Role of internal auditor assignment

Internal audit’s role in modern corporate governance Thought leadership series Risk and Advisory Services Internal audit’s role in modern corporate governance Recent events have highlighted the critical role of boards of directors in promoting good corporate governance. In particular, boards are being charged with ultimate responsibility for the effectiveness of their organisations’ internal control systems. An effective internal audit function plays a key role in assisting the board to discharge its governance responsibilities.

Yet how does the board – and its audit committee – satisfy itself that internal audit is functioning effectively and efficiently? The board’s responsibility for internal controls Through working with a broad range of organisations in Hong Kong and internationally, KPMG has identified a number of best practices in relation to the role played by the board audit and/or risk management committees. s Recent events have highlighted the critical role of boards of directors in s s s s s s s

Assessing the scope and effectiveness of the systems established by management to identify, assess, manage and monitor the various risks arising from the organisation’s activities. Ensuring senior management establishes and maintains adequate and effective internal controls. Satisfying itself that appropriate controls are in place for monitoring compliance with laws, regulations, supervisory requirements and relevant internal policies. Monitoring and reviewing the effectiveness of the internal audit function.

Reviewing and assessing the internal audit plan and its progress. Ensuring that the internal audit function is adequately resourced and enjoys appropriate standing within the organisation. Considering management’s response to major internal audit recommendations and progress in their implementation. Approving the appointment or dismissal of the head of internal audit. promoting good corporate governance. I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e page 1

Internal audit assists the board discharge its corporate governance responsibilities Corporate governance developments both locally and around the world have reaffirmed the board’s responsibility for ensuring the effectiveness of their organisation’s internal control framework. These developments have highlighted the key role that internal audit can play in supporting the board in ensuring adequate oversight of internal controls and in doing so form an integral part of an organisation’s corporate governance framework.

The structure and reporting lines adopted for the internal audit function should promote independence, objectivity, consistency and business understanding. The key role of internal audit is to assist the board and/or its audit committee in discharging its governance responsibilities by delivering: s An objective evaluation of the existing risk and internal control framework. s Systematic analysis of business processes and associated controls. s Reviews of the existence and value of assets. s A source of information on major frauds and irregularities. Ad hoc reviews of other areas of concern, including unacceptable levels of risk. s Reviews of the compliance framework and specific compliance issues. s Reviews of operational and financial performance. s Recommendations for more effective and efficient use of resources. s Assessments of the accomplishment of corporate goals and objectives. s Feedback on adherence to the organisation’s values and code of conduct/code of ethics. However in attempting to adequately discharge their responsibilities, internal auditors often find themselves in an anomalous position.

They report to senior management within the organisation, yet are expected to objectively review management’s conduct and effectiveness. The only satisfactory solution to this problem is for internal audit to report primarily and directly to the board and its audit committee rather than to senior management. The remainder of this discussion paper considers why this is a desirable step if the board is to strengthen its supervision of internal control systems, and suggests how it might be achieved. page 2 I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e

Governing internal audit Amidst all the debate over corporate governance and the board’s supervision of internal control mechanisms, surprisingly little attention has been given to the role of internal audit, and particularly to whom it is ultimately responsible. While several high level reviews by regulators and others have acknowledged that the internal audit function and the oversight of internal controls has become an important responsibility of boards, the implications of this for internal audit have not always been followed through.

Thus in the US, the Sarbanes-Oxley Act of 2002 makes no mention of internal audit, or of any equivalent role other than the board’s role generally in the preparation of the accounts and the setting of accounting standards. Critical success factors for an internal audit function Is internal audit strategically positioned to contribute to business performance? – The mission and role of internal audit are defined within a wider governance framework and are effectively communicated. – The structure of internal audit promotes objectivity, consistency and business understanding. Internal audit is funded in a way that promotes objectivity and consistency in the quality of services it provides across the organisation. – Internal audit contributes value to the business as defined by appropriate success criteria. Are internal audit’s processes enabling and dynamic in meeting business needs? – Internal audit has a strong risk identification and planning methodology and delivers a high quality service. – Technology is used appropriately to enhance the provision of internal audit services. – An appropriate framework is in place to measure internal audit’s performance. Internal audit develops and manages appropriate relationships with its key stakeholders. Does internal audit have the right people strategy to deliver its mission/objectives? – Internal audit’s core competencies are directly related to its mission, role and scope of work. – Internal audit’s staffing strategy reflects its mission, role and required competencies. – The strategy is sufficiently flexible to respond to changes in demand. I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e page 3

In the UK, a recent report by Sir Robert Smith on the Combined Code Guidance for Audit Committees (the Smith Report) states that “…management is responsible for the identification, assessment, management and monitoring of risk, for developing, operating and monitoring the system of internal control, and for providing assurance to the board that it has done so – except where the board is expressly responsible for reviewing the effectiveness of the internal control and risk management systems. ” 1 In Australia, the ASX Principles of Good Corporate Governance has a bet each way.

It recommends that internal audit “…should report to management and should have all necessary access to management and the right to seek information and explanations. ” However, the ASX Principles then go on to suggest that “…companies should consider a second reporting line from the internal audit function to the board or relevant committee. ” Under the ASX Principles it is also recommended that the audit committee have access to internal audit without the presence of management, and that “ the audit committee should recommend to the board the appointment and dismissal of a chief internal audit executive. 2 If we look to the financial services industry, we also find that the Basel Committee makes no distinction in its guidelines as to the natural reporting line for the internal audit function except to note that “…the principle of independence entails that the internal audit department operates under the direct control of either the organisation’s CEO or the board of directors or its audit committee”. 3 Before deciding the reporting lines for internal audit, it is critical to consider the fundamental distinction between the respective roles of the board (oversight) and management (decision making and the execution of those decisions).

Key activities which fall within the definition of effective oversight include listening, asking questions, assessing and challenging answers. In many respects this is exactly what an effective internal audit function does. 1 Smith, Sir Robert; “ Audit Committees Combined Code Guidance”, January 2003. 2 ASX Corporate Governance Council; “ Principles of Good Corporate Governance and Best Practice Recommendations”, March 2003. 3 Basel Committee on Banking Supervision; “ Internal Audit in Banks and the Supervisor’s Relationship with Auditors”, August 2001. age 4 I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e The structure and reporting lines adopted for the internal audit function should promote independence, objectivity, consistency and business understanding. This can be achieved by combining the concept of a clear reporting line to the board/audit committee with an organisational structure that allows internal audit to operate independently of other functions within the organisation. Effective reporting lines for internal audit

KPMG believes that the internal audit function should report functionally to the chairman of the audit committee, recognising that on a day-to-day basis it should report administratively to the CEO of the organisation. The Institute of Internal Auditors also suggests that regardless of the reporting relationship the organisation chooses, there are key measures that will ensure that the reporting lines support and enable the effectiveness and independence of the internal audit function. These key measures are summarised below: s The head of internal audit should meet privately with the board/audit committee without the presence of management. This will reinforce the independence and direct nature of the reporting relationship. s The board/audit committee should have the final authority to review and approve the annual audit plan and all major changes to the plan. s The board/audit committee should review the performance of the head of internal audit and the overall internal audit function at least once a year, as well as approve the compensation levels for the head of internal audit. The charter for the internal audit function should clearly articulate both the functional and administrative reporting lines for the function as well as its principal activities. s The reporting line should be to someone with sufficient authority to provide internal audit with sufficient support to accomplish its day-to-day activities. s The reporting line should facilitate open and direct communications with the CEO, the senior executive group and line management. The reporting line should enable adequate communications and information flows so that internal audit receives adequate and timely information concerning the activities, plans and business initiatives of the organisation. s Budgetary controls and considerations imposed by the administrative reporting line should not impede internal audit in accomplishing its brief. 4 The Institute of Internal Auditors, “ Practice Advisory 1110-2: Chief Audit Executive Reporting Lines”, December 2002. Independence guidelines for internal audit

When considering the reporting lines for internal audit it is prudent to keep the following independence guidelines in mind: – The internal audit function must be independent of the activities being audited and must also be independent from everyday internal processes. – The internal audit department must be able to exercise its assignment on its own initiative in all departments, establishments and functions of the organisation. – Internal audit must be free to report its findings and appraisals and to disclose them internally. The head of the internal audit department should have clear authority to communicate directly and on his or her own initiative to the board, the chairman of the board, or the chairman and members of the audit committee. I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e page 5 Benefits and challenges of internal audit reporting directly to the board audit committee Benefits Ability to transcend all departments without fear of limitation of scope by being tied to, for example, the finance department. Challenges

Internal audit may not be privy to all sources of information throughout the company if seen as “ outside” the management structure. The board and audit committee know that the information they are receiving on the internal controls and risk management systems reflects a true description and has not been “ watered-down” or filtered by management beforehand. The chairman of the audit committee may not have allocated sufficient time, or have adequate resources/capacity to deal with the oversight of the internal audit function. It would be necessary to set up a The independence of the internal audit function is absolute. pecific charter outlining the roles and responsibilities of the board in relation to internal audit, as separate from The funding of the internal audit function is outside the normal process of budgeting thereby allowing resources to be allocated by the assurance needs of the organisation as assessed by the board/audit committee. The audit committee would be assuming Enables the board/audit committee to directly and critically analyse and evaluate the internal audit function in its contribution to the fulfilment of the board’s responsibility for internal controls.

Potentially restricts the ability of the CEO Reinforces the board/audit committee’s knowledge of the business and its risk profile when dealing with management and stakeholders. to use internal audit as a tool to reinforce control principles, or in special projects. more responsibility and therefore, perhaps, more liability in relation to the adequacy of the internal control and risk systems of the organisation. management. For example, who would look after the HR administration, including personnel evaluations, compensation and career planning for the head of internal audit? age 6 I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e Bibliography ASX Corporate Governance Council, KPMG Flash Report 03FR-006: “ Principles of Good Corporate Governance and Best Practice Recommendations”, April 2003. KPMG’s Audit Committee Institute, “ Basic Principles for Audit Committees: A Framework for Best Practices”, 2002. KPMG’s “ Audit Committee Toolkit”, December 2002. KPMG “ Critical Success Factors for an Internal Audit Function”. KPMG LLP, “ Sarbanes-Oxley: A Closer Look”, 2002. KPMG “ Toolkit for the Company Director”, www. pmg. com. au. Basel Committee on Banking Supervision, “ Internal Audit in Banks and the Supervisor’s Relationship with Auditors”, August 2001. Basel Committee on Banking Supervision, “ Internal Audit in Banks and the Supervisor’s Relationship with Auditors”: A Survey, August 2002. Kohler, Alan, “ Directors Face D-Day as Old Rules Go By the Board”, February 2003. Ramsay, Ian, “ Independence of Australian Company Auditors: A Review of Current Australian Requirements and Proposals for Reform”, October 2002. Smith, Sir Robert, “ Audit Committees Combined Code Guidance”, January 2003.

The Institute of Chartered Accountants in England and Wales, “ Internal Control: Guidelines for Directors on the Combined Code”, September 1999. The Institute of Internal Auditors, “ Practice Advisory 1110-2: Chief Audit Executive Reporting Lines”, December 2002. The Institute of Internal Auditors, “ Practice Advisory 2110-2: Assessing the Adequacy of Risk Management Processes”, March 2001. The Institute of Internal Auditors, “ Practice Advisory 2060-2: Relationship with the Audit Committee”, December 2002. I n t e r n a l a u d i t ‘ s r o l e i n m o d e r n c o r p o r a t e g ove r n a n c e page 7

Contact information If you would like further information about our services or to discuss your Corporate Governance needs, please contact the following individuals at our KPMG Hong Kong and China offices. Hong Kong office: Carlson Tong Partner in charge Audit and Risk Advisory Services Tel: (852) 2826 7235 Fax: (852) 2845 2588 Email: carlson.[email protected]com. hk China offices: David Ko Partner Risk Advisory Services, Beijing Tel: 86(10) 8518 9234 Fax: 86(10) 8518 5111 Email: david.[email protected]com. cn Stephen Lee Partner in charge Risk Advisory Services Tel: (852) 2826 7267 Fax: (852) 2845 2588 Email: stephen.[email protected]com. hk Alvin Wai Partner Risk Advisory Services, Shanghai Tel: 86(21) 6288 1922 Fax: 86(21) 6288 1889 Email: alvin.[email protected]com. cn Michael Lai Director Risk Advisory Services Tel: (852) 2978 8943 Fax: (852) 2845 2588 Email: michael.[email protected]com. hk Harry Yu Partner Risk Advisory Services, Guangzhou Tel: 86(20) 8732 4393 Fax: 86(20) 8732 2883 Email: harry.[email protected]com. cn The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.

Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. 8th Floor, Prince’s Building, 10 Chater Road Central, Hong Kong Tel : +852 2522 6022 Fax : +852 2845 2588 www. kpmg. com. hk ©2003 KPMG, the Hong Kong member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Hong Kong.