Why CEOs and CFOs should engage with internal audit
David Jardine is the senior vice president, Internal Audit at bp plc and a member of ICAEW’s Internal Audit Panel. He explains why CEOs and CFOs need to engage with the Chartered Institute of Internal Auditors’ (CIIA) Code of Practice and why it’s not just for internal audit teams.
A high-quality internal audit function can have a huge influence on a business. “Actually, we have a dual role to play,” Jardine says. “We're a custodian of value for shareholders and we're here to hold management to account. We help businesses better understand how well their risks are being managed. Given the level of risk and uncertainty in the current business environment, there has never been a more important time to have a high-quality internal audit function.”
Internal auditors work to a Code developed following the banking crisis. “In 2010 the CIIA developed the forerunner to the new Code to help the internal audit functions of banks and financial institutions raise their standards,” he adds. “One of the lessons learned from the financial turmoil was that the audit function needed to be at the right level in the organisation to have the right quality of resource.”
“It has to have the right level of independence too and be well-funded to allow it to do its job properly.”
Since then there have been challenges in other sectors too so the CIIA saw an opportunity to broaden the scope of the financial institutions Code of Practice and to apply it to all sectors.
When the revised Code of Practice was issued, Brendan Nelson, Chair of the Internal Audit Code of Practice Steering Committee, said audit functions would be crucial in future risk mitigation. “High-profile corporate collapses linked to governance deficiencies have led to a wide-ranging review of the audit and corporate governance framework,” he said. “Strong, effective and well-resourced internal audit functions have a central role to play in supporting boards to better manage and mitigate the risks they face.”
The Code made 38 recommendations, including giving internal audit a seat at executive committee meetings, access all areas passes to the business, and a direct line to CEOs. Nelson made his position clear, adding: “I urge boards, and in particular Audit Committees, to apply the Internal Audit Code of Practice to increase the effectiveness of their internal audit functions, in the pursuit of stronger corporate governance and risk management.”
For Jardine though, the focus should now be on leadership teams having meaningful conversations about how to effectively engage with an apply the Code in practice.
“It’s a year since the Code was published and again there is significant noise in some circles about corporate failure,” says Jardine.
“[The internal audit function] needs to be at the same level as the executive team and have access to executive meetings. They also need to have an independent line into the chair of the Audit Committee, and make sure that the budget is separate and approved by the board, not by the Chief Executive.
“The principle is that you need to have a well-staffed audit function with the right capability to allow you to challenge appropriately the risk management of that business - it's just common sense. But it’s all about doing better.”
Jardine is also emphatic that a good audit function will judge its performance on how much tractions its recommendations gain. “There's no point writing an audit report, which includes actions and timescales, it if it's not listened to,” he adds. “Actions also have to be tracked. What's wrong with having a really good audit function? Nothing. It can drive change in the business and improve it. It can help avoid pitfalls.”
The Code is designed to deliver standardised behaviour across companies and sectors. “It’s designed to raise standards,” asserts Jardine. “A CEO should be saying: ‘I want a strong audit function because I need to know that my team, is thinking hard about risk, and understands how well risk is being managed.” And it’s difficult to understand why any CEO and CFO wouldn’t engage with the CIIA’s Code of Practice given its principles are already tried and tested in the banking sector.
Of course, the pandemic is bringing all sorts of challenges to the business landscape – that is a very different scenario to the banking crisis of 12 years ago. Has that added risk? Maybe, but for Jardine it’s good test of the function. He adds: “A good audit function will help you understand how resilient your business is. Corporations are being tested in terms of their supply chains and their cash position throughout this pandemic.”
Finally, Jardine emphasises the importance of internal auditors building trust within their organisations. “It’s about building relationships, and understanding that, when you do find something that needs to be fixed, it is better to do so together.”