The International Standards for the Professional Practice of Internal Auditing Guidance define internal audit governance as: “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
Governance is generally defined as the overall hierarchy, procedures, and controls set in place to achieve the defined objectives.
Internal Audit Governance Standards
The governance of the internal audit department, as defined by the standards and as generally practiced, revolves around the following key points:
The internal audit department is headed by the Chief Audit Executive. A chief audit executive is also referred to as Head of Audit and Chief Internal Auditor in various organizations. He is the person primarily responsible for running the overall department. He is also the key person from the audit department who corresponds with the board and senior management.
The audit department should functionally report to the board and administratively to the CEO. This dual reporting helps protect the independence of the internal audit department.
Administrative reporting involves the day-to-day operations of the internal audit function. Examples of the administrative reporting relationship include internal communications and information flow to human resource administration including personnel evaluations and compensation. Please note that if the CEO believes the extent of administrative reporting is compromising the independence of the department, the CEO should raise the issue to the board.
Examples of Functional Reporting
The CEO and the internal audit department report functionally to the board. Functional reporting is the ultimate source of independence and control. It is what allows the department to work independently of interference from personnel in the organization. Independence is accomplished only if the chief audit executive reports functionally to the board. Examples of functional reporting to the board include the board:
approving the internal audit charter, risk-based annual internal audit plan, internal audit budget, resources plan (manpower and other resources), decisions regarding the appointment and removal of the chief audit executive, and the remuneration and other perks of the chief audit executive;
receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters; and
making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations to the internal audit team.
The dual reporting mechanism, administratively to the CEO and functionally to the board, not only empowers the audit department but also allows it to pursue its objectives independently.
Internal Audit Governance Recommendations
Internal audit must assess and make appropriate recommendations to improve the governance process in order to achieve the following goals:
Instilling appropriate ethics and values in the organization.
Ensuring that organizational performance management and accountability are effective.
Disseminating risk and control information to appropriate organizational units.
Coordinating the activities of the board, external and internal auditors, and management, as well as communicating information among them.
Final Thoughts
Internal auditing is an essential component of the organization’s governance framework. Internal auditors’ unique position within the organization allows them to observe and formally assess the governance structure, design, and operational effectiveness while remaining independent.