Companies can notch up plenty of governance brownie points if they focus on risk management and internal audit, says Jackie Cain
In the last ten years significant and drastic corporate events have pushed concerns about risk management and internal control to the top of the agenda for boards, governments and regulators. Spurred on by those events, internal audit and risk management have been developing as key parts of the corporate governance process in the UK. In the wake of the financial crisis and recession, the next ten years will see an increasingly close partnership between risk management and internal audit, as demand for stronger internal control increases amongst boards, management and external stakeholders.
It is only 12 years since corporate governance principles, guidance and recommendations were brought together into the UK’s first Combined Code, in 1998. In 1999, the Turnbull guidance was published, to support the new Combined Code. The Turnbull guidance formally recognised that a “sound system of internal control” can exist within an organisation only when there is an active and continuing process for managing risks. A fundamental part of a sound system of internal control is the action that management takes to monitor the effectiveness of its risk management processes and its responses to individual risks.
As good as this recognition may have been for the discipline of risk management, it also played an important part in the development of the internal audit profession. Turnbull set the expectation for risk management to be part of internal control. The complementary need of the board and management for objective assurance around that risk management and internal control also became more evident.
But these were still early days in the development of principles of good governance. The turn of the millennium was to witness landmark examples which would prove the point on internal control. Enron in 2001 demonstrated very clearly what can happen when control fails or is non-existent. Enron was worth $60bn and its collapse was the largest bankruptcy in US corporate history at that time. As if to emphasise the point still further, the collapse the following year of the $180bn WorldCom Corporation raised the bar on corporate failure even higher. There have been many more examples over the last ten years where the response to risk and inadequate internal control have resulted in failure. In 2002, Xerox in the US was fined $10m for mis-stating its profits. In the same year, Merrill Lynch, the US investment bank, was fined a similar amount for unethical practices. Whilst these were all US corporations, Europe was not exempt from poor practice on internal control. Also in 2002, Allfirst, the subsidiary of Allied Irish Bank (AIB), revealed that one of its traders had made losses of $700m over a five-year period, due to poor supervision and controls. And in 2008, Société Générale uncovered a $7.2bn fraud in its investment banking business. The fraud had gone undetected by the bank’s own multilayered security systems for more than a year.
These events have fed the debate on corporate governance globally and created opportunities for risk management and internal audit to come to the fore. Since 2003, the Combined Code has recognised the importance of internal audit to effective governance.
For its part, the internal audit profession has seen much improvement in the support of its practitioners. The profession’s knowledge base, guidance and professional competence have all developed significantly, starting in 1999 with the publication of a new Definition of Internal Auditing. The profession has grown considerably in number during the last ten years too. Membership of the Institute of Internal Auditors globally had reached 160,000 by 2008. Growth globally was mirrored in the UK and Ireland, where membership of the IIA - UK and Ireland now exceeds 8000. The Institute’s Diploma (PIIA) and Advanced Diploma (MIIA), together with its qualifications in computer audit, have supported the development of over 3000 internal auditors. Many more have passed through its certificate training programme.
A Professional Practices Framework was established in 2001, setting out a structure for professional knowledge management and dissemination throughout the profession, globally. This has since been redeveloped and relaunched as the International Professional Practices Framework (IPPF) in January 2009. The new framework comprises strongly recommended guidance for members in the form of position papers, advisory notes and other guidelines on best practice. Then there are mandatory elements of best practice, with which all members must comply. These are: the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (known as the “International Standards”).
The International Standards themselves were recognised in the Smith Guidance to Audit Committees, which was published in 2003 as a supplement to the Combined Code. The International Standards are reviewed and reissued to all members regularly. They are principles-based but mandatory requirements, covering the 49 key aspects of internal auditing. The International Standards are organised into “Attribute” and “Performance” categories, which define the characteristics of organisations and the individuals performing internal audit functions, and the quality criteria against which performance of internal audit functions should be measured.
This development of the profession globally and in the UK and Ireland has brought internal auditing to a state of maturity which has now been publicly recognised; 2010 will see the award of chartered status to the Institute of Internal Auditors in the UK and Ireland, with its advanced diploma holders able to call themselves “Chartered Internal Auditors”, with the letters CMIIA. During the last decade, internal audit has become better able than ever to take up the challenge of good governance.
One can look back over the last ten years of development of risk management and internal audit with a certain satisfaction, in the context of this decennial issue of StrategicRISK magazine. However, the present and the future are the real proving grounds for both internal audit and risk management if they are to play an increasing role in enhancing corporate governance.
There is more need than ever for boards, audit committees and management to consider their response to risk and ensure appropriate, effective internal control. And there is much proof that this is starting to happen. For example, a report late last year by professional services firm Ernst and Young found that 96% of chief executives surveyed around the world considered that their risk management processes could be improved. This statistic is one of many published in reports and surveys over the last year which demonstrate boards’ increasing acknowledgement of their responsibility for controlling their organisations more appropriately.
This increased interest in a wider view of internal control means that boards are increasingly looking for evidence that there is confidence in the risk management process, confidence in management’s assurance about risk management and internal control and confidence that regulators, standard setters and others who monitor an organisation will be satisfied with the organisation’s performance on risk management, internal control and governance. Risk management and internal audit professionals can both add immense value in providing that confidence. Risk managers support - and sometimes chase - the management team in identifying and reporting their risks. Internal audit makes its contribution through its fundamental focus on providing those responsible for governance with objective and independent assurance on the effectiveness of those risk management processes and controls.
The increased emphasis of boards on risk management is being reflected in the work of the audit committee. The old primary focus of the audit committee on external financial risks and control is fast changing. Its attention is increasingly also on its assurance needs around non-financial controls and risk management. Internal audit and risk management are increasingly adding their own specialist value to the work of the audit committee. For example, whilst the internal auditor may have detailed knowledge of the whole organisation, he or she is not a risk specialist, and would not be adding to the objectivity and independence of the assurance process by becoming involved in the detail of risk management. For the audit committee, the value of risk management is in its knowledge of the detail, whilst the value of internal audit is in the fact that it is not absorbed in the detail.
For line managers too, the benefits of risk management and internal audit are in their differences of perspective. Line managers rely on risk managers to help them demonstrate to their boards that they are in control of the organisation and anticipating its future needs in terms of risk management and internal control. They need internal audit’s independent view on what is working well and early warnings when things need improvement.
Having highlighted to managers the areas in need of change, there is some debate within the internal audit profession about the best way to achieve improvements in internal control. Line managers know their departments and requirements best. So, some internal auditors make their recommendations and agree them with managers. Other internal auditors involve managers earlier by discussing the problems and working collaboratively with them to identify an effective and practical solution. And there are further variations on these approaches. Whatever the method, the ultimate goal for internal auditors is the same as for risk managers: to support the organisation to achieve its strategic goals over the long term.
The complementary relationship between internal auditors and risk managers is marked by the fact that risk managers understand the detail of risks and help managers respond appropriately to them. But there may be many types of risks and many assurance providers which the board needs to consider. Internal audit can provide the necessary overview and contribute its independent judgement on the effectiveness of all risk management processes. This not only supports the risk management function but also provides assurance which the board needs to execute its governance responsibilities.
This common strategic purpose and different, but complementary perspectives on internal control will bring risk management and internal audit closer together during the next ten years. The relationship between internal audit and risk management is based on the increasing acknowledgement that successful organisations are built on good governance. Good governance requires good internal control. Good internal control is not achieved without good risk management. All of these things - governance processes, internal control and risk management - require internal audit’s objective and independent assurance on their effectiveness.
Internal audit and risk management functions have developed considerably during the last ten years. Their importance to good governance and their different but complementary perspectives will make for an ever stronger partnership in the future.
Definition of Internal Auditing:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation achieve its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
The Institute of Internal Auditors, 1999.
Jackie Cain is technical director, Institute of Internal Auditors