It is often said that the internal audit function (IAF) is the eyes and ears of the audit committee. What does this exactly mean when we deal with the public sector environment for members of audit committees?
Each entity in the public sector sphere must have an internal audit function (IAF) that has primary reporting responsibilities to the audit committee but functionally reports to the accounting officer. How does the IAF ensure that they become the eyes and ears of the audit committee to enable them to execute on their mandate and become a valuable tool in the public finance management cycle?
Several guidelines and papers have been issued by the Public Sector Audit Committee Forum (PSACF), an initiative established by National Treasury, the Auditor-General of South Africa, the Institute of Internal Auditors (IIA), SAICA, the Institute of Risk Management of South Africa, the Institute of Directors and the Development Bank of Southern Africa to assist audit committees. A series of these guidelines are specifically focused on oversight of the internal audit function.
The Public Sector Audit Committee’s role in overseeing internal audit
This guidance paper focuses on the minimum requirements that have to be met in terms of the Public Finance Management Act 1 of 1999 (PFMA) and the Municipal Finance Management Act 56 of 2003 (MFMA), together with the International Standards for the Professional Practice of Internal Auditing issued by IIA. It focuses on requirements such as:
- An internal audit charter or terms of reference that should be approved by the audit committee
- Responsibilities with regard to the IAF which should be included in the audit committee charter
- The audit committee should play a role in the appointment of the chief audit executive (CAE) or IAF
- The audit committee should approve the three-year rolling plan, as well as the one-year plan to ensure that the controls to mitigate the significant risks have been assessed by the IAF
- Review quarterly progress reports against achievement of the audit plan
- Review specific reports from internal audit with specific reference to the findings, management comments and action plans
- Reviewing internal audit’s role in terms of the combined assurance plan/ framework of the entity
- Assessing the capacity of IAF to deliver against the plan, and
- Assessing the performance of the IAF
The role of audit committees in relation to the external and internal audit
The guidance paper provides guidance for the audit committee in the internal and external audit cycle. Although a continuous cycle, it is important that there be coordination between internal audit and external audit and that they are not auditing the same cycle at a simultaneous time. Typically, external audit is focused on the year-end financial reporting and performing reporting as required by the various public finance legislation. Internal audit will be focused on assessing controls throughout the year.
The audit committee should approve the internal audit plan before the commencement of the financial year and will continuously monitor it based on what transpires during the year. This may entail the approval of each scope of the planned activities. The audit plan should be risk based and include follow-ups required for the implementation of both internal and external audit findings action plans. Probably the most crucial activity is to ensure that where there is planned reliance on the work of internal audit by external audit, the timing as well as the scope are appropriate, not only to achieve the external audit objectives but also to improve internal controls. Examples of these are the timing on the review of performance reporting and the financial statements.
The PSACF has also developed two additional guidance papers that assist the audit committee in the evaluation of the internal audit function, namely:
- ‘Evaluation of the IAF’ and
- ‘Overseeing and Evaluating an IAF’s Effectiveness’
‘Evaluation of the IAF’ provides a questionnaire template for the members of the audit committee, management, external auditors and the CAE to assess internal audit’s performance for any given year against the mandate approved by the audit committee.
‘Overseeing and Evaluating an IAF’s Effectiveness’ provides detailed guidance for the members of the audit committee to evaluate the effectiveness of the IAF. It recognises that the maturity and understanding of the IAF are evolving from what was an assessment of key risks to a crucial role-player in assisting organisations to improve their service delivery to the public. Although IAFs are varying in terms of their maturity based on factors such as qualifications, experience, skills and capacity, ultimately they need to be in a position to independently assess and assist management to improve internal controls and mitigate strategic risks so that service delivery is improved given the limited resources entities are finding themselves with.
One of the aspects the guidance further assists audit committees with is to assess whether the CAE has been placed at the correct level in the organisation to effectively deliver his/her mandate. The guidance enhances the questionnaire from the ‘Evaluation of the IAF’ so that audit committees can also assess the strategic impact that the IAF has on an organisation.
The aspects of reporting of the activities of the IAF are covered by the audit committee reporting paper. The paper covers all aspects of reporting by audit committees and while aimed at the annual report process, it can also be used for the quarterly reporting process. The paper provides guidance on the reporting responsibilities with regard to the IAF including:
- The capacity of the IAF
- The role of the IAF within the organisation
- The activities of the IAF, including achievement of the internal audit plan
- Summarised findings from the reports, and
- Any results of quality assessments of the IAF
These papers are designed to assist the members of the audit committee to use the IAF as a crucial tool in the executing of its mandate. However, an aspect that often gets overlooked is the professional relationship between the audit committee and the IAF to ensure that the function is effective. There must be trust, honesty, integrity, professionalism and objectivity between the audit committee and internal audit so that both parties mutually benefit from the relationship. This would enable all parties to assist the accounting officer or accounting authority in improving the financial and reporting controls so that service delivery can be improved.
About the PSACF
The objectives of the PSACF are as follows:
- To raise awareness of matters that relate to the function, duties and composition of public sector audit committees
- To provide a database of individuals who are experienced and qualified to serve as public sector audit committee members
- To be alert to and consider matters concerning public sector audit committees in the public domain
- To provide thought leadership on the function, duties and composition of public sector audit committees by discussing, researching, developing and disseminating position papers and good governance guidance
- To embark on initiatives that address the development of current or potential public sector audit committee members
- To support public financial management, governance, risk and control initiatives to improve audit outcomes across all spheres of government
Author: George Higgins CA(SA), IDG Consulting and Chairperson of the Public Sector Audit Committee Forum working group