Is your Internal Audit Function King IV compliant?

Principal 15 of King IV Report on Corporate Governance for South Africa 2016 states that the Governing Body should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organisation’s external report.

Recommended practices 48 to 61 relate to the Internal Audit function and are the subject of this article.

The following represent some of the recommended practices that appear to be overlooked by organisations to their own detriment as they affect their ability to fully leverage their internal audit functions to contribute to the achievement in the effectiveness of governance, risk management and control processes:

• The Internal Audit Charter not clearly addressing the role of Internal Audit in Combined Assurance (Recommended practice 49). This can create conflict between the assurance providers in the organisation and results in combined assurance not being fully implemented in the organisation.
• The Internal Audit Charter not explicitly adopting internal audit standards (Recommended practice 49). This creates space where compliance with the standards of Internal Audit is optional and provides room for Internal Audit leaders to deviate from what is considered best practices in Internal Auditing.
• Not ensuring that the person who fills the position of Chief Audit Executive (CAE) has the necessary competence, gravitas and objectivity (Recommended practice 52). Organisations continue to appoint CAEs who are not certified in Internal Audit and are not members of the profession and thus do not abide by the code of conduct of the profession. This also means that when they are not required to maintain their professional competence and should they breach the code, no action can be taken against them.
• Not ensuring that an External Independent Quality Review is conducted by the Internal Audit Function at least once every 5 years (Recommended practice 60).

The International Standards for the Professional Practice of Internal Auditing require that the chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. (IPPF Standard 1300)

A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. (IPPF Standard 1300)

IPPF Standard 1310 requires that the quality assurance and improvement program must include both internal and external assessments.

Internal assessments must include Ongoing monitoring of the performance of the internal audit activity and Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.

IPPF Standard 1310 provides that those external assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation.

IPPF Standard 1321 clarifies that indicating that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement program.

Conclusion:

The mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. For this to be possible, the best practices for Internal Audit must be adopted by organisations.