Vanessa Clark (CIAN) and Jonathan Orchard (Sayer Vincent)
2020 has brought the importance of strong systems of risk and control into focus. Assurance has rarely been more in demand as organisations across the globe ask themselves whether their risk management systems, governance and control environment are strong enough to survive a pandemic.
With this backdrop it was jarring to hear of some charities furloughing internal audit in the first wave of COVID. While many looked to their internal audit function to provide assurance on preparedness for working from home or found themselves grateful for last year’s internal audit recommendations on the business continuity plan; others spoke about their need to understand key risk areas of the organisation and identify which processes were most important and then sent home the very individuals who already had that knowledge: internal audit.
And don’t just take our word for it; Rob George, RSPB’s Head of Corporate Governance and Risk says “our Internal Auditor acted as a critical friend for the Covid Programme…It was particularly valuable to have a member of the team with a comprehensive view of the whole organisation without the added pressure of operational responsibility.”
So why did some organisations embrace internal audit and others not? You could say that internal audit has an image problem, in the third sector at least. Bizarrely, despite internal audit being mandatory for public sector organisations and financial services regulators explicitly demanding “robust internal audit functions”, charity regulators haven’t yet made the same demand. In fact, it’s a struggle to find any reference to internal audit at all on the Charity Commission website. If you know where to look though, internal audit does get a brief mention in the Commission’s internal financial controls checklist – and interestingly, in the report from their 2019 Oxfam Inquiry the Commission says “internal audit, meaningful briefing and reporting by the executive and other assurance mechanisms are critical.”
However, in the absence of clear and prominent guidance on internal audit from charity regulators, it feels as though internal audit has a lower profile than it deserves and in turn there is understandably a lack of awareness of the role and value of internal audit amongst charity leaders.
What is the role and value of internal audit?
Internal audit is an assurance process which gives senior leaders confidence that the charity has the processes, controls and assurance mechanisms in place to deliver its objectives and manage key risks. It provides a safety net and takes a risk-based approach to determine the controls the organisation is most reliant on and can provide comfort that these are working as expected or can identify gaps in these vital controls. As a role that has a view across the organisation, internal audit can identify pervasive issues and investigate the root causes.
Where known issues aren’t being escalated or addressed, they can shine a light. They can be a critical friend and they can provide that oh so valuable perspective of a fresh pair of eyes on the processes you see day in day out.
For audit committees in particular, internal audit is invaluable. The committee (or trustees if there is none) are necessarily limited in how much information they receive about the day-to-day operations. As a committee tasked with ensuring that sufficient internal controls are in place and the charity’s risk management system is appropriate, internal audit are the eyes and ears on the ground.
But there is a caveat here. These benefits can only be fully realised if you have effective internal audit. Many – the current Governor of the Bank of England included – have highlighted that internal audit needs to be properly resourced and taken seriously by senior leaders to be effective. The consequences of not having effective internal audit provision can be grave. Whilst internal audit do not have responsibility for the implementation of controls and processes, they can often be the first to spot where something is going wrong. If the charity sector wants to be resilient and successful going forward, it cannot afford not to have effective internal audit.
A responsibility of the audit committee
It falls to the audit committee (or trustees in the absence of an audit committee) to ensure internal audit is effective. Audit committees have a number of responsibilities when it comes to internal audit – from ensuring they are able to exercise independence to reviewing the function’s resourcing and performance. Of course, this can be a challenge if your audit committee members have limited experience of overseeing or running and internal audit function. The good news for the charity sector – and charity audit committees especially – is that 2020 also brought us the Internal Audit Code of Practice – Guidance on effective internal audit in the private and third sectors. Published in January 2020 by the Chartered Institute of Internal Auditors, this Code of Practice sets out clear expectations for internal audit functions in the charity sector, with a focus on proportionality.
The Code of Practice is very clear that the approach an organisation should take to internal audit will depend on the size and complexity of the organisation. Although certain principles like the independence of internal audit are necessarily inflexible, the guidance on resourcing of internal audit rightly focuses on internal audit provision having skills and experience commensurate with the scale of operations and risks of the organisation. There are different models for resourcing internal audit which mean that charities of any size can benefit. Dr Angela Hind, CEO of the Medical Research Foundation notes that “Medical Research Foundation is a relatively small organisation – but we find having an internal resource to draw on is immensely valuable. It provides much needed confidence to our trustees that we are managing risks effectively while supporting our staff team in continually striving to learn and improve processes. I am a huge fan of internal audit and have always found the reviewing process to be developmental for our business and for me personally. It supports our continuous improvement and I couldn’t recommend it more highly.”
So what can Leadership and audit committee members do to make sure your charity is getting the benefits they should from internal audit? The first question to ask is: now that a clear set of principles for charity internal audit exists for the first time, has your organisation adopted the Internal Audit Code of Practice yet – and do you know where there are gaps between its recommendations and your charity’s approach?
If you are considering internal audit for the first time, aren’t sure the current model of internal audit is right for your organisation, or want to know more about how internal audit works in other charities; support is available. The free to join Charities Internal Audit Network (CIAN) is open to all UK charities and provides its members with internal audit resources and benchmarking, amongst other benefits. Has your charity signed up to CIAN to make the most of this free resource? For those looking for more information on the role of internal audit and how to support it, the Chartered Institute of Internal Auditors has plentiful information on their website, including guidance on the role of the audit committee. And if you want to talk about options for internal audit in your organisation do get in touch with Jonathan Orchard at Sayer Vincent (email@example.com).
Vanessa Clark is chair of the Charities Internal Audit Network (CIAN) and senior internal auditor at the Wellcome Trust. CIAN is a free-to-join network for charity and not-for-profit organisations. Members benefit from free professional development and networking sessions, internal audit resources, benchmarking data and discounted training courses. Visit www.cian.org.uk for more details.
Jonathan Orchard is a partner at charity-specialist audit and advisory firm – Sayer Vincent. He leads the firm’s work in the areas of risk and internal audit. He co-authored the publication Re-thinking Risk and is a Special Adviser to CIAN.