Internal Audit: Essential Questions for Board Directors in their Oversight Role

In today's rapidly evolving business landscape, the internal audit (IA) function's role has become more valuable in helping organizations create and sustain long-term shareholder value. IA provides objective assurance, advice, insight, and foresight, leveraging a risk-based approach. Board oversight and support of the internal audit function are essential to its effectiveness. Listing standards and, more recently, the updated Global Internal Audit Standards™ issued by The Institute of Internal Auditors (IIA) provide a principles-based framework for the board to oversee the IA function and its performance.

Below are some essential questions that boards of directors should consider in their oversight of the IA function:

Are the board and internal audit aligned on purpose, mandate, expectations, roles, and responsibilities? 

  • Has the IA charter been authorized by the board, and is it aligned with the new global standards? 
  • What is the IA mandate, and was it created, updated, and authorized in collaboration with stakeholders such as external auditors, management, and the board?
  • Are roles, responsibilities, and expectations for IA, board, and management clearly defined in a charter including the scope and types of IA services to be provided?
  • What is the process and frequency of updating the IA charter and/or mandate due to circumstances such as organizational changes, new laws and regulations, acquisitions, significant changes to strategy or risk profile, etc.? 
  • Is IA organizationally independent and free from management influence (e.g., reporting directly to the board, positioned at an appropriate level of the organization, etc.)?

Are the board, internal audit, and management aligned on strategy and risk priorities?

  • How does the IA function determine that its annual plan and performance objectives align with the overall strategy, risks, and objectives of the organization? Were efforts made to collaborate with the board, management, external auditors, and others, as appropriate?
  • Does the CAE demonstrate a clear understanding and maturity of the organization’s governance, risk management, and control processes? 
  • Has IA’s risk assessment process identified and assessed both the likelihood and potential impact of various risks to the organization?
  • How does the IA function identify and evaluate internal controls for adequacy in reducing risk? 
  • How do the CAE and IA function consider risks of fraud in their risk assessment and audit plan?
  • What risks are not included in the IA plan and why? 
  • What risk areas would be added to the plan if additional resources were available?
  • What is the process and cadence for updating the internal audit plan for newly identified areas of risk? 
  • Does IA communicate in a timely manner with both management and the board about noted governance, risk, control, and/or compliance deficiencies resulting from its testing of processes, procedures, and controls? What is management's remediation plan to address deficiencies and improvement opportunities identified by IA? Who is included in remediation efforts, and how are their efforts monitored to resolve findings promptly?

How are quality assurance and performance being monitored and evaluated?

  • What monitoring and evaluation techniques are being used by the board to help ensure IA is fulfilling its mandate and performance objectives, including conforming to standards, laws, and regulations?
  • Does IA conduct annual assessments of its own quality and effectiveness through both ongoing internal monitoring and periodic self-assessments?
  • Has the CAE established a Quality Assurance and Improvement Program (QAIP) to evaluate and work to ensure IA conforms to the IIA Global Internal Audit Standards™, meets performance goals, and strives for continuous improvement? What are the results of the most recent internal quality assessment? Who performed the assessment? How is the board overseeing an action plan to address instances of nonconformance with standards or opportunities for improvement?
  • When was the last external quality assessment performed? Was it performed by a qualified independent assessor or team?
  • What is IA’s remediation plan to address identified deficiencies and opportunities for improvement, and how is the board tracking progress against that plan?

Does the IA team have the necessary resources and expertise to fulfill its current responsibilities and evolving needs?

  • Has the board approved the CAE’s roles and responsibilities and identified necessary qualifications, experience, and competencies to conduct the identified roles and responsibilities in alignment with the requirements included in the IIA Global Internal Audit Standards™? 
  • Has the board evaluated the CAE’s performance and approved the CAE’s compensation?
  • When were IA job descriptions last reviewed, and do they align with the evolving team's expectations in terms of responsibilities, requirements, skills, and experiences?
  • What additional professionals, skills, experiences, and capabilities does the CAE need to fulfill the IA mandate and plan? Does IA have the ability to attract and retain qualified professionals?
  • Does IA have the necessary technology and technical skillsets to keep up with the rapid changes in the business and industry?
  • How does IA utilize advanced tools and technologies (e.g., automation, data analytics, AI) to enhance its efficiency and effectiveness while mitigating risks associated with adoption of new technologies?
  • What continuing education, training, and upskilling opportunities are being provided to the IA staff?
  • Do the CAE and IA staff reference the International Professional Practices Framework (IPPF) in conducting their audit work?
  • How does the CAE oversee and evaluate IA staff to determine adherence to the IIA's Global Internal Audit Standards™ and Code of Ethics and alignment with the IA plan and mandate?
  • Does the board support adequate funding of the IA function for the successful implementation of the audit strategy and achievement of audit plan objectives?
  • Does the board support IA’s adoption and use of technology to enhance efficiency and effectiveness of processes and procedures (e.g., tools for automation, data analytics, and use of AI)? Do the board, management, and IA understand the risks of utilizing these tools and have safeguards in place to mitigate these risks?

What is being done to ensure the board and senior management support and collaborate with IA?

  • What is being done to cultivate an inclusive and supportive culture within the IA team, and in interactions with the board and management?
  • What actions has the board taken to champion the IA function and its value?
  • What are the criteria and processes for determining which issues should be escalated to the board for discussion?
  • Does the board have a regular cadence of meetings with the CAE and/or IA, and are these meetings occasionally held without management present?
  • Were there any disagreements with management or instances where IA access to information was restricted?  

Board oversight of the internal audit quality structure and function helps protect the integrity of operations and related financial reporting. Our Risk Advisory Services team offers a deep understanding of industry issues, and we help clients design and implement global compliance programs, and drive results through internal audit. 

Our team stands ready to help those in the internal audit function at public and private companies alike. Learn more about BDO’s internal audit services.

The BDO Center for Corporate Governance endeavors to support directors in engaging in effective governance by providing insights, learning, and networking opportunities in collaboration with BDO subject matter specialists and advisors designed specifically for boards of directors.