In my roles as Head of Internal Audit and International Forensic Co-ordinator, in both Philips and De Beers, I have had many years of experience setting up and running audit departments. Based on this experience I have put together my personal “top ten” list of attributes that make up a world class internal audit department.
1. Independent – an internal audit department that is not independent, or seen to be independent, is no use to man nor beast. Independence is functionally achieved through establishing a clear, direct reporting line to the audit committee (which itself should be comprised of independent non executive directors). Additionally, independence is maintained by ensuring that reports are fair and objective (not bending to the wills of dominant CEO’s) by senior review within the department; and ensuring that audit assignments are rotated so that members of the department do not become too close to the operational management of specific business units.
2. Approachable – contrary to popular belief the internal audit department is not the Gestapo. The department should report on business operations, risks and controls in an independent, fair and objective manner. Additionally, it should be the source of best practice advice; management should feel that they can raise an issue with the members of the department and obtain constructive, informed advice on that issue.
3. Communicative – the primary role of the department is to report on the adequacy of the business controls and effectiveness of the risk management process. Therefore by definition the reports need to be clear, concise and relevant. In order to garner information for the preparation of the report auditors need to interview people at various levels within the organisation. Additionally, where a situation arises that requires the attention of the Board this should be communicated in an effective and prompt manner. Members of the department therefore need high level communication skills, both written, oral and “soft”.
4. Deadline orientated– businesses are deadline orientated and so, by definition, should be the internal audit department. Reports need to be issued on a timely basis; a report that takes six months to clear is of no use, as the events on which it has been based have moved on. At the commencement of a review the deadline for publication of the report (after clearing the draft for errors with management) should be clearly stated, and accepted by auditor and “client”.
5. Appropriate mix of skill sets– internal audit departments should be staffed by people with skill sets, and experience, appropriate to the business. This would include people with IT, management, commercial and technical experience. Additionally, the department should have an appropriate cross section of career auditors and fast track trainees (who stay no more than two years in the department before moving on to line management).
6. Technically up to date – the members of the department should be up to date with technical and other issues relevant to the business, eg corporate governance. This can be maintained by internal/external training courses, and regular meetings with other bodies such as the external auditors.
7. High ethical principles– should the members of the audit department be regarded (rightly or wrongly) by other members of the organisation as being anything other than beyond reproach, then their ability to carry out their role effectively has been nullified. To ensure that ethical standards are maintained the company’s code of conduct should be strictly adhered to, and the acceptance of gifts from management/staff within the organisation being audited forbidden.
8. Flexibility – members of the department must be prepared to travel, and work in a variety of situations; such as international assignments, frauds, special management requests and due diligences.
9. Audit charter– this is an essential requirement as this document enshrines the mission, independence, reporting lines, right of access to documents/people and modus operandi of the department. The charter must be signed by the senior members of the board, to show their commitment to an independent function, and distributed to all senior management.
10. Commercially literate– members of the internal audit department must be commercially literate; understanding the general nature of business eg, marketing, logistics, cash flow etc. Additionally, they should have a specific understanding of the nature of the business which they are reviewing eg; risks, competition, results, market, suppliers, business plan etc. This will ensure that the review will be tailored to the needs of the organisation.
It goes without saying that the audit department should possess the basic operational attributes such as budgeting, planning and recording its work.