When things go wrong, as they sometimes will, in corporate entities in India and abroad, the question invariably asked is “what were the auditors doing?”. Statutory Auditors are often in the firing line, but they sometimes manage to get away using their disclaimers as their shield. Internal Auditors however have no place to hide. The explanation that the blowout happened in some area, not covered by the annual audit plan, will not wash. The outside world rightly believes that the function of Internal Audit (IA) is to scrutinise the conduct of business, to ensure that it is consistent with laws and regulations, and delivers value to all stakeholders.

There was a time when the IA function was a minor entity in the corporate structure, and did not receive adequate attention. Statutory audit was believed to represent the entire universe of audit that the company had to provide for. Happily, that relative irrelevance has become a thing of the past. Presently, no corporate, big or small, can ignore the role of IA, even if some treat it as a necessary evil.

A starting point for assessing IA in a corporate has to be the existing reporting relationship. There have been companies in which Internal Auditors reported to the CFO and/or CEO, and as a consequence, were unable to, or were perceived to be unable to, function independently. Reporting to the CFO and/or the CEO blunted the sharpness of audit, and in some cases the remit of the IA function was circumscribed.

It is absolutely necessary to ensure that the Internal Auditor reports, in respect of his/her functions, only to the Audit Committee (AC) of the Board, and to no one else. Some companies indicate that they enable “access to the AC” by the Internal Auditor. This is clearly inadequate. Direct reporting is far more value-adding than “access” that might not amount to more than a dignified physical presence in meetings, or, what is worse, occasional interaction. For administrative purposes, such as the provision of an adequate number of persons or for logistics support, the Internal Auditor would have to approach the CEO, since the AC cannot make these requisites available. It should be ensured that reporting for administrative reasons to the CEO does not translate in any manner to placing the CEO in a position in which he/she can influence the conduct of IA.

Strengthening the function of IA is one of the major responsibilities of the AC. It is not enough to invite the Internal Auditor to all meetings, and have him/her remain a mute spectator for the most part of the meetings. What often happens is that the agenda of the AC is disproportionate to the time allotted, and therefore IA presentations and reports are rushed through, doing no justice to the interests of the company. ACs should ensure that IA reports are sequenced sufficiently high in the agenda, and that adequate time is budgeted for presentations and discussions. If it is found that detailed IA presentations cannot be accommodated in quarterly AC meetings that focus on results, at least 2 non-accounts meetings should be scheduled to allow enough airtime for the Internal Auditor. This practice of holding 2 additional meetings of the AC has been found to be very useful in companies that have already adopted this practice. Further, the Internal Auditor should not only be a permanent invitee to the meetings of the AC, but should also be enabled to weigh in when matters that impact on the financials of the company are discussed. The AC is, in a manner of speaking, in a situation of in loco parentis with regard to IA. If ACs give short shrift to IA by not attaching adequate importance to its work, the rest of the corporate entity is unlikely to treat the IA function with appropriate respect and seriousness.

The Internal Auditor is expected to prepare an annual audit plan for the subsequent year, and get it approved by the AC. In some cases, this approval is obtained after the commencement of the financial year. There ought to be a sufficiently in-depth conversation between the AC and the Internal Auditor before the commencement of the financial year, regarding the sequencing of the areas of IA quarter-wise, and determining an appropriate periodicity, having regard to the relative importance of each audit area. Leaving it to the management to finalise the audit plan, and to inform the AC is not appropriate, since IA not only reports to the AC, but is also the instrument through which the AC ensures that different audit areas and subjects are revisited with appropriate frequency. The AC should also critically examine requests from IA for extension of deadlines, since it could be a result of the inadequate manning of the IA function.

Knowledge of business is a non-negotiable requirement for IA. Therefore, populating the IA department with persons whose only exposure is to accounting, will not deliver the right results. The connect between audit and business can be ensured by deputing persons from the business function to the IA department for 2 or 3 years. This would be a mutually enriching experience for both the IA function and the business function. In the absence of such a practice, there could be conclusions drawn by IA on account of a lack of adequate understanding of the business. Yet another experiment which has yielded good results, especially in large manufacturing companies, is to have “guest auditors” in the IA department. These guest auditors, who are company insiders with a business background, can help to facilitate a better understanding of why a business function chose to act in a particular manner, in a given context.

In most organisations, IA being a support function is not perceived as a preferred assignment. If this ends up with IA having less motivated persons parked in it, the company will be shooting itself in the foot. As against this, it would be desirable to give persons in the IA department, fixed terms, and also indicate to them where their next assignment is likely to be, once they have satisfactorily completed their innings in IA. This does not however preclude persons staying on in IA for long periods, merely on their volition, and based on their interest and performance.

There is only relatively recent recognition of the symbiotic relationship that exists between IA and Risk Management. Enlightened ACs and managements recognise that IA is unarguably the best instrument for identifying risks, and suggesting risk mitigation. It follows that the Chief Internal Auditor should be a regular presence in the meetings of the Risk Management Committee. At the same time, the Chief Risk Officer should be present in meetings of the AC. This mutuality could considerably enrich the IA function and the Risk Management function.

One of the major reasons for ACs not extracting full value from IA is that the entire exercise is viewed through a transactional lens, rather than a systemic lens. While a transactional approach has its merits, in that it throws up deficiencies from which lessons could be learnt, an undue focus on transactional audit will detract from moving beyond individual transactions to fixing the underlying issues involved. One of the sub-optimal practices that the IA function sometimes follows is to make observations, without being supported by detailed analytics. This is an aspect on which management should challenge the IA in order to make the process of IA value-adding.

There is also the question of whether IA should be undertaken by auditors in the service of the company or by external audit firms. There is merit in both these approaches. However, the few companies that have divided the IA responsibility between its IA department and an external firm have discovered that the performance of the IA department significantly improved on account of learning from, and comparing with, the external IA firm. It has also been noticed in some cases that familiarity blunts the sharpness of questioning and the challenging of management. Therefore, rotation of Internal Auditors in a non-disruptive manner, after the prescribed number of years have elapsed would be a good practice. While the law has prescribed rotation of Statutory Auditors, some companies have resorted to rotation even in respect of IA. This is clearly a good practice.

Happily, IA in banks has become centre stage after the RBI has reiterated and reinforced its two-decade old instructions on risk-based IA. The revised guidelines issued in January, 2021 provide inter alia that the IA function must have sufficient “authority, stature, independence and resources within the bank” so that assignments can be carried out with objectivity.

The AC’s expectations from the Internal Auditor, as from the Statutory Auditor, should not rest with getting confirmation that the practices followed are appropriate. They should be asked to share better practices that some other auditees have, so that the process of value addition is complete. IA is not a fault-finding exercise. Therefore, while the professional scepticism that goes with the audit function should not be eschewed by IA, it must not be forgotten that this is a value-adding exercise, which should identify corrective measures, and throw up solutions.

Finally the good news. The number of trained Internal Auditors with certification from the Institute of Internal Auditors (IIA) is expected to increase. Managements, you have been put on notice.