King III - Chapter 7: Internal audit

The challenge that the board faces is how it concludes that an effective internal audit function was operational for the period covered by the integrated report. While the execution of a risk-based plan would have been sufficient for this purpose in the past, King lll requires a more holistic approach that is related to other areas as well. Practically, this means a challenging of the norms and exploration of concepts that will move internal audit in the direction of real progress. These include:

• Annual report disclosure in the event that an effective internal audit function was not maintained
• An organisational custodian function in situations where internal audit is outsourced
• Reviewing organisational ethics
• Cost optimisation and the prevention of assurance fatigue
• An assessment of the control environment
• The relationship between internal audit and audit committees
• The role and attributes of a chief audit executive
• The implementation of an internal audit quality assurance and improvement programme
• The interdependency between internal audit and other assurance providers such as risk management

Adequacy of suitable skills and an understanding of the true absorbed cost of internal audit will be instrumental in the assessment of the potential of internal audit to deliver value to organisations as envisaged in King lll. In this environment, diligent audit committees will ask the difficult questions and more assurance than in a compliance-based quality review will be required to provide committees with a reasonable level of comfort.

The maturity of other functions such as ethics and risk management with which internal audit is expected to interact may be cause for some concern. Immature functions that form part of a combined assurance view are likely to complicate assessments of control environments, even where internal audit has been effective.

Leadership, strategic inquisitiveness and other attributes will need to drive the expectations of the chief audit executive. This, coupled with strong analytical skills and the ability to interact at the highest levels of the organisation, are fundamental to internal audit using the opportunities it is afforded in King lll to reach a level that populists conclude is internal audit’s rightful place. Appropriate technology leverage in the performance of internal audit becomes non-negotiable.

Ultimately, internal audit will have to make combined assurance work and help organisations realise the benefits of cost optimisation, prevention of assurance fatigue and a business partner relationship that adds real value by sifting through the irrelevant and focusing on the critical.

1. Is internal audit aligned to strategy and does its plan focus on areas that are most likely to impact stakeholder value?
2. Is internal audit effective and frequent enough in its communications with the audit committee and us?
3. When last was an objective assessment done to ascertain whether internal audit has the appropriate level of technical and analytical skills required to address the industry risk and risk requirements of our business?
4. Is our internal audit function poised to lead a combined assurance initiative?
5. Is there sufficient assurance of our ethics and risk management programmes?
6. Does internal audit utilise technology in its processes and use existing systems and data effectively in the performance of its work?
7. What were our most recent loss events and what comfort did internal audit provide us with on these?
8. How does our internal audit function compare against its peers in benchmark studies?
9. Is our chief audit executive subjected to a robust annual assessment based on key attributes relevant to our business?
10. What is our true absorbed cost of internal audit?
11. Is our internal audit agile enough to address emerging business issues?
12. Does the internal audit function have the necessary and diverse skills required to give assurance to the audit committee on internal financial control?