Internal Audit is key to Combined Assurance
King III Chapter 7 is merely titled “Internal Audit” and stresses the need for companies to have internal audit capacity.
Emphasis On Risk
Of the 5 principles contained in this chapter, 3 emphasize risk:
“1. The board should ensure that there is an effective risk based internal audit”
“2. Internal audit should follow a risk based approach to its plan”
“3. Internal audit should provide a written assessment of the effectiveness of the company’s system of internal controls and risk management”
Audit Committee Guidance
This chapter starts with noting that the board should ensure that the company undertakes effective risk based internal audit activities. Further than this, the board is not mentioned. The Audit Committee, rather is tasked with the primary responsibility for directing the internal audit activities.
“The audit committee should be responsible for overseeing internal audit”
One would expect details pertaining to this responsibility to be dealt with in the Audit Committee charter.
Combined Assurance
Aligning with Chapter 3, Audit Committees, the combined assurance model is referenced.
Internal Audit, together with the Audit Committee and the external audit provider, create a coordinated approach to providing assurance to the board.
Internal Audit Function
King III recommends that an internal audit function be established. Guidance is provided regarding the activities such an internal audit function should be undertaking. King III also refers to the standards and code of ethics of the IIA (The Institute of Internal Auditors: www.theiia.org).
It is noted that internal audit should function independently from management and should be “strategically positioned to achieve its objectives.”
One could consider the demonstration this independence by a company, through, not only charters (job descriptions and the like), but also the organisational reporting structures.
King III refers to a CAE (Chief Audit Executive) as the leader of this function and recommends that this role report directly to the Audit Committee.
King III provides details of the expectations of such a CAE role.
Internal Audit Plan
A key governance instrument used by the Audit Committee in guiding internal audit is the internal audit plan.
One of the Chapter 7 principles notes that: “Internal audit should follow a risk based approach to its plan”
This pointer has several advantages. One of the advantages is to limit the scope of the internal audit activities to the only the “most important” (as defined by the risk assessment). This then provides limits to the effort and associated cost of the internal audit activities.
The company’s ability to achieve strategic objectives is also considered well within the scope of the plan.
Internal Audit Report
The key deliverable of the Internal Audit function is reporting, specifically:
“…a written assessment of the effectiveness of the company’s system of internal controls and risk management”.
This is a management-level instrument which, from a governance perspective, is used to close the feedback loop.
This ensures that both the expectations of the function are being met as well as providing the results of the associated activities.
Management is responsible for internal controls
The Internal Audit function is expected to report on the company’s internal controls, amongst other things.
It stands to reason then, that management must be directed to maintain such controls.
One could expect these requirements to be detailed in the company’s role charters and delegation of authority.
“Companies should maintain an effective governance, risk management and internal control framework.”
King III provides a brief description of the content of such a framework and associated activities.
Governance instruments
> Internal Audit and associated Charters
> Internal Audit Plan
> Internal Control Framework
> Internal Audit Report
GovN provides you with everything you need to apply King III !
Contact us to find out more!
NOTE: The comments in this page are to be read within the context of the candor legal notices which can be found at this web site. The Institute of Directors in Southern Africa’s ownership of the copyright in the publications “King Report on Governance for South Africa 2009” and “King Code of Governance for South Africa 2009” is hereby acknowledged.
