The Accountant-May-June 2017
Financial reporting and assurance
The model distinguishes among three groups (or lines) involved in effective risk management:
• Functions that own and manage risk by implementing corrective actions to address process and control deficiencies (operation management)
• Functions that oversee risks and assist management in developing processes and controls to manage risks (risk management and compliance functions)
• Functions that provide independent assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives (internal audit function)
The position paper goes on to state that the “three lines of defense” model is best implemented with the active support and guidance of the organization’s governing body and senior management. Separately, the IPPF recommends a dual reporting relationship for the head of the internal audit function: to senior management and the Board. In light of these authoritative views, are what we call internal audit failures in fact failures of management and the Board? Practice today is that the head of internal audit functionally reports to the Board’s audit committee. The IPPF describes functional reporting by way of examples to include:
• Approving the internal audit charter;
• Approving the risk-based internal audit plan;
• Approving the internal audit budget and resource plan;
• Receiving communications from the head of internal audit on the internal audit activity’s performance relative to its plan and other matters;
• Approving decisions regarding the appointment and removal of the head of internal audit;
• Approving the remuneration of the head of internal audit; and
• Making appropriate inquiries of management and the head of internal audit to determine whether there are inappropriate scope or resource limitations.
Given that the Board’s audit committee is the functional supervisor of the internal audit function, should stakeholders start asking: where was the Board’s audit committee? Brown Governance Institute (BGI), a respected thought leader in corporate governance, issued a publication in 2011 titled ‘Boardroom Behaviour and Governance’. The publication explored the symptoms of good and bad boardroom behavior and recommended great tools and resources that can help Boards improve boardroom behavior and, from these, strategies that can immensely assist Board audit committees in effectively supervising internal audit functions.
The foregoing narratives do not seek to entirely absolve internal audit functions from internal control failures. The IPPF, through its attribute standards, requires internal audit engagements to be performed with proficiency and due professional care, and that internal auditors’ independence and objectivity must not be impaired in fact or appearance. In addition, the head of internal audit is required to develop and maintain a quality assurance and improvement program (QAIP) that covers all aspects of the internal audit activity. Specifically, external assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. When non-conformance with the Definition of Internal Auditing, the Code of Ethics, or the IPPF impacts the overall scope or operation of the internal audit activity, the head of internal audit must disclose the non-conformance and the impact to senior management and the board.
In conclusion, it should not be lost on stakeholders and other interest groups that the organization’s management has the primary responsibility for managing risks. This means that operational and executive management is responsible for identifying, analyzing, evaluating, treating, monitoring and reviewing risks. The second and third lines of defense provide support to operational and executive management but must not accept responsibility for any of the risk management steps. The Board’s audit committee or its equivalent is mandated to effectively supervise the internal audit function and is strategically placed to counsel executive management on risk management priorities and strategies. Board audit committees or their equivalent should consider assessing themselves against BGI’s ‘Boardroom Behavior and Governance’ standards. Finally, effective internal audit functions are those that fully comply with the IPPF.
References:
2013 International Professional Practices Framework (Institute of Internal Auditors website)
Debra L. Brown and David A. H. Brown, Boardroom Behaviours and Governance (2011)
2016 Report to the Nations on Occupational Fraud and Abuse (Association of Certified Fraud Examiners website)
IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control (2013)