
What to do about Internal Audit

Louw van der Merwe

Most organisations are currently looking at their internal resources and cost-effectiveness in these turbulent times. Presumably, one of their conundrums will be whether or not to retain the internal audit function.

In our view, it should come down to two questions only:
   
  • Has my internal audit function been adding more value than its cost over the last two years?
  • Am I involving them now in my effectiveness and efficiency decisions with regard to other departments or functions?

If your answer is “no” to both of the above, the resultant action is easy. Why would you keep a function that is not adding more value than its cost, and is not envisioned to help you in your operational and strategic decision-making?
 
If you are in the private sector and it is because of King, or the JSE, or the Companies Act, rest assured; none of them enforces the appointment and use of a separate function. The closest is probably the King report, and its “apply and explain” concept enables justification.

If we look at a risk management function in an organisation, the same questions as above could be asked, using the same reasoning.
 
So, which companies will use their risk management and internal audit functions in these times, and rely on them as their trusted advisors? Quite obviously it is those organisations that have experienced value beyond the costs.
 
In our experience, these organisations have in common the fact that they have a risk assurance function, and not “just” an internal audit or compliance function. This means that their risk management and internal audit functions are inextricably linked, with risk assurance performing a performance improvement and streamlining function, as well as a compliance function. Risk assurance functions like these are needed now, more than ever.
 
Companies are critically looking at themselves. Practically, this means two things:
  
  • They may be downsizing, both in personnel and functions.
  • They may be relooking at the amount of risk they are willing to take to make a profit. In other words, they are lifting their risk appetite.

Risk assurance should be vital in making both of the above decisions. It is fundamental that the decision-making process does not involve knee-jerk reactions, but rather keeps in mind the long-term sustainability of the business, as well as the low likelihood of near-extinction-level events occurring in the future. The risk register, as well as its commensurate mitigating measures, should be an integral part of these decisions.

To illustrate, key questions should include:
   
  • If we increase tolerance of this risk from 9 to 11, which actions are not necessary anymore?
  • Who is responsible for those actions?
  • Do those actions affect the management of any other key risks remaining?
  • Can we, therefore, stop performing them?

Organisations may also want to establish two distinct phases. What do we need to do now, to survive in the short term? And then how do we anticipate operating in the longer term, in the new normal? Again, these decisions have to be taken in a systematic manner, utilising the risk register and risk assurance functions. Otherwise, why have them?