Posts Tagged “audit committee”

Audit International are privileged to share some recent insights from Dr Rainer Lenz, Head of Corporate Audit at Villeroy & Boch, on his thoughts about internal audit and its independence.

“Recently, I was invited to share some thoughts about independence of internal auditors. I am basically challenging that concept:

The IIA definition positions internal auditing as an …

“independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

To be blunt, in my view, independence is largely theory. It is overrated, I think. So is objectivity. But let’s stay with the subject matter of independence. There is nothing wrong with aspiring to independence. But, who cuts the hand feeding him? There are inconsistencies among talk and action. Consequently, academic authors refer to the internal auditor’s “role dilemma” and “role confusion”, acknowledging for example the difficulties of internal auditors to strike the balance between being independent from operations and, at the same time, providing added value and benefit to operations. Being both watchdog and consultant is challenging.

Some authors view internal audit as a schizophrenic management function. On one hand, it needs to be completely integrated and knowledgeable. On the other hand, it needs a measure of independence required of all auditors. Thus, internal audit may have a built-in cognitive disconnect. Organizations and Chief Audit Executives (CAEs) may cope at different levels of proficiency with such inconsistent demands. Those who can do that well may live longer. Thus, “organizational hypocrisy” may serve a useful purpose.

When you ask non-executive directors and audit committee chairmen what they think, how independent internal auditors are, what will they say? I recall surveys where those members of oversight bodies state that (some) heads of internal audit are not up to the job, internal audit lacks adequate independence, and internal audit has not properly defined the role that they wish internal audit to fulfill.

That points to the “who’s your boss” question. There is no congruence between what the board wants, what the audit committee wants, and what senior management wants. Aiming at satisfying all customer groups is likely to disappoint one or the other customer in some dimension, as all may expect something different from internal audit, such that no one is fully satisfied. In other words, internal audit may face tension from its attempt to serve – let’s say – its two prime customers: managers and the audit committee. The IIA acknowledges that there may be conflicts when internal audit tries to “serve two masters”. Thus, the “who’s your boss?” issue can present problems in terms of allegiances, independence, and effectiveness.

Academic studies confirm that role ambiguity and role conflict can negatively affect the independence of internal auditors. At the same time, CEOs (often) want the CAE to have no fear or favor. It is crucial that the CAE is able to work with other stakeholders in the organization and is not afraid to voice his or her opinion even in controversial situations. That draws particular attention to the importance of the CAE’s characteristics, possibly more important than the debate around independence.

There are authors who suggest that internal auditors must be independent of senior management, so that the board is to rely on internal audit to provide the assurance it needs; otherwise, the risk is that internal audit’s reports to the board/audit committee will be filtered by senior management in such a way that only what is palatable to senior management is communicated. Investing in these relationships and having a steady and robust dialogue is critical to the internal audit function’s success, given its organizational context.

My 2 cents about independence of internal auditors in a nutshell.”

Guest Article Writer: Dr. Rainer Lenz, Head of Corporate Audit at Villeroy & Boch

Source: Lenz, R. (2016), Insights into the effectiveness of internal audit: a multi-method and multi-perspective study, LAP LAMBERT Academic Publishing, Saarbrücken, ISBN 978-3-659-85241-1

How will an Internal Audit function battle cyber security issues for your company WHEN it happens in 2017?

“Could we be hacked?” is no longer the question that senior management of multinational companies ask in the boardroom. The question now is when we will be hacked and how we can combat the data breach. Given the possible exposure and risk to a company’s valuable assets and information, the board of directors has a duty to be adequately prepared for this occasion. How can they prepare for this? One major tool available to them is an internal audit team. Internal auditing is indispensable for helping companies manage cybersecurity threats and preventative programs. Here are some suggestions on how best to prepare.

1- Ensure your audit function is adequately prepared with talent, resources and budget.
It may be the responsibility of your HR department to ensure that you have hired the “IT Audit Dream Team”. Do not hinder this by failing to approve budgets for hiring. In the long term this will cost your company more in time and in finances. Finding the right skills and industry-specific experience is often challenging, and using specialised external executive search firms such as Audit International ensures you find the talent that best serves your company. Management should therefore prepare their companies to prioritize developing, training, and adequately hiring resources for the internal audit team.

2- Keep communication open with your Internal Audit Team
Engagement between the internal audit team and the business it serves is vitally important. In order to comprehend where the cyber risks are coming from, you have to appreciate how the business works. This would include assessing firewalls, networks and apps, but also understanding the company’s processes and how it interacts with customers and sellers. Cyber security risks are moving targets. Most of the exposure lies in a company’s human element. You should ensure your internal audit teams are given a clear and thorough understanding of business operations. The only way this can really happen is to keep an ongoing rotation of internal audit staff into various functions and units of the business. This serves multiple purposes. Firstly, it helps retain valuable talent in the company, as auditors are then satisfied with their own personal career progression. It is a well-known fact in the recruitment space that this is one of the key drivers for auditors to leave their role, which in turn ends up costing the company time and resources to replace, train and hire new audit talent. Secondly, it gives your auditors a more rounded view of the company, so they can add more value and stay in tune with the company.

3- Ensure coordination between functions: IT and Internal Audit
Another integral part of this issue is the level of coordination between the internal audit team and other key functions, which is critical to the success of tackling your cyber issues and risks. You must ensure that your internal audit teams are given access to other members of the IT Audit team. This can include the chief information officer and chief information security officer, as well as human resources, supply procurement, and business leaders. Coordination can make or break any important undertaking, and cybersecurity is no exception.

4- Where to start and what questions to ask first?
Below is a suggestion of where your audit committee can begin and what issues need to be addressed first.
• Currently it is important to ask, what interaction and coordination does the internal audit team have with other corporate functions (e.g., information technology, information security, operations, supply chain, human resources, etc.) related to cybersecurity matters?
• What skill sets does your internal audit team have that are related to information security? Cybersecurity? How do team members keep their skills current? How do you retain team members? Do you need to hire further talent to support them?
• Does the company perform internal and/or external system penetration testing? Are the tests announced or unannounced? What role, if any, does the internal audit team play? Is there open communication between all your functions to facilitate this?
• What types of prevention, detection, and reaction/response testing does the internal audit team perform in the threat and vulnerability management life cycle? Again, do you have sufficient in-house talent to tackle all these problems? Are you supporting your team enough in terms of team resources and talent?
• What role, if any, does the internal audit team play during a breach? Regular meetings and coordination could play an integral part in highlighting how these functions can support each other if a breach occurs which may then lead to quicker resolution of the problem.
• What role, if any, does the internal audit team play after a breach has occurred?
• Who performs cyber-related investigations within the organization? Do you outsource this responsibility and, if so, would it be worth hiring an in-house function to address these issues?

Economic and political uncertainty fused with volatility, regulatory compliance, and operational risk continue to cause major angst among global audit committees, a survey by consulting giant KPMG has revealed.
The survey of over 1,500 audit committee members across 36 countries exposed that for the second successive year, respondents reported that they found it “increasingly difficult” to oversee major risks in addition to financial reporting.

Three out of four respondents said the time required to carry out their audit committee responsibilities had risen significantly (24%) or moderately (51%), while half said the role was increasingly difficult given the committee’s time and expertise.
In addition to financial reporting, members of the committee admitted overseeing further risks such as cyber security.

Tim Copnell, chairman of KPMG’s UK Audit Committee Institute, said: “The resounding message is that the audit committee can’t do it all. Overseeing financial reporting and audit is a major undertaking in itself, and the risk environment is clearly straining many audit committee agendas today.”