Setting up a new internal audit function

Do you need an internal audit function?

If your organisation accesses or is responsible for significant public money you’ll want a sound approach to internal control.

Internal audit is the mechanism that gives the board comfort that the internal control approach and management systems are sound and that the board can rely on what they are being told by management.

When done well, it is also a source of improvement in the organisation’s management systems and can drive improved performance through better process and less unwanted variation. Good ones also reduce leakage and improve your bottom line.

As a rule of thumb, if your revenue is more than $200m you’ll want a regular internal audit approach in place. In most sectors this is mandated. Smaller organisations will also benefit from these sorts of reviews.

ASX Recommendation 7.3

From July 2014, ASX listed companies are required to either establish an internal audit function or provide a public explanation of an alternative approach. 

Our standing advice has always been that in most cases, if done well, establishing an internal audit function is a better investment than attempting to adopt and explain an alternative approach. Conversely, doing a “tick and flick” or a “comply or spin” exercise is a waste of company resources and should be avoided. It is also met with increasing scepticism from institutional investors and proxy advisors.

In the modern landscape, particularly in life after the APRA CBA report, having a sound internal audit function in place is essential. It’s a sign of good governance on many of the things of concern to investors and is potentially worthy of a share price premium.  The converse is also true, particularly in 2019.  Not having a good one also increases Director exposure when mishaps happen and internal control systems are found wanting.

Where should you start?

The market for internal audit services continues to evolve. A myriad of different combinations of in-house, virtual, contracted and outsourced services are available.

The right approach really depends on your circumstances.  Like any internal or contracted service, the key is putting arrangements in place that are fit for purpose for your circumstances and putting mechanisms in place so that they remain relevant, value adding and cost effective.

Todd Davies and Associates does not provide internal audit services or receive commissions from recruiters or providers. We help to set you up for success.

We generally start in one of two ways:

  1. Performing an initial diagnostic that determines where the greatest need is, determines an appropriate budget and the most appropriate models for those circumstances
  2. We then work with organisations on implementation – either assisting with designing and helping to fill in-house roles, or to source external provider(s).

From there we support the in-house team or relevant executives and the Audit/Risk Committee as required.

For an obligation-free discussion, please contact us.