Internal audit in integrated governance

A board meeting focused on internal audit and integrated governance. Image courtesy Dr Axel Kravatzky.

Reviewing the governance framework for a bank in the British Virgin Islands about ten years ago, I noted that the most impressive governance review was done by the internal auditor.

It was concise, systematic, insightful and up-to-date with the latest and relevant national and international developments.

Working as a consultant to companies on strategy, compliance, audit and risk management, and later with boards, I am often struck by how little realistic knowledge many boards have of what is actually going on in their organisations.

Internal audit is in an even stronger position than an external consultant to close that gap. Internal audit functions are instrumental in closing the distance between strategic planning and what happens in practice.

The core function of internal audit, according to the International Professional Practices Framework (IPPF), as promulgated by the Institute of Internal Auditors (IIA), is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

This mission statement encapsulates the essence of what internal audit aims to achieve within an organisation.

It highlights the dual role of internal audit in not only assessing and improving the effectiveness of risk management, governance and control processes but also in providing valuable insights and advice to further organisational objectives.

Therefore, where there are large disconnects between board, internal audit and executives, as the IIA's OnRisk 2022 study revealed, this points to unrealised potential, as well as to risks to achieving even what the organisation has already committed to.

More than that, it speaks to some fundamental approaches to management, governance and good delegation in general.

Whenever a person or body delegates to, or contracts with, another party to perform activities and deliver outputs and outcomes, the delegating party remains accountable for the results. It should therefore not rely solely on the reports of those to whom it has delegated; it needs its own direct view of what is going on. In other words, it requires an audit function.

In larger organisations, this function is performed for the board by internal audit. This is a necessary aspect of effective governance.

So what does regional corporate governance guidance say about the role of and relationship with internal audit?

Integrated governance requires internal audit functions

Let us step aside for a moment to look at the IIA OnRisk 2022 report and ask ourselves what is essential to integrated governance.

Among the key insights in the report are:

– There are notable variations in how the risk-management players surveyed (boards, executives and internal audit) rate key risk areas.

For example, boards were significantly more likely to rate disruptive innovation as a highly relevant risk (77 per cent) than were senior executives (50 per cent).

– Significant gaps existed between participants' assessment of how relevant a risk is to their organisation and their assessment of the organisation's capability to respond to it.

For example, cyber security had an average rating of 87 per cent in terms of relevance to the organisation, but organisational capability to respond was rated at only 42 per cent, and average personal knowledge at only 31 per cent.

– Perceptions of risk relevance vary greatly across the ESG components: organisational governance dominated in terms of relevance over social sustainability and environmental sustainability in the minds of survey participants.

ISO 37000 as a national organisational governance standard

ISO 37000:2021 provides comprehensive guidance on the governance of organisations, underscoring principles such as social responsibility, risk governance and long-term viability.

Caribbean standardisation bodies, and through them, experts and stakeholders from various industries and organisations across TT, St Lucia and Jamaica, were actively involved in developing the ISO 37000 standard between 2017 and 2021.

For Caribbean entities, the adoption of ISO 37000 as the national standard in TT, St Lucia and Jamaica signifies a commitment not just to regulatory compliance but to sustainable, ethical and effective governance.

This global and now also national standard applies to all organisations, irrespective of size or sector, and offers a blueprint for Caribbean corporations aiming to align with international best practices while catering to regional demands.

Assurance in oversight: Actionable strategies for Caribbean enterprises

ISO 37000 underscores the governing body's responsibility for effective oversight of the organisation. This includes ensuring that an internal control system is implemented and functioning as intended. The standard clarifies the nature and elements of the internal control system and assurance processes, integrating them into the organisation's governance framework.

The oversight responsibility encompasses several key actions:

Implementing an internal control system (ICS): This system should include risk management, compliance management and financial control systems to help the organisation manage its risks and comply with legal and ethical standards.

Assuring governance system design and operation: The governing body must assure itself that the governance system is appropriately designed and operating effectively. This involves a continuous assessment of the system's effectiveness in achieving the organisation's objectives.

Direct verification and reporting: The governing body should engage in direct verifications and receive direct reports from independent control functions, including risk management, compliance management and internal audit. These reports provide the governing body with insights into the effectiveness of the governance processes and the internal control system.

Role of internal audit function

The internal audit function plays a pivotal role in the assurance process within the governance framework of ISO 37000.

It acts as an independent provider of assurance to the governing body, focusing on the effectiveness of governance processes, risk management and compliance management.

Key aspects of the internal audit function include:

Independence and objectivity: Internal audit must operate independently from management to provide objective assurance on the effectiveness of the organisation's governance, risk management and control processes.

Reporting to the governing body: Internal audit reports directly to the governing body, typically through the audit committee. This reporting structure ensures that the governing body receives unbiased information about the organisation's internal controls and risk management practices.

Enhancing risk-management processes: By providing objective assurance and guidance, the internal audit function helps to enhance the organisation's risk-management processes, ensuring that risks are appropriately identified, assessed, and managed.

In summary, ISO 37000:2021 places significant emphasis on the role of the internal audit function in assuring the governing body regarding the effectiveness of the organisation's governance, risk-management and control processes. The standard outlines a clear framework for oversight and assurance, highlighting the importance of an independent and objective internal audit function in supporting good governance practices.

Dr Axel Kravatzky is managing partner of TT-based Syntegra-360 Ltd, vice-chair of ISO/TC309 Governance of Organizations and president of EUROCHAMTT.

He enables companies to flourish through integrated governance, certified management systems and transformational leadership.
