Often when we discuss the duties of various groups within an organization, there are clear, distinct functions. For example, there are distinct differences between accounting and operations. Even within departments, there are discreet boundaries between accounts payable and accounts receivable teams. Under the umbrella of corporate governance, however, we find overlapping responsibilities. Given the level of risk inherent to corporate governance, we can argue that the overlap is by design. Numerous departments within an organization contribute to corporate governance, including internal audit, compliance, environmental, health and safety (EH&S), legal, risk management, and many others. When we look closely at the functions of these departments, internal audit and EH&S audit stand apart as a natural partnership.
Internal Audit and EH&S teams are working toward a common goal. Based on the respective mission statements, both groups provide advisory services to management to support the decision making and risk mitigation processes. In an effort to streamline the efforts of both teams, and to enhance the organizational value of both audit and EH&S, we should consider combining our efforts, especially in audit planning and board reporting.
Every organization is asked to do more with less. Staffing levels often remain flat or are not increased to a level that would significantly alter the scope of the work we have the capacity to perform. By coordinating with other groups inside our organization, we have the opportunity to increase our audit coverage by leveraging the work already being completed. The IIA does provide guidance on this matter in Standard 2050 in the International Standards for the Professional Practice of Internal Auditing (IPPF). While the Practice Advisory (2050-1) is applied to reliance on work from external auditors, the standard is written to address coordinating “activities with other internal and external providers of assurance”, which would encompass groups like EH&S.
Based on this standard, the CAE should be reaching out to internal groups such as the EH&S team to ensure “proper coverage and minimize duplication of efforts”. During audit plan development, we should consider the scope and objectives of the work being performed by the EH&S team. In fact, in a comprehensive risk assessment, environmental risks, health risks, and safety risks should be considered, and the worked planned by the EH&S auditors can be relied upon for the audit coverage for these areas. Once the audit plan is drafted we can take the next step and combine the report process with senior management.
We can gain efficiency when reporting results to senior management and the board. During the beginning of the year, both the CAE and the Director of EH&S auditing should submit summaries of their respective planned audit activities, staffing plan, and budget to senior management and the board. By combining this presentation, we can help our stakeholders better understand the scope of the work and planned audit coverage.
The same holds true for interim and year end results reporting. By co-presenting internal audit and EH&S audit results, we can better help management focus and set priorities for the organization. We must be careful not to overwhelm the board with endless information. Always present summary information, ideally with visuals, and provide any details as an appendix to the summary. Remember that senior management has a very limited amount of time to dedicate to your data, so be succinct and provide your reports well in advance of any meetings.
In line with our respective audit processes, we should provide more risk information to the audit committee. When discussing EH&S, this will likely gravitate to compliance risk. In any case, instead of getting mired in the details, focus on trending information related to audit results. Our ability to present trends is more illustrative of the organization’s overall status.
As we all work toward providing our organizational management with useful and concise information for their decision making process, combining efforts between internal audit and EH&S will lead to improvement. We will better understand our audit coverage, and we will gain efficiencies in our audit planning and reporting activities. Ultimately, by strengthening the relationship between these similar functions, we will improve our ability to protect overall organizational value while raising our own internal value to senior management and the board.
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has assisted numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.