­mit­tee

Au­dit com­mit­tees should see that in­ter­nal au­di­tors have not only ap­pro­pri­ate in­de­pen­dence but also stature in the or­gan­i­sa­tion, and are vis­i­bly sup­ported by se­nior man­age­ment.

The Malta Business Weekly - - ENEWS & TECH -

It is im­por­tant for the au­dit com­mit­tee to see that the in­ter­nal au­di­tors have not only ap­pro­pri­ate in­de­pen­dence but also stature in the or­gan­i­sa­tion, and are vis­i­bly sup­ported by se­nior man­age­ment. They should sup­port the CAE, pro­vid­ing guid­ance and as­sis­tance when he or she re­ports po­ten­tial man­age­ment lapses.

The in­ter­nal au­dit func­tion plays a crit­i­cal role in or­gan­i­sa­tions, per­haps even more so to­day given their broad busi­ness ecosys­tems, which can present a host of ex­tended en­ter­prise risks. For these and other rea­sons, the au­dit com­mit­tee’s over­sight of the in­ter­nal au­dit func­tion is as im­por­tant as its role vis-à-vis the ex­ter­nal au­di­tor.

When the in­ter­nal au­dit func­tion re­ports to the au­dit com­mit­tee, it al­lows the in­ter­nal au­di­tors to re­main struc­turally sep­a­rate from man­age­ment and en­hances ob­jec­tiv­ity. This re­port­ing re­la­tion­ship also en­cour­ages the free flow of com­mu­ni­ca­tion on is­sues and pro­motes di­rect feed­back from the au­dit com­mit­tee on the per­for­mance of the chief au­dit ex­ec­u­tive (CAE).

It is im­por­tant for au­dit com­mit­tees to as­sess whether in­ter­nal au­dit’s pri­or­i­ties, such as mon­i­tor­ing crit­i­cal con­trols and de­vel­op­ing an au­dit plan fo­cused on risks iden­ti­fied in the en­ter­prise risk man­age­ment pro­gram, are aligned with those of the au­dit com­mit­tee, as dis­cussed in Deloitte’s 2018 Au­dit Com­mit­tee Re­source Guide.

The spe­cific ex­pec­ta­tions for in­ter­nal au­dit func­tions vary by or­gan­i­sa­tion, but may in­clude:

• Ob­jec­tively mon­i­tor the health of fi­nan­cial, op­er­a­tional, and com­pli­ance con­trols

• Pro­vide in­sight into the ef­fec­tive­ness of

risk man­age­ment

• Of­fer guid­ance re­gard­ing

in­ter­nal/com­pli­ance con­trols

• Act as a cat­a­lyst for pos­i­tive change in

pro­cesses and con­trols

• Co­or­di­nate ac­tiv­i­ties with the in­de­pen­dent au­di­tor

In sup­port of these ex­pec­ta­tions, the au­dit com­mit­tee and the CAE should have a strong re­la­tion­ship char­ac­terised by open com­mu­ni­ca­tion. The au­dit com­mit­tee should chal­lenge the CAE and the in­ter­nal au­dit de­part­ment by set­ting high ex­pec­ta­tions, ex­press­ing those ex­pec­ta­tions clearly, and hold­ing the de­part­ment ac­count­able for meet­ing them. The CAE should be can­did in rais­ing con­cerns with the au­dit com­mit­tee when they arise.

It is im­por­tant for the au­dit com­mit­tee to see that the in­ter­nal au­di­tors have not only ap­pro­pri­ate in­de­pen­dence but also stature in the or­gan­i­sa­tion, and are vis­i­bly sup­ported by se­nior man­age­ment. They should sup­port the CAE, pro­vid­ing guid­ance and as­sis­tance when he or she re­ports po­ten­tial man­age­ment lapses.

Mem­bers of the au­dit com­mit­tee should en­gage with the CAE reg­u­larly to main­tain a re­port­ing re­la­tion­ship that is both sub­stan­tive and com­mu­nica­tive. Hold­ing reg­u­lar ex­ec­u­tive ses­sions with the CAE is com­mon and is re­quired for NYSE-listed com­pa­nies. The au­dit com­mit­tee should ac­tively par­tic­i­pate in dis­cussing goals and eval­u­at­ing the CAE’s per­for­mance; these re­spon­si­bil­i­ties should not be del­e­gated solely to the CFO or CEO.

The au­dit com­mit­tee should un­der­stand and ap­prove the an­nual in­ter­nal au­dit plan and de­ter­mine if the CAE has a suf­fi­cient bud­get and re­sources to ex­e­cute against it. In de­ter­min­ing that re­sources are ad­e­quate, au­dit com­mit­tees of­ten con­sider whether the CAE and his or her staff are ad­e­quately com­pen­sated. As part of this re­view, they should re­view and eval­u­ate the sta­tus of the en­ter­prise-wide risk man­age­ment pro­gram and the align­ment of risks to the in­ter­nal au­dit plan. The au­dit com­mit­tee should also eval­u­ate the progress and re­sults of the in­ter­nal au­dit plan against the orig­i­nal plans and any sig­nif­i­cant changes made sub­se­quently.

The In­ter­na­tional Stan­dards for Pro­fes- sional Prac­tice of In­ter­nal Au­dit­ing es­tab­lished by the In­sti­tute of In­ter­nal Au­di­tors (IIA) re­quire in­ter­nal au­di­tors to main­tain a cer­tain level of in­de­pen­dence from the work they au­dit. This means that an in­ter­nal au­di­tor should have no per­sonal or pro­fes­sional in­volve­ment with the area be­ing au­dited and should main­tain an im­par­tial per­spec­tive on all en­gage­ments. In­ter­nal au­di­tors should have ac­cess to records and per­son­nel when nec­es­sary, and they should be al­lowed to em­ploy ap­pro­pri­ate in­ves­tiga­tive tech­niques with­out im­ped­i­ment.

In­ter­nal au­dit de­part­ments should also em­ploy qual­ity pro­cesses with a fo­cus on con­tin­u­ous im­prove­ment. These pro­cesses should be pe­ri­od­i­cally re­viewed through self-as­sess­ment and/or ex­ter­nal re­views. The IIA’s stan­dards re­quire ex­ter­nal as­sess­ments to be con­ducted by a qual­i­fied, in­de­pen­dent party at least once ev­ery five years. The CAE should dis­cuss the form and fre­quency of the ex­ter­nal as­sess­ment, as well as the qual­i­fi­ca­tions and in­de­pen­dence of the ex­ter­nal asses­sor, with the au­dit com­mit­tee.

With re­spect to its in­ter­ac­tions with in­ter­nal au­dit, au­dit com­mit­tees might give con­sid­er­a­tion to the fol­low­ing ques­tions:

• Does in­ter­nal au­dit have a clearly ar­tic­u­lated strat­egy that is re­viewed and ap­proved by the au­dit com­mit­tee pe­ri­od­i­cally?

• Does in­ter­nal au­dit have a clear set of

per­for­mance ex­pec­ta­tions that are mea­sured and re­ported to the au­dit com­mit­tee?

• Does in­ter­nal au­dit have a char­ter that is pe­ri­od­i­cally re­viewed by the au­dit com­mit­tee? Does in­ter­nal au­dit op­er­ate in ac­cor­dance with its char­ter?

• Is the in­ter­nal au­dit plan aligned to the pri­mary risks of the or­gan­i­sa­tion and other as­sur­ance ac­tiv­i­ties? Is in­ter­nal au­dit’s risk as­sess­ment process ap­pro­pri­ately linked to the com­pany’s en­ter­prise risk man­age­ment ac­tiv­i­ties?

• Is in­ter­nal au­dit flex­i­ble in ad­dress­ing new risks promptly and meet­ing the au­dit com­mit­tee’s needs?

• Is in­ter­nal au­dit ef­fec­tive in us­ing ad­vanced tech­nolo­gies, such as data an­a­lyt­ics, to im­prove au­dit qual­ity? • Does in­ter­nal au­dit per­form peer re­views or self-as­sess­ments of its per­for­mance and re­port the re­sults to the au­dit com­mit­tee?

• Is in­ter­nal au­dit funded ad­e­quately

and staffed ap­pro­pri­ately?

• Does in­ter­nal au­dit’s re­port­ing struc­ture en­sure suf­fi­cient in­de­pen­dence and re­spect from man­age­ment and other em­ploy­ees?

• Does in­ter­nal au­dit meet with the in­de­pen­dent au­di­tor reg­u­larly to dis­cuss risk as­sess­ments, the scope of pro­ce­dures, or op­por­tu­ni­ties to achieve greater ef­fi­cien­cies in the com­pany’s au­dit ser­vices?

Newspapers in English

Newspapers from Malta

© PressReader. All rights reserved.