Why law firm managing partners need internal auditors
By Louise Fleming, Partner, Aretai Consulting
Most likely, if you are a relatively risk-aware managing partner, you will have your law firm's risk governance pretty much sorted. You will have a board in place which sets out the firm's strategy and articulates clear objectives and your firm's risk appetite. You will have set the tone from the top and be proud of the culture you have instilled in your firm.
What's more, you will have identified the top ten risks facing your business and prioritised them according to their impact and the likelihood of occurrence. You will have reported these risks to your partners and assigned each risk an internal owner for management purposes.
After you completed your risk mapping exercise, you will have identified a number of controls to mitigate the key risks facing your business. And, relying on these controls, you will be satisfied that risks are being managed within your firm's risk tolerance. Job done.
Or is it? On what basis are you relying on these controls?
The theory
A control reduces the impact and/or likelihood of a risk from its inherent position to a residual level. So, a risk that might be high likelihood without controls in place may be reduced to within risk tolerance thanks to the controls identified. There are two key elements to consider:
- Is the control designed effectively? Is the control you are relying on actually going to do the job of reducing risk to an acceptable level?
- Is the control operating effectively? It's all very well identifying a control, but what's more important is identifying whether it is being well implemented. In my experience, this is where many businesses fall down.
So for example, let's say a managing partner has a strategy to grow the business through lateral hires. A key risk to manage would be the recruitment of the best people.
This is done by having a robust recruitment policy that states who should be involved in the recruitment process, the key criteria for screening candidates, which types of interview should be used and how references should be taken up. The first question appears to have been answered: yes, the control is designed effectively. But, is it operating effectively?
The managing partner can wait and find out 18 months down the line, at which point management will realise some recruitment errors took place. The risk will have crystallised and, in the investigation to find out what went wrong, they may discover that the hiring partners were not in fact following the recruitment policy set out by HR and signed off by the board.
Another approach would be to seek some independent assurance that the control is operating effectively from the start and thus avoid putting the firm's reputation, financial results and people engagement at risk. The board could ask internal auditors to test the controls.
Internal audit's role
An internal audit function is absolutely fundamental to a sound system of governance and risk management. In fact, it is hard to see how firms in England and Wales can meet the Solicitors Regulation Authority's Principle 8 without having assurance that controls are operating effectively.
Under the principle, solicitors are required to "run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles".
In a small firm, line of sight over controls is possible without a team of internal auditors. But, in larger firms, internal audit should not be limited to performing file reviews. The role of internal audit should be to test the internal controls that are in place to mitigate the key risks faced by the business. The scope of internal audit's remit should include everything from reputational to financial risk, from client service to information security.
Using the Chartered Institute of Internal Auditors' definition, "the role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively".
And so, internal audit is not about inspection or trying to catch people out, but is focused on protecting the business by providing board members and senior management with risk assurance that helps them to fulfil their duties to the firm and its stakeholders. If internal control processes are not operating effectively, internal audit can identify gaps and work with management to recommend control improvements.
Managing partners need an internal audit function because, without one, the governance job is only part complete. An effective risk governance framework encompasses risk, control, monitoring and reporting. All too often, professional service firms fall down at the monitoring stage.
As managing partner, you may know what your risks are and you may know the controls you need to rely on to mitigate the risks but, without testing those controls, you don't really know whether they are operating effectively in the business. If they are not, the whole governance and risk management framework will be undermined, leaving your firm exposed.
Louise Fleming has 20 years' experience working with professional and financial services firms in business and risk management (www.aretai.net)