I have recently been attending a training course provided by the Institute of Chartered Accountants Australia and New Zealand. The course has focused largely on recent company collapses in the UK and the role of the company's management, the accountants, the external auditor, and the regulator during the demise of some high profile businesses. The course has also touched on the Business, Energy and Industrial Strategy Committee (BCIES) inquiries into Carillion and Thomas Cook.
I've personally found the course very interesting, as well as validating; confirming many of my own personal opinions. There has been one notable exemption from the course however; the internal auditor. Given the nature of the course and it's intended audience, I'll cut the ICAANZ some slack, but it did provoke a lot more thinking into the role of Internal Audit in all of these companies. After all, if the board, management and external auditor must all face the wrath of a government inquiry and the Financial Reporting Council (FRC), why should the internal auditor get off scott free?
It's probably worth looking into Corporate Governance arrangements in the UK and whether legally, businesses are required to have an internal audit function. The ICAS has a great article about internal audit and its role in corporate governance. You can read the full article here. At present, there is no law requiring businesses in the United Kingdom to have an internal audit function. The same situation applies to businesses in Australia. In both Australia and the UK, businesses listed on the relevant stock exchange are required to either have an internal audit function or explain why they don't have one.
The 2018 Deloitte, Annual Report Insights: Surveying FTSE Reporting identified that 81% of listed companies had an internal audit function (93% FTSE 350, 65% smaller companies). For these companies, the FRC have published the UK Corporate Governance Code. The Code is applicable to all companies with a premium listing on the LSE, whether that company is incorporated in the UK or elsewhere.
So if these businesses, such as Carillion and Thomas Cook, who have an audit function, should they have been scrutinised more by Rachel Reeves and her team during the inquiries?
For Carillion, they used Deloitte as an outsourced internal audit provider. Deloitte's name was thrown around at times, particularly in the media, however this was more likely as part of the 'Big 4' bashing rather than interrogation of their work.
Following the collapse of both Carillion and Thomas Cook (and a string of others), the Chartered Institute of Internal Auditors released the Internal Audit Code of Practice, aimed at strengthening current governance arrangements and responsibilities. The Code of Practice compliments the commonly recognised International Professional Practices Framework (IPPF) Standards.
Even with all these governance arrangements, from both regulators and the Institute, it could still be argued that the role of internal audit should have been more scrutinised in these high profile collapses.
As noted in the Standards, Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. To achieve this, they must report to a level in the organisation which allows this independence to be achieved. However, we note that in many organisations still today, internal auditors may report to the CFO. In such situations, does this really encourage or allow for independence?
For the audit committee who is responsible for monitoring the performance of the internal audit function, how effective and indepth is the monitoring? Whilst external assessor may be bought in (as required by the Standards should an audit function wish to say they are compliant with the Standards), or peer reviews may be performed, it would be fair to say that audit committee assessments are generally performed based on what they see presented to them at an Audit Committee or discussions with other higher level executives. When an audit committee doesn't even receive a copy of the audit report, but rather a summary of the report, is the audit committee able to justify the quality of the work being prepared by the audit team?
Even before we make it to the audit report tho, we should start at the beginning with the annual plan. It would be expected that the audit committee should review and approve the annual plan, however as per the Deloitte report, 52% of listed companies stated in their annual report that internal audit annual plans were set with clear reference to the risks of the business. Whilst this statistic is based on disclosures only in the annual report, it questions how much these disclosures differ from reality.
As we move onwards to the the actual fieldwork, the quality of the work is only reviewed internally (if at all). Unlike external auditors, the work of internal auditors is not subject to external regulators. Continuing with Carillion and Thomas Cook as our examples, where part of their downfall was attributable to aggressive accounting practices (which may have been highlighted through any internal review of journal entries or management reporting), it questions whether the internal auditor should have done more. As they are based in the business and would have been privy to the businesses day to day operations and financial results, was an appropriate risk based plan built, and if so, was the audit work performed internally sufficient. Any work performed by the internal auditor should compliment the technical work performed by the external auditor who only ever looks at the business at a point in time (i.e. reporting date).
When monitoring the performance of audit teams, its largely based on output KPIs, such as the timeliness of reporting and satisfaction survey's from report recipients. Again, are such metrics really ensuring the quality of audits work, or the ability for the function to deliver reports on time which keep the stakeholders happy?
Despite all the best efforts of the regulators (such as the FRC) and the Institute, through the development of Codes and issuing of guidance, there are multiple fronts where the quality of internal audit can be lacking. Ensuring a good culture and tone from the top will go a long way in ensuring that the audit team continues to be a trusted and respected function of the business, however internal audit teams should be open to more scrutiny. Whether this is from the Institute itself or from regulators, Internal Audit is a valuable member of the business, and as such, should be help more accountable. In situations such as Carillion, Thomas Cook and even further back to the Tesco accounting scandal, I believe that Internal Audit should have been held more accountable.
What do you think?