In recent years, cases of corporate failure have highlighted the need to look beyond the assurance provided by external audit and the oversight role of the statutory audit committee with respect to the board’s responsibility for risk management, control, and the entire governance framework. Attention has been focused on strengthening internal governance infrastructure that will provide the basis for external audit. Consequently, the role of the internal audit function has become quite critical in providing the required support to the board in the discharge its governance responsibilities.
Principle 18 of the Nigerian Code of Corporate Governance, 2018 (NCCG) provides that, “An effective internal audit function provides assurance to the board on the effectiveness of the governance, risk management and internal control systems.”
The Institute of Internal Auditors defines internal audit as an independent, objective assurance and consulting activity, designed to add value and improve an organisation’s operations. Internal audit supports the actualisation of corporate objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the governance process. It provides independent assurance on the management of risk and the effectiveness of the controls designed to mitigate identified risks. The contemporary internal audit can be described as the “eyes and ears” of the board of directors.
The NCCG requires the board to oversee and approve the establishment of an internal audit framework that provides assurance on the effectiveness of the governance, risk management and internal control systems. To achieve this, the function should be a strategic business unit of the company and not a mere support function as it’s typically the case. The unit should be headed by a competent, experienced and sufficiently senior management staff who will report directly to the audit committee, “with a line of communication” to the MD/CEO.
There is a debate as to which is more effective – insourcing or outsourcing the internal audit function. The suspended FRC code (which the NCCG replaces) clearly stated that the function should not be outsourced. If the role is to function as a strategic business unit, it is expected that significant knowledge of the company’s operations will engender effectiveness. Concerns of independence and undue influence where the role is insourced can be addressed by hiring right, significant seniority for the chief internal auditor as well as periodic rotation of the internal audit team.
Where the board decides not to establish the internal audit function, internally or outsourced, the code requires that sufficient reasons should be disclosed in the company’s annual report with an explanation as to how the board has obtained adequate assurance on the effectiveness of the internal processes and systems such as risk management and internal control.
For the internal audit unit to effectively contribute to good corporate governance, the board should set the right tone at the top and ensure support for the internal audit at all levels of the organisation. The effectiveness of internal audit depends largely on the level of independence and the quality of resources allocated to the audit function. It is therefore in the board’s interest to protect the independence of the internal audit and to allocate adequate resources – including staffing, access to appropriate technology tools and training.
The code advocates for a proactive internal audit function that adopts a risk-based audit process as opposed to a compliance approach which is limited to the evaluation of adherence to procedures. The board, through the audit committee, should refine the scope of work of internal audit and ensure that the purpose, authority and responsibility of the internal audit function are clearly defined in an internal audit charter approved by the board.
The code requires that the internal audit function is independently assessed at least once every three years by qualified professionals. The evaluation of the Head of internal audit function shall be performed by the audit committee, and he/she may only be removed by the board on the recommendation of the committee.
A healthy relationship with the audit committee is critical in ensuring a clear understanding of the specific needs of the audit committee. The audit committee also discharges its responsibilities better with the support of an independent internal audit function.
The Head of internal audit is required to report at least once every quarter to the audit committee, on the adequacy and effectiveness of management, governance, risk and control environment, deficiencies observed and management mitigation plans. The reports should include recommendations for enhancement or improvement. The Head of the unit should liaise with other internal and external providers of assurance on regular basis in order to ensure proper coverage and to minimise duplication of efforts.
There is no gainsaying that the internal audit function is exposed to dilemmas and threats to independence and objectivity. These threats include self-review, social pressure, economic (or self-interest), familiarity, intimidation and personal relationships. It is however, possible to maintain the level of independence required to carry out their functions efficiently whilst not betraying the loyalty expected of them as employees, matched with the duty to disclose information in the interest of the enterprise.
Strategies for achieving this balance include having in place a comprehensive audit charter that defines roles, responsibilities and reporting lines. The internal auditor should not assume management responsibilities; an active, supportive and knowledgeable audit committee; rotating audit assignments; avoiding self-audit; disclosure where independence or objectivity is impaired (in appearance or in fact); direct and unrestricted access to the board and above all, professionalism – the hallmarks of which are integrity, competence and a duty of care.
BISI ADEYEMI
Bisi Adeyemi is the Managing Director, DCSL Corporate Services Limited. Kindly forward comment(s) and reaction(s) to [email protected]. DCSL provides governance advisory, corporate restructuring & board evaluation, board & senior management training, retreats & strategy sessions, executive talent recruitment, HR outsourcing, company secretarial services.
