It is not “Secret Squirrel” stuff but IA groups tend to be fanatical about their so called independence from the organisational structure revelling in the fact that they report to a board committee and operate outside of the normal organisational structure. So much so that in some companies they are viewed by the executive as being a fifth column within the organisation. This operational independence has in some instances moved to the extreme where IA groups have even been located in separate buildings and in other cases started to offer consulting services to management. This is nonsense and can lead to organisational behaviour which is detrimental to the company’s performance.
If we look at the facts:
- There is no argument at all that corporate entities must have a robust IA function within their structure which in some jurisdictions is mandatory under the regulation
- Almost all of IA findings are mundane operational compliance issues which management, when notified, can attend to and rectify in an immediate sense. While important to ensuring operational integrity these issues are not earth shattering
- The majority of operational compliance issues and minor financial irregularities are in the first instance identified by management during their normal duties and not by the IA group
- Major financial, regulatory or compliance issues which involve senior staff or contractors are reasonably rare but by their very nature and possible negative effect on the business require a separate and confidential IA reporting line through the audit committee chairman to the board
- As computer compliance and technical issues have assumed a huge importance in operational performance IA groups need to include a robust technical aspect to their review portfolio.
Taking the above into account, a reporting line function which I’ve successfully worked with is that organisationally IA report to the CFO and sit on the board audit committee with the absolute right to report confidently and directly to the Chairman of the committee on any issues which in their opinion are of such an important nature as to warrant special board consideration.
However as we move into new and more complex business environments with each and every decision impacting on another part of the business and different market pressures influencing functional behaviour, changes in business practise have been forced on companies, resulting in modifications of internal functionality and organisational structures. The addition of more robust governance disciplines coupled with increased shareholder pressures have also influenced boards into more direct monitoring of company and executive performance. These various pressures have resulted in numerous internal changes to historic business models and produced increased performance expectations while focusing on retaining a cohesive, vibrant and successfully functioning operations. These changes have forced most boards to review the relevance and natural discipline of their existing board sub committees and the value they add to board decision making has come under close scrutiny.
In addressing these new business pressures it is my opinion that it is necessary for boards to establish a new “Risk and Finance” committee. This new committee brings together a number of various business accountabilities and responsibilities into one group including morphing the previous audit committee function into the new structure. Naturally the committee’s accountability and responsibilities are presented in detail in the corporate governance document. The IA function can then through this committee have oversight of a number of additional functions such as risk analysis, debt/equity ratio monitoring, etc. thus enhancing and enlarging their current and historic responsibilities.
Therefore in my opinion so called internal audit functions can no longer survive in their currently accepted structure nor reporting lines. They will need raise their corporate involvement and expanded their functionality to cover a far greater business horizon and as a result will be required more than ever before to work more closely and cooperatively with other functions and groups within the business. In addition, with the introduction of more efficient technology IA will need to embrace real time compliance reporting more so than ever before. These operational facets will force a significant change in attitude and understanding of their function within the organisation from most IA groups. They will no longer be able to maintain organisational separation and will need to function as an integral part of the management structure.
The key point to this enlarged IA responsibility is that they must be seen to be part of the organisation reporting to the CFO but still retain the absolute right to communicate directly with the committee chairman should the occasion and need arise.
I know there will be many who disagree with my next comment but gazing into my crystal ball I predict that within twenty years you won’t be able to recognise todays so called internal audit function. The word “audit” with all its negative connotations will be dropped and the function and responsibilities will be morphed into a far more inclusive group involving a greater intensity around analytical and in-depth reviews of key operational drivers and strategic risk elements with more focus on compliance and governance issues but still responsible for identifying major financial misdemeanours. Reporting will be in real time and there will be a demand for more focus on remedial recommendations covering all aspects of the business operation.
"...gazing into my crystal ball I predict that within twenty years you won’t be able to recognise todays so called internal audit function."