
Internal audit's role in navigating the new internal control attestations

Published: 28 Sep 2024

As we approach the end of 2024, listed companies and those that state compliance with the UK Corporate Governance Code are increasingly turning to the question of how to address the requirement to provide an attestation over the effectiveness of material financial, operational, compliance and reporting controls.

There are many questions for directors to address. We hear frequently about the challenges in determining the scope of activities that fall within the much broader definition of controls than companies are used to. In addition, we know companies are grappling with how to assess materiality when it cannot always be measured through a financial lens. The FRC has provided scant guidance, intentionally wanting to drive accountability and improved discussion in corporate boardrooms.

For internal audit this poses a challenge. Functions must be prepared and must ensure their companies are considering the issues in good time. The starting point will vary widely. For financial services regulated businesses, it would be anticipated that the control frameworks are well established. With the recent focus on conduct and the Consumer Duty, even those frameworks and processes associated with operational issues should have received attention and documentation.

For many companies there will be a steep learning curve. Management will look to where there is already expertise. Internal audit should expect that call.

However, this raises a number of questions:

  • How directly involved in the process of documentation and testing can internal audit be?
  • Where might there be other teams that could undertake the second line activities of monitoring and testing?
  • How does this process integrate with the wider remit of internal audit?
  • How do we prioritise the activities required to deliver the attestation alongside the broader risk-based audit programme?
  • What role should internal audit play alongside the external auditors – if they are to be involved?

At the heart of this is the need to ensure this does not become a SOX-style process, dictated by an external audit mandate that requires testing and retesting in a rules-based manner. If we allow this exercise to progress in this way it will quickly become unwieldy given the much broader scope. We need to find pragmatic and proportionate solutions.

More than financial controls

One of the key challenges is that the scope goes significantly beyond the financial and financial reporting risks and controls that have typically been considered in the context of preparing the annual report. These controls are generally limited to the finance function, perhaps with some input from functions such as payroll or technology. The remit going forward will be much broader, so where do the resources sit to own the process of documentation and monitoring, a role that is more aligned to the second line than to internal audit? Individuals need to be identified and appropriate training provided in the operations and the broader compliance and reporting obligations.

Independence and the Three Lines

Inevitably the directors will look to internal audit to provide expertise, and often oversight, given its skills and experience in testing a broad range of non-financial risks and controls. For some organisations it will make sense to have a combined reporting line and to draw on this experience, particularly in the early days. The Audit Committee needs to be engaged to make conscious and documented decisions about the implications of this. Mitigating actions and safeguards need to be identified to ensure there are no unintended consequences.

Oversight and the role of the Board

The attestation is the responsibility of the Board. Historically, oversight of the financial controls has been delegated to the Audit Committee, usually chaired by an individual with experience as an accountant, external auditor and/or finance director. This attestation is much broader, encompassing non-financial reporting, compliance obligations generally overseen by the General Counsel, and operational controls where accountability may be widely dispersed. The Board has to determine whether these are all combined in reporting to the Audit Committee and/or whether alternative Board and executive committees are also involved. Internal audit, in support of the Board, will need to be clear on which committees it needs to report to.

Internal audit work programme and resourcing

The existence of such a significant new requirement will inevitably lead to a greater pull on internal audit resource. In the extreme, we anticipate functions will be asked to take on the lead role, coordinating the response and performing all testing. So long as adequate safeguards are in place and the work is performed to the standards of internal audit, this may be acceptable in some companies. However, it will create a significant diversion from other risk-based auditing. Heads of Internal Audit are already saying that they anticipate existing work programmes will be adversely impacted, as they are not getting additional budget or resource. It will be critical to model and forecast the impact of this so that the Board (generally via the Audit Committee) can make informed choices.

Within the Internal Audit profession we welcome the broadened scope of the UK Corporate Governance Code, as well as the focus on ensuring directors have adequate internal assurance. However, we must also recognise the consequences this has and lean in to providing solutions.