The Internal Audit Function


Guidance for audit committees

The internal audit function

March 2004
The Combined Code on Corporate Governance – July 2003

C.3 Audit Committee and Auditors


Main Principle: The board should establish formal and transparent arrangements for considering how they
should apply the financial reporting and internal control principles and for maintaining an appropriate
relationship with the company’s auditors.

Code provisions
C.3.1 The board should establish an audit committee of at least three, or in the case of smaller companies
two, members, who should all be independent non-executive directors. The board should satisfy itself
that at least one member of the audit committee has recent and relevant financial experience.
C.3.2 The main role and responsibilities of the audit committee should be set out in written terms of
reference and should include:
• to monitor the integrity of the financial statements of the company, and any formal announcements
relating to the company’s financial performance, reviewing significant financial reporting judgements
contained in them;
• to review the company’s internal financial controls and, unless expressly addressed by a separate board
risk committee composed of independent directors, or by the board itself, to review the company’s
internal control and risk management systems;
• to monitor and review the effectiveness of the company’s internal audit function;
• to make recommendations to the board, for it to put to the shareholders for their approval in general
meeting, in relation to the appointment, re-appointment and removal of the external auditor and to
approve the remuneration and terms of engagement of the external auditor;
• to review and monitor the external auditor’s independence and objectivity and the effectiveness of
the audit process, taking into consideration relevant UK professional and regulatory requirements;
• to develop and implement policy on the engagement of the external auditor to supply non-audit
services, taking into account relevant ethical guidance regarding the provision of non-audit services
by the external audit firm;
and to report to the board, identifying any matters in respect of which it considers that action
or improvement is needed and making recommendations as to the steps to be taken.
C.3.3 The terms of reference of the audit committee, including its role and the authority delegated
to it by the board, should be made available. A separate section of the annual report should describe
the work of the committee in discharging those responsibilities.
C.3.4 The audit committee should review arrangements by which staff of the company may,
in confidence, raise concerns about possible improprieties in matters of financial reporting or
other matters. The audit committee’s objective should be to ensure that arrangements are
in place for the proportionate and independent investigation of such matters and for appropriate
follow-up action.
C.3.5 The audit committee should monitor and review the effectiveness of the internal audit
activities. Where there is no internal audit function, the audit committee should consider annually
whether there is a need for an internal audit function and make a recommendation to the board,
and the reasons for the absence of such a function should be explained in the relevant section
of the annual report.
C.3.6 The audit committee should have primary responsibility for making a recommendation on
the appointment, reappointment and removal of the external auditors. If the board does not accept
the audit committee’s recommendation, it should include in the annual report, and in any papers
recommending appointment or re-appointment, a statement from the audit committee explaining
the recommendation and should set out reasons why the board has taken a different position.
C.3.7 The annual report should explain to shareholders how, if the auditor provides non-audit services,
auditor objectivity and independence is safeguarded.
Introduction
This publication is part of a series which has been prepared by the
Institute of Chartered Accountants in England & Wales to assist non-
executive directors on audit committees to gain an understanding
of the provisions of the Combined Code on Corporate Governance –
July 2003 (The Combined Code) relating to Audit Committees and
Auditors and the guidance set out in Guidance on Audit Committees
(The Smith Guidance). The Guidance is based on the proposals
set out in the report of the FRC-appointed group chaired by
Sir Robert Smith.

The internal audit function


One of the Combined Code provisions (C.3.2) is a requirement that
the audit committee:
‘monitor and review the effectiveness of the company’s internal
audit function.’

It further requires that (C.3.5):


‘The audit committee should monitor and review the effectiveness of the
internal audit activities. Where there is no internal audit function, the audit
committee should consider annually whether there is a need for an internal
audit function and make a recommendation to the board, and the reasons
for the absence of such a function should be explained in the relevant
section of the annual report.’

This publication provides a brief background to internal audit and
explains how an internal audit function might operate in an
organisation, what standards internal auditors may follow and
how the function might interact with the audit committee.

The Audit and Assurance Faculty of the ICAEW published The Power
of Three: understanding the roles and relationships of internal and
external auditors and audit committees in May 2003 and Evaluating the
Effectiveness of Internal Audit in November 2003. Both publications
provide further practical guidance on the internal audit function.

Each company is unique and audit committees will need to apply
the Smith Guidance in a manner that is appropriate to them.
This publication does not provide guidance on how to deal with
individual situations and reference may need to be made to the
various pronouncements mentioned in the text for further
information and guidance.



Background
Risk is inherent in the decisions that an organisation takes to manage
and run its business and in the business processes established to
assist in the achievement of its business objectives. Changes in the
way organisations carry out their normal activities resulting from,
for example, expansion of the business or changes in the regulatory
framework, can place enormous strain on an organisation’s control
mechanisms and become major sources of risk. That is why establishing,
implementing and embedding effective risk and control elements of the
overall corporate governance framework are of fundamental importance
to all organisations.

Internal audit can play an important assurance role in an organisation’s
governance processes, particularly in the area of risk management and
control. In many organisations, the expectations placed upon internal
audit have increased and the function is being relied on to make a
significant contribution.

With the introduction of the revised Combined Code and the Smith
Guidance, audit committees are expected to take a more focused
oversight role in respect of risk management and internal control.
They need assurance from management and independently that good
internal controls are in place and operating effectively. Internal audit can
contribute to independent assurance on the overall risk management,
control and corporate governance processes. It can also be a useful
catalyst for change and improvement within the organisation.

It is important therefore for the audit committee to distinguish between
the role of management and that of internal audit. Management has
primary day-to-day responsibility for managing risk and for the operation
of internal controls within an organisation. Internal audit’s role is
separate and independent from management.

‘Independence’ has a different meaning for internal audit than it does
for external audit.(1) The internal audit function is generally considered
independent when it can carry out its work freely and objectively.

What is internal audit?


A commonly used definition for internal audit is:

‘An independent, objective assurance and consulting activity designed
to add value and improve an organisation’s operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management,
control and governance processes’.(2)

(1) Independence in the context of external audit is explained in Reviewing auditor independence
in this series.

This definition recognises two roles for internal audit:

• to provide an independent assurance service to the board,
audit committee and management, focusing on reviewing the
effectiveness of the governance, risk management and control
processes that management has put into place.

• to provide advice to management on governance risks and controls,
for example, the controls that will be needed when undertaking
new business ventures.

Professional guidance is available from a number of sources. Building
on the definition above, the Institute of Internal Auditors (IIA) has
issued professional standards for both assurance and consulting work.
Public sector organisations are likely to follow internal auditing
standards and guidance set by HM Treasury and other public sector-
related bodies such as the Chartered Institute of Public Finance and
Accountancy (CIPFA).

The audit committee might wish to consider:

• How does the head of internal audit view the role of internal audit?

• What standards and guidance does the internal audit function follow?

Whether to have an internal audit function


Having an internal audit function is not mandatory for listed
companies, although it is for certain public sector organisations.
Therefore the board of a smaller listed company may decide that it
already gains sufficient assurance on risk, control and governance from
other assurance activities within the organisation, for example, directly
from regular management information and self-monitoring, from
other assurance functions such as security or health and safety or from
its external auditors. In short, a company may conduct internal audit
activities even though there is no internal audit function.

The Smith Guidance calls upon the audit committee to recommend
to the board whether there should be an internal audit function.
In such a situation, the audit committee needs to be satisfied that
all arrangements that the board has put into place are sufficient
and appropriate for the organisation.

(2) This definition of internal audit is taken from the International Standards for the Professional
Practice of Internal Auditing of the Institute of Internal Auditors.


Internal audit is a source of independent and objective assurance.
Therefore when making the decision not to have an internal audit
function, the board and the audit committee must be in a position
to demonstrate that the assurance it is already receiving is sufficient.
Paragraph 4.9 of the Smith Guidance requires the audit committee
to explain this in its report to shareholders so it must also be in a
position to demonstrate to external parties that an internal audit
function is not necessary.

The audit committee might wish to consider:

• Where there is no internal audit function, what are the sources
of assurance within the business?

Status of internal audit


Where there is an internal audit function, its status and remit derives
from the needs of the organisation and should be set at the top of the
organisation, i.e. by the board and the audit committee. There is no
single model for internal audit and each organisation will determine
what is appropriate to suit its requirements. In general, internal audit
could, if agreed by the audit committee, seek assurance that:

• The organisation has a formal governance process which is operating
as intended: values and goals are established and communicated,
the accomplishment of goals is monitored, accountability is ensured
and values are preserved.

• Significant risks within the organisation are being managed and
controlled to an acceptable level as determined by the board.

In addition, internal audit can be used to facilitate the strengthening
of the governance and risk framework within the organisation.

The audit committee will need to consider the role that has been set
for internal audit within the organisation’s overall assurance
framework.(3) It will, on an ongoing basis (at least annually), wish to
challenge the organisation’s decisions in relation to the role that has
been set for internal audit and question whether its scope, authority
and resources are adequate and consistent with the risks that the
organisation faces and the effectiveness of the internal controls that
are in place to address those risks.

(3) The overall assurance framework is defined in the ICAEW’s publication The Power of Three:
understanding the roles and relationships of internal and external auditors and audit committees.
It is the process through which senior management and those charged with governance
assess the organisation’s various assurance needs and identify at a strategic level, how it will
meet those needs.



The audit committee might wish to consider:

• Does the status and remit of internal audit that has been set by the
board reflect the requirements of the organisation?

• Does the remit fit clearly within the overall assurance framework?

Terms of reference
The overall status and remit of internal audit should be formalised in
terms of reference, often referred to as an audit charter, and approved
by the board, normally through the audit committee. These should
then be communicated to relevant people within the organisation.

Internal audit’s terms of reference or charter should provide clarity
about its:

• strategy and objectives;

• role and responsibilities within the organisation;

• scope of work;

• accountability to the audit committee;

• reporting lines for line management purposes;

• accessibility to the board and the audit committee; and

• unfettered access to all information, people and records across the
organisation.

The terms of reference should make it clear that internal audit should
not be put in a position where it has to review its own work.

The audit committee might wish to consider:

• Are there formal terms of reference/an audit charter that are approved
by the board?

• Have they been communicated to relevant people within the
organisation?

• How frequently are the terms of reference refreshed?

• What safeguards protect the independence of internal audit and
the position of the head of internal audit?



Audit approach
The audit approach taken by internal audit will largely depend on
its remit and the objective assurance that the board requires.

Audit plans
Internal audit should, on at least an annual basis, develop a plan of
work that it will cover to provide the required assurance to the audit
committee and the board. This plan should retain some flexibility
to enable internal audit to respond to new issues as they arise.

The audit plan should identify how internal audit will:

• obtain assurance on the effectiveness of the governance and
risk management processes;

• support the development and maintenance of governance and
risk management processes;

• challenge the board’s assessment of risk and the controls in place
to manage the identified risks;

• evaluate and test the effectiveness of controls in place to manage
the identified risks; and

• co-ordinate with other sources of assurance, e.g. health and safety,
external auditors, etc.

In setting the audit plan, there should be effective dialogue between
the audit committee, management, internal audit and external
auditors to ensure that there is adequate assurance from all sources
to cover all key business risks. Audit committees need to make clear
their expectations that both internal and external auditors will
communicate effectively with each other about how their respective
audit plans and objectives will cover these key business risks.

The IIA’s Performance Standard 2201, Planning Considerations, states
that internal auditors, in planning their work, should consider the
objectives of the activity being reviewed, the risks related to that
activity, the adequacy and effectiveness of the activity’s risk
management and control systems and the opportunities for making
significant improvements to those systems.

Skills and resources


Internal audit needs to have adequate budget and resources to
complete its work plan and fulfil its remit. In achieving appropriate
coverage of the agreed risk areas, it will need to have staff with
the right skills and expertise. It may also require access to specialist
resources which might include using staff from elsewhere in the
organisation or external resources. Paragraph 4.10 of the Smith
Guidance requires the audit committee together with the head
of internal audit to ensure that the current complement of staff
is sufficient and appropriate to achieve the audit plan.

The audit committee might wish to consider:

• Is the resourcing of internal audit sufficient to meet current needs;
or is the scope of its work being reduced to fit the available budget?

Sourcing of internal audit


There is no requirement for internal audit to be provided by an
organisation’s own employees. The organisation may choose to have
the service provided fully from within, may outsource it entirely to an
external provider or may consider a mixture of internal and external
sourcing. However the service is provided, it needs to fit into the overall
remit and scope that has been set and its effectiveness needs to be
monitored and reviewed on a regular basis by the audit committee.

Performing the audit work


In order to perform its work efficiently and effectively, internal audit
will need to have unfettered access to necessary information, people,
records and outsourced operations across the organisation. IIA
Performance Standard 2300, Performing the Engagement, states that
internal auditors should identify, analyse, evaluate and record sufficient
information to achieve the engagement’s objectives. The head of
internal audit will need to determine how internal auditors carry
out their work and the level of evidence required to support
their conclusions.

Evaluation of findings
Internal auditors will normally evaluate the findings of each
engagement. They should assess whether the actions adopted by
management address risks in the manner and to the extent intended
and identify and report any weaknesses.

Communication of results
Under the IIA’s Performance Standard 2400, Communicating Results,
it is recommended that internal auditors report internally to the board,
the audit committee and management on a regular basis.



Internal audit’s reports, opinions and any recommended management
actions need to be communicated in a clear, concise, reliable and
constructive way. They should demonstrate a clear understanding of
the organisation and its objectives. All significant actions need to be
communicated to the audit committee regularly, together with dates
of implementation. Where key agreed actions are not appropriately
implemented by management, there needs to be a mechanism for
internal audit to investigate the reasons why and, if necessary, escalate
matters to the audit committee.

It is important for both internal and external auditors to co-operate,
communicate and share their evaluations and the results of their audit
work when relevant and subject to any confidentiality requirements.
This dialogue should take place regularly throughout the year.

The audit committee might wish to consider:

• Is there a schedule of actions together with agreed implementation dates?

• Can management provide adequate explanations for situations where
actions have not been implemented?

• Does internal audit have confidential access to the audit committee?

Effectiveness of internal audit


Internal audit activities play an important part in the effective
governance and risk and control framework of any organisation.
As required by code provision C.3.2, the audit committee should
monitor and review the effectiveness of the internal audit function.
It should provide feedback and guidance to internal audit to help it
provide the assurance service the audit committee needs.

Reviewing internal audit reports will help the audit committee assess
the quality of internal audit’s work during the course of the year.
Building on this ongoing review, an annual review may involve
obtaining feedback from management, external auditors and other
stakeholders.

In addition to these ongoing and annual reviews, IIA Performance
Standards recommend that a quality review of the internal audit
function should be carried out by an independent qualified reviewer
at least every five years.

The audit committee might wish to consider:

• Are there adequate procedures in place to evaluate the effectiveness
of internal audit within the organisation?

Additional copies may be obtained by calling: +44 (0)20 7920 8634
or downloaded by visiting www.icaew.co.uk/technicalpolicy.

ISBN 1 84152 203 1

© Institute of Chartered Accountants in England & Wales

Dissemination of the contents of this publication is encouraged.
Please give full acknowledgement of source when reproducing
extracts in other published works.

No responsibility for loss occasioned to any person acting or
refraining from action as a result of any material in this publication
can be accepted by the publisher.

March 2004

TECPLN2893(ii)
Guidance for audit committees
The Institute of Chartered Accountants in England & Wales
has issued a series of publications to assist non-executive
directors on audit committees to gain an understanding
of the guidance included in the revised Combined Code
on Corporate Governance as ‘Audit Committees: Combined
Code Guidance’. This is closely based on the proposals
originally set out in the report of the FRC-appointed group
chaired by Sir Robert Smith.

The following titles are available:

• Company reporting and audit requirements
• Monitoring the integrity of financial statements
• The internal audit function
• Evaluating your auditors
• Reviewing auditor independence
• Working with your auditors
• Whistleblowing arrangements

Chartered Accountants’ Hall PO Box 433 Moorgate Place London EC2P 2BJ
Tel 020 7920 8100 Fax 020 7638 6009 www.icaew.co.uk
