What is internal audit?
Internal audit aims to provide assurance that an organisation’s risk management, governance and internal control processes are operating effectively by undertaking an independent risk-based objective assessment.
Internal audit is undertaken by staff from within the organisation, the internal auditors, who are independent from the operations being assessed. Internal auditors should have unfettered access to information to undertake their work, and to the highest levels of management in the organisation to report their findings and recommendations.
Internal audit is the third line of defence, providing assurance that is as independent as possible from within the organisation. The first line of defence relates to functions that own and manage risks; the second line of defence comprises functions that oversee or specialise in compliance and the management of risk.
Larger organisations are likely to have an in-house team of internal auditors. However, SMEs may often outsource internal audit functions to an independent professional service provider. Of course, this provider would be separate from their external auditors to avoid a conflict of interest.
Internal auditors take a risk-based approach to providing their assurance over the internal controls of an organisation. Using the organisational strategy agreed by the Board, internal auditors evaluate the key control risks faced by the organisation in order to target their assessment on its various functions.
Such internal audit plans continuously take into account economic and market conditions, which could determine the need to focus on particular operations and/or control areas to ensure operational efficiency. Such rolling internal audit plans form part of an agile internal audit strategy.
Shift towards sustainability
No doubt, as social and market conditions move towards driving organisations to pursue ESG-friendly and sustainable business practices, the role of internal auditors is critical. Internal auditors are well placed to guard against greenwashing practices by organisations while recommending control improvements to accelerate ESG-friendly and sustainable business practices. Of course, internal auditors cannot execute recommendations, but they can be vocal advocates of such positive business practices.
While the world is yet to truly develop and agree upon an internationally recognised standard for sustainability reporting, the Global Reporting Initiative (GRI) aims to do just that. GRI is an independent, international organisation that helps businesses and other organisations take responsibility for their impacts.
The drive for greater reporting on sustainability and ESG factors can be influenced by both internal and external stakeholders. Employees can drive change in organisations which has a positive impact overall. For example, worker unions in the 1950s and 1960s such as the International Brotherhood of Electrical Workers in the US invested considerable capital in developing affordable housing projects, whilst the United Mine Workers invested in health facilities. These are early examples of ESG in action.
External influences from customers and, more recently, social media influencers also have a huge role in driving the ESG agenda. For example, the most recent PR disaster suffered by some of the largest UK Premier League football clubs, for their role in wanting to establish a European Super League, is an example of how external stakeholders like club fans drove club owners to do a quick U-turn on their plans.
Role of Internal Auditors
Tone at the top
Internal auditors play a critical role in driving the ESG and sustainability agenda. Internal auditors are well placed to ensure that Board members and senior management of organisations are prioritising ESG factors in all activities. The internal audit plan should specifically incorporate an ESG internal audit review. This is not to say that ESG will be considered as part of all existing internal controls reviews, but to have a specific internal audit plan for assessing and making recommendations on ESG activities and initiatives.
Such an ESG internal audit plan may include the following.