Reviewing the governance framework for bank in BVI about 10 years ago, I noted that the most impressive governance review was performed by the internal auditor. It was concise, systematic, insightful, and up-to-date with the latest relevant national and international developments.
Working as a consultant to companies on strategy, compliance, audit, risk management and then with boards, I am often struck by the lack of realistic knowledge of many boards of what is really going in the organization.
Internal audit can provide an even stronger position than an external consultant.
Internal audit functions are instrumental in closing the gap between strategic planning and real-world application. The core function of internal audit, according to the International Professional Practices Framework (IPPF) as promulgated by the Institute of Internal Auditors (IIA), is to “enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight”.
This mission statement encapsulates the essence of what internal audit aims to achieve within an organization. It highlights the dual role of internal audit in not only assessing and improving the effectiveness of risk management, governance, and control processes but also in providing valuable insights and advice to further organizational objectives.
Therefore, whenever you have the large disconnects between board, internal audit, and executives, as unveiled by a recent IIA OnRisk study in 2022, this is pointing towards unrealized potential (as well as risks to achieving even that which the organization is already committed to).
More than that – it speaks to some fundamental approaches to management, governance, and good delegation in general. Any time someone or a body delegates to or enters into agreement with another party for the performance of activities, generation of outputs and outcomes, the party that is delegating and accountable for the results, should not only rely on the reports of those to whom it has delegated, but it needs to have a direct view onto what is going on – it requires an audit function.
In larger organizations this function is performed for the board by internal audit, that it is necessary aspect for effective governance.
So what does regional corporate governance guidance say about the role of and relationship with internal audit?
Integrated Governance requires Internal Audit Functions
Let us step aside for a moment to look at the IIA OnRisk 2022 report on and ask ourselves what is essential to Integrated Governance. Among the key insights in the report are the following:
There are notable variations on key risk areas showed up among risk management players: for example Boards were significantly more likely to rate Disruptive Innovation as a highly relevant risk (77%) than were senior executives (50%).
Significant gaps existed between their assessment of the organizational capability to respond to risks that they consider to be highly relevant for their organizations. For example, Cybersecurity had an average rating of 87% in terms of relevance to the organization, but organizational capability only 42% rating, and average personal knowledge only 31%. Perceptions of risk relevance vary greatly across the ESG components.
Organizational Governance dominated in terms of relevance over Social Sustainability and Environmental Sustainability in the minds of survey participants.
ISO 37000 as National Organizational Governance Standard
ISO 37000:2021 provides comprehensive guidance on the governance of organizations, underscoring principles such as social responsibility, risk governance, and long-term viability.
Caribbean standardization bodies, and through them experts and stakeholders from across industry and different types of organizations across Trinidad & Tobago, Saint Lucia and Jamaica were actively involved in developing the ISO 37000 standard between 2017 and 2021.
For Caribbean entities, the adoption of ISO 37000 as the national standard in Trinidad and Tobago, Saint Lucia and Jamaica signifies a commitment to not just regulatory compliance but to sustainable, ethical, and effective governance.
This global and now also national standard applies to all organizations, irrespective of size or sector, and offers a blueprint for Caribbean corporations aiming to align with international best practices while catering to regional demands.
Assurance in Oversight: Actionable Strategies for Caribbean Enterprises
ISO 37000 underscores the governing body’s responsibility for effective oversight of the organization. This includes ensuring that an internal control system is implemented and functioning as intended. The standard clarifies the nature and elements of the internal control system and assurance processes, integrating them into the organization’s governance framework.
The oversight responsibility encompasses several key actions:
• Implementation of an Internal Control System (ICS): This system should include risk management, compliance management, and financial control systems to help the organization manage its risks and comply with legal and ethical standards.
• Assurance of Governance System Design and Operation: The governing body must assure itself that the governance system is appropriately designed and operating effectively. This involves a continuous assessment of the system’s effectiveness in achieving the organization’s objectives
• Direct Verification and Reporting: The governing body should engage in direct verifications and receive direct reports from independent control functions, including risk management, compliance management, and internal audit. These reports provide the governing body with insights into the effectiveness of the governance processes and the internal control system.
Role of Internal Audit Function
The internal audit function plays a pivotal role in the assurance process within the governance framework of ISO 37000. It acts as an independent provider of assurance to the governing body, focusing on the effectiveness of governance processes, risk management, and compliance management. Key aspects of the internal audit function include:
• Independence and Objectivity: Internal audit must operate independently from management to provide objective assurance on the effectiveness of the organization’s governance, risk management, and control processes
• Reporting to the Governing Body: Internal audit reports directly to the governing body, typically through the audit committee. This reporting structure ensures that the governing body receives unbiased information about the organization’s internal controls and risk management practices
• Enhancing Risk Management Processes: By providing objective assurance and guidance, the internal audit function helps to enhance the organization’s risk management processes, ensuring that risks are appropriately identified, assessed, and managed
In summary, ISO 37000:2021 places significant emphasis on the role of the Internal Audit function in providing assurance to the governing body regarding the effectiveness of the organization’s governance, risk management, and control processes. The standard outlines a clear framework for oversight and assurance, highlighting the importance of an independent and objective internal audit function in supporting good governance practices.