The Board’s Utilization of Internal Audit
Too often, boards confine the function of internal audit solely to financial reporting. In this world of fast-paced change, this perspective severely limits the opportunity for effective risk mitigation. Internal audit can position the board to assess risk more effectively. While boards typically rely on management for risk information, internal audit plays an essential but too often underutilized role in the information flow between senior management and the board.
Limiting the function of internal audit to financial risk reporting leaves the board vulnerable to missing threats from other risks such as data privacy and cyber security. Internal audit brings value in its ability to provide assurance as to the accuracy, completeness, or transparency of all information sent by management to the board. Yet, boards rarely utilize internal audit for assurance of the information they are given. In a recent study, nearly 60% of chief audit executives indicated that internal audit “rarely or never provides assurance on the quality of information given to the board nor does internal audit have formal discussions about the information with the board and management.” Nearly one-third reported providing assurance to boards “only for unusual situations.”
Analysts and those who critique governance are beginning to take note. Certainly, the seeming rise in governance failures that have made headlines recently begs the question: did the board not have the right information to know what was going on? If they had had the right information, could the risk have been mitigated? Because the board’s risk oversight role requires directors’ close attention to the accuracy of all information provided to them, boards must commit to utilizing internal audit to provide assurance consistently for all information, and to asking these pertinent questions to make certain the information provided to them is reliable.
- Is the financial information accurate?
- Are business and strategy plans realistic?
- Who is managing third-party risk and is it being updated regularly?
- Are management and the board aligned on addressing fraud opportunity risks?
- Does the company culture breed integrity?
- Who is responsible for protecting the company’s crown jewels and what are the threats?