The internal audit process
- The audit committee should monitor and review the effectiveness of the entity’s internal audit function. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board and executive management, and the reasons for the absence of such a function should be explained in the relevant section of the annual report.
- Senior management and the board require objective assurance and advice on governance, risk and control. An adequately resourced internal audit function shall provide such assurance and advice. There may be other functions within the entity that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues.
- When undertaking its assessment of an internal audit function, the audit committee should also consider whether there are any trends or current factors relevant to the entity’s activities, markets or other aspects of its external environment that have increased, or are expected to increase, the risks faced by the entity. Such an increase in risk may also arise from internal factors such as organisational restructuring or from changes in reporting processes or underlying information systems. Other matters to be taken into account may include adverse trends evident from the monitoring of internal control systems or an increased incidence of unexpected occurrences.
- In the absence of an internal audit function, management needs to apply other monitoring processes in order to assure itself, the audit committee and the board that the system of internal control is functioning as intended. In these circumstances, the audit committee will need to assess whether such processes provide sufficient and objective assurance.
- If the external auditor is being considered to undertake aspects of the internal audit function, the audit committee should consider the effect this may have on the effectiveness of the entity’s overall arrangements for internal control and stakeholder perceptions in this regard. Stakeholder perceptions are likely to be influenced by:
- the rationale set out in the annual report for the work being performed by the external auditor;
- the nature and extent of the work performed by the external auditor;
- how the independence and objectivity of the external auditor and internal audit function have been safeguarded; and
- Whether, in the absence of internal audit work, the audit committee is wholly reliant on the views of the external auditor about the effectiveness of its system of controls relating to core activities and significant locations.
- The audit committee should review and approve the internal audit function’s remit, having regard to the complementary roles of the internal and external audit functions. The audit committee should ensure that the function has the necessary resources and access to information to enable it to fulfil its mandate, and is equipped to perform in accordance with appropriate professional standards for internal auditors.
- The audit committee should approve the appointment and/or termination of appointment of the head of internal audit with sufficient reasons provided for the same.
- The performance assessment of the head of Internal Audit should be driven by the Audit Committee and should not be left at the discretion of the management.
- In its review of the work of the internal audit function, the audit committee should:-
- ensure that the internal auditor has direct access to the board chairman and to the audit committee, and is accountable to the audit committee;
- review and assess the annual internal audit work plan;
- receive a report on the results of the internal auditors’ work on a periodic basis;
- review and monitor management’s responsiveness to the internal auditor’s findings and recommendations;
- meet with the head of internal audit at least once a year without the presence of management; and
- Monitor and assess the role and effectiveness of the internal audit function in the overall context of the entity’s risk management system.