Releasing the Value in Internal Audit
June 26, 2019
This article was provided by Steve Stanbury, chair of CHEIA, the Council of Higher Education Internal Auditors. This organisation was formed in September 1992 and has become the voice of internal audit in the Higher Education sector in the UK. CHEIA was established to provide a network for our members – the individuals who deliver internal audit services to universities, whether they are staff within in-house teams, consortia or external firms, as well as institutional staff who liaise with internal auditors - for the promulgation of best practice and for professional development. For 2015/16, members included 28 in-house internal audit services in England, Wales, Scotland and Ireland; 13 consortia and external providers and related bodies such as the four government funding councils, Research Councils UK and the Student Loans Company.
CHEIA aims to enhance the effectiveness of internal audit in the Higher Education sector by promoting good practice for internal audit providers to meet the needs of Higher Education Institutions and the sector's stakeholders and by promoting and developing the role and status of internal audit in Higher Education.
I wanted to share some thoughts, in no particular order, on what I think needs to be in place to release the value of internal audit within an organisation. I have been the Director of Internal Audit at City, University of London for 8 years, prior to that I spent 8 years at Deloitte where I trained and qualified and I am also an independent member of an Audit Committee of another London University. I have seen and experienced all methods of delivering an internal audit service, however the constant is that internal auditors should continuously add value to their organizations by providing assurance and recommendations on the effectiveness of risk management, controls and governance processes. This is the core role and function, but how much of this contribution is recognized as really being a value-add, and not just a required organizational functional process? How often does the corporate ‘Chief’ -suite and board or equivalent really notice and appreciate internal audit’s contribution?
By doing our job well, quite simply we can add value and we as a profession need to be confident in our ability to do this. I work within an organisation where internal audit is valued from the University Council (governing body) through to the management team, or so I am told!
Independence
Firstly, I want to stress the importance of independence as supported by professional audit standards set by the Chartered Institute of Internal Auditors (CIIA). This is both organisational independence and the individual objectivity of internal auditors. Within the organisation, I strongly believe that the Director of Internal Audit/Head of Internal Audit should report directly to the Chair of the Audit Committee but I acknowledge that there needs to be a dotted line to either a University Secretary/ Registrar/Chief Operating Officer type role. However, the hiring and firing of the Internal Auditor should be done by Council via the Audit Committee – i.e. not by the President or designate. Operationally, I report to the College Secretary's Office who is appointed by Council and has dual reporting to the Council and President.
As mentioned earlier, we as internal auditors provide assurance to the board (or equivalent) and management, so it’s vital that this assurance is focused on the areas of most risk. A robust risk based approach to planning and undertaking our internal audit work provides a sound basis for the Head of Internal Audit’s annual statement. This statement helps the Audit and Risk Committee to form its opinion on the effectiveness of the Higher Education Institution’s (HEI’s) risk management, control and governance arrangements.
Seat at the top table
At City I have free and open access to the President, our meetings are frequent and engaging and the President values the role internal audit can play in supporting City’s implementation of its strategic plan. Professor Sir Paul Curran tells me that “the independent and professional risk assurance provided by our Internal Audit, is an important component of the assurance framework for a complex and rapidly changing organisation”. Internal Audit needs to be visible within their organisation, the function should be visible to the top team and have access to them, to share and enable the exchange of advice and risk, such as data security and United Kingdom Visa and Immigration (UKVI) compliance. This engagement should take place on a one to one basis also, to facilitate the development of trusted relationships between internal audit and the executive team.
Audit Committee Support
Likewise, the Audit Committee is a key partner in the effective delivery of internal audit. This support should be defined in the internal audit charter, setting out the scope, purpose and authority of internal audit. The charter should be reviewed by the Chief Audit Executive on a regular basis and re-presented to the Audit Committee for their endorsement. As with the relationship with the executive team, it’s vital that the Audit Committee is assured by the work of internal audit. As an independent audit committee member myself for another university, I have seen first-hand the importance of the audit committee feeling that internal audit is focusing in the right areas and is really getting to the heart of the issues.
Engagement
As internal audit teams operate within a set resource level, but are expected to provide risk based audit coverage across the whole organisation, it’s absolutely vital that we make use of those around us. For example I have regular meetings with the President, Deputy President, Provosts and the Chief Finance Officer (CFO); I also meet with the Chair of the Audit Committee around eight times a year, as well as having regular phone calls. During the year, I also meet with the other members of the audit committee on a one to one basis at least twice a year. These meetings enable the role and approach of internal audit to be explained, upcoming reports to be discussed and to ascertain specific risk concerns the audit committee member may have.
Internal auditors should continuously add value to their organizations by providing assurance and recommendations.
Peer Reviews
A key component of development and improvement is the ability to reflect upon current performance and to take advice and guidance from your peers. Without internal auditors embracing this concept and being supported via their Audit Committees, internal audit functions will miss the opportunity to improve performance and therefore value. Within the HE sector, we have a sector interest group for internal auditors, the Council of Higher Education Internal Auditors (CHEIA) which facilitates an annual peer review exercise. CHEIA have developed a quality assurance tool, called the ‘Spider’ which is mapped to the IIA standards and Public Sector Internal Audit Standards, the tool is used as a self-assessment exercise, peer reviewed assessment or an evidence based self-assessment. Audit Committees should encourage their internal auditors to participate in either the CHEIA quality assessment or to engage with either external firms or consultants.
CHEIA Network
It’s vital to be part of a network of peers within the sector you operate in. Within the Higher Education sector, CHEIA has been in existence for almost 25 years and is invaluable in allowing Heads of Internal Audit and internal auditors to discuss and share work programmes, terms of reference and any issues that have a cross sector impact. In my experience, truly independent auditors can of course become quite lonely so my belief is that Internal Audit can be enhanced by active engagement within the HE internal audit community of whichever sector you work in. If you don’t have a sector network, I strongly urge you to create one.
In summary, there is much value in internal audit, if delivered and supported appropriately. Our role is delivering ‘an independent, objective assurance and consulting activity,’ as defined by the CIIA standards. By releasing the value in the ways described above, I believe that it can only enhance the systematic and disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes; as always I’m happy to discuss!!
About the Author
Steve Stanbury
Steve Stanbury joined City, University of London in March 2008 as the Director of Internal Audit, having previously worked as a Senior Audit Manager within one of Big 4 international audit and advisory companies with focus on the public sector...
Read Full Author Bio
Steve Stanbury
Steve Stanbury joined City, University of London in March 2008 as the Director of Internal Audit, having previously worked as a Senior Audit Manager within one of Big 4 international audit and advisory companies with focus on the public sector. Steve has over 16 years of experience in internal audit, risk management and
corporate governance. In his previous role, Steve was involved in managing outsourced internal audit functions within the higher education sector, housing sector and within central government. Steve’s is also an audit committee member for Goldsmiths, University of London and the Chartered Institute of Internal Auditors (UK and Ireland). He has a BA in Politics and Management from Hull University and an MA in Criminology and Criminal Justice from City, University of London and is a Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE) and holds a Certificate in Risk Management Assurance (CRMA).
Articles
Releasing the Value in Internal Audit