The role and significance of an internal audit, unlike a statutory audit, has not received the attention that it deserved in the debates and reforms that followed cases of corporate collapses in India and other countries. The cases of corporate collapse like Satyam in 2008 or cases of material failure or errors as admitted in financial reporting in the recent case of GoMechanic could have been averted or at least forewarned if a strong internal audit mechanism was in place.
Conceptually internal audit has evolved from being merely a watch-ward function for the effectiveness of financial controls and compliance mechanisms to become much wider. It now embraces within its scope strategies, operations and policies in order to respond to risks that an organisation is exposed to in a highly complex business environment. It is now increasingly considered a highly value-added service for the board of directors, statutory auditors and management at all levels.
Historically, the Companies Act merely required companies to have internal audits commensurate with the nature and size of the organisation. The Companies Act 2013, and the Listing Obligations and Disclosure Requirement (LODR) of the Securities and Exchange Board of India (SEBI) now also require the audit committee to review the adequacy of the internal audit function including the structure of the internal audit department, reporting structure, and its coverage and frequency.
Need To Evolve
Has internal audit changed in practice over the years? The answer – as experience and surveys available suggest – is no. At the best, it is evolving. It still does not have cutting age independence from the management for being effective. In many companies, the role of the internal auditor is confined to reviewing internal control in accounting and finance functions. It is considered by the auditee as a stereotype and devoid of having a broad picture. Top management hardly interacts with internal auditors or discusses their role in achieving organisational goals and objectives. On their part, internal auditors in general have not realised their full potential as they have not become multi-disciplinary professionals who can adopt an enterprise-wide risk-based approach.
The audit of financial records and reporting on adequacy and effectiveness of financial controls remains core to internal audit in most companies. Its role has not evolved to its potential in strategic and emerging high-risk areas like data privacy and security, cyber security and technology disruptions. There are wide variations in the concept and practice of internal audit across different companies and in the approach, tool and techniques adopted by internal audit professionals.
Image Makeover
Internal auditors can truly act as a friend, guide, and philosopher in addition to being a watch-ward and an investigator for frauds. For boards and directors, internal audit can be the first line of defence that they can rely on and use as a shield to prevent and detect fraud.
This would also change their image of being a fault-finder or a poor cousin of statutory auditors. They should engage and communicate well with the auditee at various levels on value addition that can be made in improving economy and efficiency. In order to ensure that they are not reviewing the same areas or subject matter, the internal auditor should discuss the scope of their respective audit with the statutory auditor.
For embracing a larger role, internal auditors need to leverage technology to conduct field work or to create audit plans and audit schedules. Innovative tools including data analytics, visualisation and artificial intelligence (AI) should be adopted for making continuous auditing easier and to provide a broader perspective on risks and challenges.
Redefining The Role
Further, the Companies Act, 2013 and the LODR of SEBI need to provide for expanding the scope of the internal audit rather than leaving it for management and/or audit committees to determine. The audit committee should also be made responsible for monitoring the independence and effectiveness of the internal audit function and reporting on that in the annual report of the company. This would position the internal audit function in a position that effectively serves the interest of internal and external stakeholders. In order to deliver quality in internal audits, internal auditors need to be remunerated at par with those in the frontline operations of the company.
Internal auditors, on their part, need to make significant investments in acquiring domain expertise to understand end-to-end business processes and complexities associated with the relevant industry. They also need to adopt and adapt to changing professional standards and newer methodologies, tools and techniques for internal audit.
Ashok Haldia is the past secretary of the Institute of Chartered Accountants of India. Views are personal and do not represent the stand of this publication.
