Cross-sector internal audit standards will improve the way public bodies manage risk
By: Ian Peters, Guardian Professional

The need to manage risk in the austerity-driven public sector has never been greater. By adopting the new public sector internal audit standards, the public sector is setting higher expectations for the role and scope of internal audit and giving it a consistent, cross-sector framework.

Changes to processes and jobs as public bodies pursue expense reduction and efficiency gains can open up weaknesses in risk management and control systems that can be overlooked in the attention on cutting costs. One need look no further than the crisis at Mid Staffordshire NHS foundation trust to see the very worst consequences of poorly-managed cost cutting.

But cost cutting is not the sole cause of poor risk management and internal control. Last year, for example, poor project governance processes, alongside numerous senior management changes, were to blame for a flawed bidding process for the west coast main line rail franchise, which has cost taxpayers nearly £10m. Previous risks have included data security issues, such as HM Revenue & Customs losing 25m records in the post in 2007 and the loss of memory sticks and laptops at the Ministry of Defence in 2008.

Managing risk is as much a concern in public organisations as in any other sector. It requires attention that starts at the very top of the organisation and permeates throughout it. Internal audit can and should be an essential part of the process of supporting boards and executives to improve how they identify and set risk management policies and how they direct employees to manage risk.

Government watchdog the National Audit Office thinks there is still some way to go for internal audit in playing this role. The 2012 NAO report on internal audit concluded that it could be better supported, the scope of its work broadened, the standards by which it works more consistently applied across the public sector and its skills and resources improved.

That report underlined work already begun by the Chartered Institute of Internal Auditors (IIA) and the Chartered Institute of Public Finance and Accountancy (CIPFA). Our collaboration, based on our shared interest in public financial control in the public sector and its broader good governance, has culminated in the publication of the new public sector internal audit standards, which came into effect on 1 April 2013.

Internal auditors work independently of line managers, which enhances their objectivity. But to be fully effective in helping to protect their organisation and enabling it to achieve its objectives, they rely on the support of senior executives and non-executives. They also need a remit and resources which give them the scope to review any area where there may be concerns about the control of risks.

Internal auditors must assess how well risks are being identified and how effective the subsequent controls put in place to manage those risks are. But they don't have the resources to look everywhere at all times. They need to focus on the most crucial risks and rely on management to manage other risks effectively – a risk-based approach. They report their findings to those responsible for governance, principally the accounting officers and audit committees in Whitehall departments, non-departmental public bodies, the NHS, local authorities and other public service delivery organisations. Internal auditors are effectively the eyes and ears of the board.

The new standards encourage a step change in the contribution internal auditors make to improving how effectively risk is managed and controls operated around vital systems. Importantly, they also create a clearer basis for assessing the performance and development needs of internal audit teams.

The new standards are aimed at accounting officers, audit committees and others who influence the scope, resources and remit of internal audit. While risk and control failure cannot be eradicated completely at all times, these new standards help them shape their internal audit function to be a more effective tool.