Olga, thank you so much for accepting the invitation to ESG 12on12!
You have more than ten years of experience in internal audit. You are a holder of a certificate for internal auditors as well as the validator’s certificate, issued by The Institute of Internal Auditors (The IIA), which entitles you to perform the assessment of audit quality in an organization. So let us start from the basics, with an explanation of what exactly internal audit is and what its tasks are.
According to The IIA’s Definition of internal audit “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Just as the role of the statutory auditor (biegły rewident) is to issue an opinion on the financial statements, the role of an internal auditor (IA) is to issue an opinion on the process that is being audited (e.g. purchases, IT, ethics maturity, vindication / debt collection). The role of an internal auditor is also to issue a general opinion for the Board / Audit Committee on the management systems in the organization.
If we want to actually talk about internal audit, its operation must be based on the Code of Ethics and The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards). The certificates confirming knowledge of the Standards are CIA® (Certified Internal Auditor®) and CGAP® (Certified Government Auditing Professional®). The chief audit executive (CAE) should hold such a certificate, and it would be best if most of the audit team held such a certificate. There are already over 200 thousand auditors in the world. In Poland The IIA is represented by the Institute of Internal Auditors IIA Poland. The Polish Institute associates both certified auditors as well as sympathizers of the profession.
What does a day of an internal auditor look like? Is it more like investigating current problems in companies, or a planned walk through key topics? Is it a one-person job, or is a whole team needed?
From an administrative point of view, an auditor’s day of work is not much different from that of any other employee in an organization. The same laws and rights apply to us and to other employees, but we have different tasks and a different way of reporting the results.
The auditor’s work is based on an orderly and methodical approach. These are not investigative actions. The most interesting element of IA work is diversity, because each audit engagement refers to a different process. That said, an IA in one month or quarter may audit the distribution, production or financial area, and in the next, let’s say, marketing.
It is advisable that an internal audit function has a set working strategy, under which the annual audit plan is implemented. The audit plan is prepared based on an annual risk analysis. Areas selected in this process are agreed with the Management and the Board and then should be communicated to the organization.
Three basic phases of an internal audit are:
- initial review with risk analysis for the specific task,
- realization of the task and
- reporting of the results.
The report includes an audit opinion. Then, if recommendations were issued, the internal auditor also verifies the implementation of those recommendations. The COVID-19 pandemic showed that we have to react to new risks, and that a change of plan or a task outside the plan is always possible. During the pandemic the demand for consulting assignments rose. Auditors should be agile in answering the organization’s demands, although it is not the first thing that comes to mind while thinking about audit.
Moving to an individual audit engagement, the auditor first assesses the adequacy of governance, the way of risk management and internal control. In the second step, their effectiveness, efficiency and compliance.
So as we can see, an IA is not a detective hired by the Management but a person who applies a structured approach to the audit of management systems. Based on its work, the internal audit issues an annual opinion on the operation of management systems and communicates it to the Board / Audit Committee.
A single-person internal audit function is a big challenge. First of all, none of us is a specialist in every field. Second, it significantly limits the advisory activities (lack of time, the risk of limiting objectivity). Thirdly, a single-person internal audit function may have an effect on efficiency and extend the audit cycle, i.e. the time that is needed to audit all processes in an organization. Fourthly, it endangers the continuity of an audit function in an organization. Fifth, it reduces the regularity and effectiveness of monitoring of the corrective actions implemented by management.
Working as a team gives a synergy effect; it not only increases the diversity of approach to the audited areas but also increases the effectiveness and efficiency of the activities carried out by the audit.
What should the structure of an internal audit department look like? Is the 3 Line Model (of defense) the best practice? How does it work exactly?
The purpose of the three lines is to create and protect value.
The model clearly sets out the expectations of different groups within the organisation.
Accountability – the governing body; typically the board and its sub-committees, i.e. the audit committee, is accountable to stakeholders for oversight.
Actions – management; the first and second line are responsible for managing risks.
Assurance – internal audit – the third line; an independent function reporting directly to the highest point of authority in the organization, the board / audit committee – providing assurance and advisory services, insight, and continuous improvement, but at the same time supporting management in their role.
The updated version of the 3 Line Model was published at the beginning of 2020. The update was preceded by a series of meetings; I had the privilege and pleasure to represent Poland during one of the stages of the work. The consultations took place on all continents and comments were sent by a lot of international organizations. We believe that the new model is better suited to answer the challenges of the 21st century. The model has been widely applied around the world for over 20 years, and what is interesting, many organizations don’t even know they use it, as over the years it has found a permanent place in management theory.
The main goal of the implemented updates was to make the model more progressive, to support coordination and communication and to eliminate silos in organizations. I hope we’ve managed to achieve our goal. What is essential, there are three basic values implemented in the Model, the values on which governance should be based: responsible / thought leadership, transparency and honesty.
The IIA’s 3 Lines (of defense) Model is an important part of good practices. The Model is mentioned among others in the Good Practices for Listed Companies as well as in The Polish Financial Supervision Authority (UKNF) recommendation for financial sector.
How important is independence for an internal auditor? Is it even possible if an internal auditor is a full-time employee? Maybe it would be better to outsource an internal auditor?
Independence and objectivity are the basis of the internal auditor’s work. Without independence and with a wrong placement of the audit function, it is difficult to protect auditors from pressures and unethical expectations. But even while keeping independence, such situations may occur. So internal auditors should have their safety assured. Outsourcing of the internal audit function is acceptable and allowed in the Standards. But we have to bear in mind that if an internal auditor does not work full time at the company, the IA may lose access to valuable information from inside the organization, has a limited possibility of building relations and, most of all, a hindered possibility of ongoing support for the organization. It may also have an influence on the independence and objectivity of an internal auditor.
For example, the banking law prohibits outsourcing the internal audit function because it may cause the IA to lose independence and objectivity. An external internal auditor is a bit like the statutory auditor in a setting outside the scope of the Statutory Auditors Act.
Personally, I prefer a smaller audit team but with a budget for employing external experts where the IA needs specialist support, e.g. in the scope of ESG. At least until the IA gains the necessary competences.
What should the relations between an internal auditor, the management, the Board, and especially the Audit Committee look like?
There should be partnership relations, but at the same time everyone should know their scope of responsibilities and actions. The Chief Audit Executive (CAE) should report organizationally to the Board President and functionally to the chairman of the Audit Committee or the Chair of the Board if the Board acts as the Audit Committee. It is important that the CAE has access to the Board / Audit Committee and is able to meet with those bodies without the presence of the Management. The Board / Audit Committee should decide about the employment and termination of employment of the CAE, and about the remuneration system, which may be dependent on the short-term goals of the company. From the internal audit function point of view, except of course presenting audit plans, results and the annual assessment of the management system, the CAE should inform about the results of the quality assurance and improvement program of the internal audit function and, within this program, plan at least once every five years, more often if necessary, the external quality assessment of the internal audit function.
What is the difference between the work of an internal and an external (statutory) auditor, and how does this difference impact the work in the context of an annual financial statement?
From the point of view of the methodology of work, all these functions work very similarly. It is based on risk analysis. We use the same sampling methods, and we must collect reliable evidence to confirm our findings. The main difference is the aim of the work, the role, the area of competences and the way of reporting the results.
In this situation the internal auditor has the widest scope of audit; actually audits the whole organization.
In specific areas the internal audit may use external experts; in such a case the owner of the process chooses a firm / an expert which will audit the process, but the internal audit uses the help of external auditors / experts.
The huge advantage of the internal auditor is that the IA knows the organization and may combine different sources of knowledge, e.g. from committee meetings which the IA attends as an advisor.
The statutory auditor is chosen by and reports to the Board. The results of a statutory auditor provide important information for stakeholders and potential investors. The statutory auditor audits the financial statement and the elements of internal control which, in the auditor’s opinion, have an impact on the statement and on the possibility of continuing the activity. The statutory auditor, during his work, cooperates, or at least should, with the internal audit. Apart from the internal and statutory audit, a so-called expert audit may also additionally be working in an organization. The external audit is hired when a company / an organization feels it is needed or when specific knowledge to assess / optimize a specific area is necessary. But mainly those are advisory services.
The trail of an external auditor’s reporting often ends with Management. The external auditor’s remuneration is approved by the same person who orders the service, e.g. the IT director.
We have already mentioned the many benefits of internal audit. It is also seen by institutional investors, who indicated it as an important element in the corporate governance survey I conducted in September 2020. So what is the reason that listed companies rarely have an internal audit? In the Good Practices for Listed Companies, it is indicated as a rule for the 140 largest companies.
In my opinion, there are several sources of this phenomenon. First, there is a lack of knowledge of what internal audit is and the benefits of having it in the organization. The second is the information confusion introduced by pseudo audit experts, who explain during training that internal audit is the same as control and that the second and third line of assurance are actually the same. This isn’t true. The audit profession has existed since the time of ancient Rome. The Institute of Internal Auditors IIA itself also has a very rich tradition – it has been operating for over 80 years. The contemporary shape of this profession has evolved from financial control.
Currently, we provide assurance for all processes in the organization and we run the audit function based on the IIA Global International Standards, so we should be ensured organizational independence.
Thanks to our special location, we can deliver to the Board overall opinions on systems and functions. While the inspections set up by internal control units in the second line are intended to verify information on irregularities, there are no generally applicable standards in the private sector. The control units are more dedicated to investigative activities and compliance testing. Their actions are often forced by the materialization of a specific risk.
Unfortunately, a common practice is to change the position of the audit manager with a simultaneous change of a C-level member of management, who then recommends a trusted but not necessarily competent person for the position of the auditor. In such a situation it is difficult to provide the organization with value. It must also be admitted that Audit Committees do not always fulfill their role in relation to auditors.
It is worth noting that the International Standards present an option (in smaller organizations) for entrusting the CAE with other tasks (not related to the operational activity or the financial sector in Poland), such as the coordination of risk management or compliance functions. However, to make it possible, the CAE – as placed on the third line – should supervise all the entrusted tasks.
So far we have talked rather about „hard” elements, but internal audit is also about „soft” elements. You specialize in the audit of organizational culture. What does it look like and what is the influence of the organizational culture on the scale of committed crimes or irregularities?
Peter Drucker said, „Culture eats strategy for breakfast.” And it can be seen in the work of the internal auditor. Sometimes we have well-designed controls, but for some reason the goals are not being met. So we should take a look at the culture of the organization. Of course, you do not need to conduct a survey of the entire organization; you can focus on a particular department or a group of people involved in a given process. Or you can run a survey in the whole organization but only on a specific area like risk culture or ethics maturity.
Sometimes irregularities or abuse are the result of putting a lot of pressure on the achievement of the intended result, which in turn is the result of poorly set short-term goals. From here it is only a step to a catastrophe, especially nowadays. Of course, this is just an example. The fact is that the COVID-19 pandemic has put business ethics to a very difficult test.
Nowadays, ESG (environmental, social, governance) issues are gaining in importance. Reporting environmental, social and governance issues often presents businesses with greater challenges than financial ones. It often requires data from outside the company itself. How does it look from the perspective of an internal auditor?
In my opinion, this is still a topic not fully recognized by internal auditors, because reporting itself or ESG areas are still not a priority in many organizations. Obtaining data from contractors in the supply chain is a separate broad topic. Firms do not always include in their contracts an obligation to provide certain information, and there is also a lack of possibility to run audits. Awareness is growing. Internal audit can support this process, providing assurance services, but also, at an earlier level of maturity of the reporting system, advisory services. On the other hand, the internal auditor can never be responsible for the final solutions or assume responsibility for risk management.
Currently in Poland only selected largest entities are required to report non-financial data, and the NFRD, i.e. the EU Directive on non-financial reporting (implemented in Poland through the Accounting Act), is not too demanding. It speaks, inter alia, of a description of the key policies for the five reporting issues. What is, in your opinion, the minimum scope of such policies? Which are „must have” and which are „nice to have”?
In my opinion, risk management policies are crucial. Risk identification helps in determining the highest-priority areas and activities in ESG areas. Climate, human rights and procurement policies are important, taking into account responsible supply chain management and anti-fraud.
Looking at the research devoted to the impact of diversity on organizational effectiveness, I would also add diversity policies to this list.
„Nice to have” is more a matter of the culture of the organization and the branch in which the organization operates. I also recommend describing due diligence issues.
Much in terms of ESG data reporting will change from 2024, i.e. after the introduction of a new European Union directive, the so-called CSRD (Corporate Sustainability Reporting Directive). In addition to the significant increase in the scope of entities to be covered by the new obligation and the implementation of the EU reporting standard, the mandatory verification of information will most likely be introduced. How will this affect the work of internal auditors?
I remember my first conversations with one of the heads of the Audit Committee on non-financial reporting; it was 2017, and he said: „do not confuse auditors with this non-financial reporting issue, they have enough work resulting from the recommendation of the Polish Financial Supervision Authority.”
I must admit that I was a bit shocked. However, I did not give up and for 5 years I have been educating internal auditors in this area, raising awareness of the importance of these issues, whether on my blog or at the #Audittalks over coffee webinars.
The obligation of sustainability reporting and, what is more, the obligatory independent assessment of the reports will change a lot. To this should be added the very positive changes regarding ESG in the Good Practices for Listed Companies 2021. This will increase the information needs of the supervisory board about how the company / group is prepared for reporting, whether there are systems ensuring data reliability and risk management in these areas, and whether we respond in a proper way to the needs of our stakeholders. This topic will be at the center of attention of the Management Boards, because the company’s advantage and competitiveness will depend on it. I am convinced that soon internal auditors will have a lot of work in this area. The scope of the directive is very wide. The reporting obligation will also apply to companies that don’t have internal audit. In such a situation, it is worth cooperating with an external auditor. However, it should be remembered that the entity that advises on ESG issues management and supports the organization in creating the report cannot carry out assurance services later.
You have been supporting climate and diversity issues for years. You are, among other things, an Ambassador of 30% Club Poland, a social campaign aimed at increasing diversity in the management of the largest companies in Poland. How important is the diversity of opinions and experiences in the work of an internal auditor?
Diversity makes a huge difference. By definition, the internal auditor should have a broad view of the examined areas, combine different perspectives, communicate in a constructive manner, sometimes even easing tensions, and often needs to have the courage to question solutions that are inadequate. The more diverse, open and innovative the internal environment we work in is, the easier it is to introduce changes resulting from audit recommendations and the more willingly the responsible persons introduce such changes. In the end, this is what internal audit is all about – delivering value to the organization.