In recent weeks, major supermarket chain Tesco found itself penalised after a two-year probe carried out by the Serious Fraud Office (SFO), resulting in an agreement to pay a fine of £129 million for overstating profits in 2014. The shock admission by the leading retailer revealed that it had identified an apparent £250 million overstatement of its profits.
The SFO’s large-scale investigation led to subsequent financial and reputational damage, and the supermarket chain faced significant share-price falls and the intervention of regulators when the admission was made.
David Haylor, Managing Director at Internal Audit Connections (IAC), specialist recruiters of internal audit and enterprise risk staff, provides Lawyer Monthly with insight into how an effective internal audit strategy can help to safeguard an organisation against falling victim to huge financial losses and the subsequent reputational damage.
An Effective Internal Audit Function
In reality, the discovery of a major fraud is rarely a direct result of scheduled internal audits. The scale and resources of the internal audit team do not provide the coverage to ensure all fraud and malpractice can be eliminated. If the fraud involves collusion amongst senior management, it is particularly difficult to unravel the issue with a standard audit approach because the audit trail of individual transactions may well have followed the documented processes and procedures and be compliant.
These types of fraud become apparent only when individuals with a deep insight into a particular area of the business or someone operating at a strategic level notices an inconsistency in the numbers. They may not fully understand the implications of their discovery, but in a well-governed environment these concerns should be passed on to the internal audit team either formally through the “whistleblowing” helpline, which can be anonymous, or – more usually – through an informal conversation where the concern is raised with audit, which may then lead to a more formal audit or investigation.
Mitigating Risks
Time and again, we hear organisations talk about “company culture”, and this remains the most important influence on the successful running of an organisation. Culture permeates all aspects of the organisation’s relationship with the internal audit function. If the audit team faces a “blame” culture, fear and a lack of communication, transparency and accountability, you have the ingredients that can foster negative behaviours and enable fraud and malpractice to thrive.
Themes you consistently observe in top-calibre internal audit functions include:
Strategic Vision – Does the function interact at the strategic level with the C-Suite Executives and is it privy to key decision-making conversations?
Suitable Audit Director – Do you hire an Audit Director with the attitude, abilities and experience to balance the commercial priorities of the organisation whilst also being able to really understand the business and speak truth to power?
Reporting Structure – Do you have a reporting structure that creates genuine independence? This includes the strengths of your non-execs, Board structure, audit leadership and communication and reporting structures.
Empowerment – Do you empower that individual and their team to create their plan on well-assessed risk, or do you push them down a narrow, pre-programmed path?
Value – Do you value your audit team by fully backing their reports, recommendations and talent progression?
If organisations do not see assurance from the perspective described above, they are more likely to be put at risk. A business that does not follow this approach will also miss out on the dissemination of best practice, the ability to take risks that are well understood and a trusted partner able to prevent damage to the organisation.
In summary, a well-led, well-resourced and well-supported internal audit function, combined with assurance centred on empowerment, structure and values, will safeguard an organisation from financial risk. This will also lead to well-understood risk-taking and best practice filtering through an organisation.
However, whilst internal audit does serve to raise red flags, spread best practice and protect an organisation, the scope of internal audit is far broader than just the prevention of financial losses.