A red flag
In a recent article, Richard Chambers, Global President and CEO of The Institute of Internal Auditors, rightly described the lack of an internal audit function as a ‘red flag that should cause an investor’s antenna to go up’.
In the UK, fully listed companies are not obliged to have an internal audit function, but if they don’t have one they must explain their reasons in their annual report. However, the take-up of internal audit isn’t great in smaller UK quoted companies, including those on the AIM market, although it does seem to be improving.
AIM is interesting, as the size of companies varies dramatically and in my mind internal audit probably isn’t appropriate for many of the very smallest ones. However, at the upper end of the spectrum they include international, multi-location organisations with hundreds or even thousands of employees. Instead of internal audit it is common for audit committees to rely on ‘management reports’ about the effectiveness of controls.
What are the risks?
While UK quoted companies set out their identified key business risks in their annual reports, I believe the risks of not having internal audit should be carefully considered and specifically addressed in the annual report. Factors for consideration might include the degree of decentralisation, staff & management skills as well as the nature of risks that the business faces. Other considerations are the seniority, available time and skills of the people preparing the management reports as well as their objectivity. While a relative lack of size may be one reason for not having internal audit, it is far from being the only consideration.
It’s about the business and not just controls
I believe too many people view internal audit as being just about checking controls. I see the value add as being much broader. Its existence helps improve accountability and encourages staff to stand back and look objectively at the way they are doing things. It should help inculcate a culture of improvement and ‘buy in’. I see internal audit as ultimately helping answer the question ‘are our working practices truly supporting the business?’ It also has strategic and forward-looking dimensions. It should genuinely add value and result in improved performance.
The need for a proper business case
The article seems to advocate NASDAQ in the US making internal audit mandatory. I am not convinced that mandatory internal audit is the best answer for smaller companies – to be effective, internal audit really needs board backing, which in turn requires a business case. Having said that, I feel that many smaller UK quoted companies are probably not seriously evaluating the risks of not having internal audit and the business case.
For many companies it may be a case of ‘what you’ve never had you’ve never missed’ – if you aren’t aware or mindful of the benefits (see above), the business case will be weak.
Realistically, many smaller companies genuinely can’t justify the cost of employing an in-house auditor – outsourcing on a project basis can be a good solution and can also be a great way of dipping your toe in the water.
If this article was food for thought, then do feel free to get in touch; I’d be happy to discuss further.
If you found this article helpful you may also like 10 internal audit qualities for smaller businesses.
Here is a link to Richard Chambers’ article No Internal Audit Function? Investors Beware!