First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Internal audit: Essential to minimizing risk


Times have changed – so has risk management

Managing risk in today’s business environment has become a far more complex process than it ever has been. This can be attributed to a number of factors, such as increased government regulation and cyber-based issues. Other factors include uncertain political and economic situations that can arise, sustainable development and environmental concerns. These issues can have a substantial impact on small, medium and large organizations.

Higher expectations

Due in part to these factors, there are higher expectations for management to not only continue to create and sustain value for stakeholders, but to also have the capability of adapting to these constantly evolving concerns.

Twenty questions

Risk management specialist Bruce Webster recently updated his 20 Questions Directors Should Ask About Internal Audit to meet the new complexities of business risk. The CPA Canada publication also reflects the potential value of the internal audit function and its increasing importance in organizational compliance, governance and risk. Even smaller organizations that don’t necessarily require an internal audit function can benefit from discussing these questions and considering the value that independent assurance provides in helping them discharge their governance responsibilities and controls.

As Mr. Webster indicates:

“The questions and responses are designed to comply with IIA’s Standards for the Professional Practice of Internal Auditing (IIA’s Standards), as well as leading internal audit practices. They are meant to be the basis for an informed discussion amongst Board members, management, and the internal audit function itself about the aspirational concepts underlying how internal audit can adapt to the new expectations that are being created for the profession.”

Beyond discussion

The document is only a starting point for managing internal audit. Developing or enhancing internal audit requires policies, procedures and other controls. For any of Webster’s 20 questions, you can find essential controls and guidance in Finance & Accounting PolicyPro®, authored by Jeffrey D. Sherman and Apolone Gentles and co-published by First Reference and CPA Canada.

Take a look at some of the internal audit questions below. I’ve noted where you can find relevant compliance information and policies in Finance & Accounting PolicyPro.

If you are currently not using FAPP, you can download a free trial here to view the policies and procedures being referenced. If you’re interested in learning how the other questions relate to policies in FAPP, please let us know in the comments!

What is the Board’s role and responsibility with Internal Audit?

When it comes to internal audit, directors should have a clear understanding of the function’s expectations, all while facilitating the internal audit team’s need to remain independent and objective. Typical responsibilities of the Board include approving and reviewing the audit plan, provide direction to the internal audit manager, and routinely reviewing audit results.

These items are defined under the Responsibilities section of Policy GV 1.08 – Relationships with Internal Auditors.

What type of relationships should Internal Audit develop with its stakeholders?

The internal audit function is required to balance the needs of several different stakeholders, including the Board of Directors (or Audit Committee), senior management and the external auditors. It’s critical that these relationships are clearly defined and established in a manner which allows the internal audit team to work objectively and independently.

The scope and purpose of Policy GV 1.08 – Relationships with Internal Auditors establishes the reporting relationships for internal auditors of the company.

How does Internal Audit anticipate and adapt to emerging or changing risks?

Internal auditors should maintain a regular dialogue with management and other stakeholders about the latest external and internal events that could affect the business. Doing so will create a comprehensive and better overall understanding of which risks are a priority for review.

The procedures listed in Policy GV 5.01 – Risk Assessment define which stakeholders should be engaged by the internal audit team.

How should management be held accountable to address/resolve audit findings?

It is senior management’s responsibility to employ sound risk management tactics based on the recommendations of the internal audit team. The risk management program should be reviewed and updated by senior management when required, as well as on a regular basis.

Policy GV 5.02 – Risk Management details the expectations of directors and the best practices and procedures senior management should implement in their action plans.

What content should Internal Audit communicate in quarterly reports to the Board?

Internal audit should present content to directors in a clear and high-level format, similar to an executive summary. Typically, these reports include information on observations and findings, performance metrics, risk assessment, management requests and quality assurance. Results should be reviewed by the Board, followed by their recommendations, with senior management implementing these recommendations in their action plans.

These procedures are outlined in the Internal Audit Results section of Policy GV 1.08 – Relationships with Internal Auditors.

For the complete list of CPA Canada’s 20 Questions Directors Should Ask About Internal Auditclick here.

Finance-Accounting-Policy-Pro-print-software-manual-180pxFind out more about Finance & Accounting PolicyPro and take a trial here.

Fred Stewart, Copywriter and researcher

Copywriter and researcher at First Reference Inc.
Fred Stewart, BBA, is a copywriter and researcher at First Reference. He is a contributor to Inside Internal Controls and First Reference Talks. One of the topics Fred covers is the Not-For-Profit sector, a sector he has previously worked in. Some of the other areas he writes on include internal controls, employment law and accessibility. Read more here

, , , , ,

Comments are currently closed.