Leveraging internal audit: Questions the audit committee should be asking

Catie Hall, Director, Governance Insights Center, PwC US
September 27, 2022

The audit committee’s agenda is packed, whether it’s oversight of evolving risks or a business-as-usual topic such as financial reporting. Leveraging internal audit (IA) to aid in understanding complex topics and the company’s ability to effectively mitigate risks is imperative these days. As you prepare for the quarter and your next meeting with the chief audit executive, here are three questions to consider for discussion:

1. What is your confidence level that the internal audit function is spending time in the right areas?

Internal audit continues to be viewed by many as an assurance provider focusing mainly on financial reporting risk and SOX controls that provide a reactive perspective on risks. Leading organizations are evolving their view, looking for internal audit to more proactively provide assurance and insights over operational and strategic risks as well as key strategic initiatives.

Dig deeper:
  • Does internal audit have the autonomy needed to guide its plan?
  • Are the board, executive team, and the internal audit function aligned on internal audit’s mandate in the company?
  • How has IA’s mandate evolved over time in line with the broader company’s evolution and should it evolve further?
  • What percentage of internal audit’s plan focuses on traditional financial reporting risk versus critical operational and strategic risks?

2. How is internal audit working with process owners, functional areas, and possibly external auditors in advance of the finalization of the proposed SEC disclosure rules on climate, human capital, and cybersecurity?

The last few months have seen a flurry of activity as companies try to understand the details of the SEC’s proposed rules and their implications.

Dig deeper:
  • How is internal audit collaborating with other groups to help advance the company’s compliance?
  • How is internal audit evaluating the related processes, systems, and controls enabling the high-quality reporting needed in a regulatory filing?
  • For any identified gaps in information needed versus high-quality information available, what is IA’s plan to address those areas that pose the greatest risk to the organization and will require the most focus?

3. How is internal audit working with other risk functions (e.g., compliance, enterprise risk) to deliver a combined view of risk to the audit committee?

With a limited amount of time and increasing public scrutiny, it is critical that the audit committee have a clear picture of the company’s top risks, risk owners, and mitigating activities. While IA may not be formally tasked with building an integrated assurance program for the organization, they should understand how other risk functions view the risks in their respective areas. That also includes understanding other assessment and monitoring activities performed across the business to better inform the internal audit plan.

Dig deeper:
  • How are risks being identified and reported? Who is reviewing the mitigating activities for effectiveness?
  • How are your chief audit executive, chief risk officer, and chief compliance officer partnering together to view risk holistically?
  • Is the manner in which different risks are evaluated, rated (if applicable), and reported on by their functions aligned?
  • Can internal audit rely on monitoring activities performed by the organization’s compliance function to gain greater risk coverage?

Contact us

Catie Hall

Director, Governance Insights Center, PwC US

Deborah Mack

Principal, Risk and Regulatory, PwC US
