In Industry Insights

By Sophie Cisler

Internal Audit has long been an integral function in financial services firms, but there is also growing awareness of its value in law firms.

I spoke to Mark Penlington, Head of Risk, Resilience and Internal Audit at Irwin Mitchell to get an understanding of what an Internal Audit function looks like within a law firm, how to develop one and how to persuade your senior management team of its importance.

Mark has over 20 years of experience in assurance and Internal Audit, primarily in financial services and insurance. His expertise spans large and small audit teams, entrepreneurial and highly regulated businesses.

Mark joined Irwin Mitchell three years ago to establish their Internal Audit function and has since taken on leadership of the combined Risk, Resilience, and Internal Audit team. His experience provides a valuable perspective on the evolving landscape of Internal Audit in the legal sector.

So, what is Internal Audit and (how) is it different to general risk and compliance?

Mark explained that Internal Audit is an independent, objective, and systematic assessment of governance, risk, and controls within an organisation.

It involves understanding the organisation’s operations, risk profile, and risk appetite, then evaluating the gap between the desired risk profile and the current reality. Internal Audit supports the business in closing this gap by driving actions to improve governance, controls, and risk identification processes.

Contrary to common misconceptions, Internal Audit’s purpose isn’t to find fault. Instead, it aims to identify areas needing support and provide a mechanism for departments and functions to receive that support.

Sounds familiar?

Of course, much of this will certainly resonate with more generalist risk and compliance professionals. We laugh (or grimace) about the fact that we are brought in to opine on all sorts of areas, including those where no-one else wants to answer the question.

The slight distinction may be that Internal Audit is the proactive business decision to encapsulate, as a foundational part of the overall business strategy, all of the tasks or questions which might eventually fall to the risk and compliance team.

Defining risk appetite

A crucial aspect of Internal Audit is aligning the organisation’s activities with its risk appetite. Internal Audit helps determine if a department or function operates within the defined risk appetite, avoiding excessive risk-taking or overly cautious approaches that can hinder efficiency and customer satisfaction.

In law firms, we talk a lot about the business’ risk appetite in terms of anti-money laundering, for example making it clear that you won’t accept instructions connected to certain higher-risk industries, or maybe from clients connected to certain jurisdictions.

But perhaps the risk and compliance team isn’t always involved in such discussions (if indeed they take place) in terms of other areas of business or strategic risk and how these fit into defining the firm’s overall risk appetite.

Rather, we are often brought in much later in the discussion: how can the business make a certain proposal work, rather than, fundamentally, should they?

Internal Audit swings the pendulum back to the latter question, enabling the risk and compliance team to be involved from the beginning, and at the top level.

Internal Audit in the legal sector

While Internal Audit is well-established in financial services, government, and listed companies (Mark tells me that businesses in these areas will often have large, well-resourced teams, reflecting the function’s crucial role in the business), it’s still developing in the legal sector.

Many firms think about Internal Audit in respect of file reviews only. But the tasks that Internal Audit can perform can and do go much wider.

Developing an effective Internal Audit function starts with understanding the firm’s key risks and strategic goals and working with the senior management team to define the business’ responses to them.

Common risks in law firms include anti-money laundering (AML), sanctions compliance, and data protection. However, each firm should tailor its Internal Audit programme to address its specific risks, including those related to technological transformation, financial processes, and people management. These are areas of risk which are common to all types of business, not just law firms.

Remember: a law firm is a business, so looking more widely into what is called “enterprise risk management” is key. We need to appreciate that there is a huge amount of risk management which is common across different sectors and industries, and seek to learn from these where it can help.

In particular, Internal Audit can provide valuable support in project management and governance.

For some law firms, even thinking about “project management” could be a bit of an alien concept. But it happens all the time. Thinking about opening a new office, changing your case management system, or recruiting someone to spearhead a new sub-speciality of work? All of these are “projects”, and should involve your risk and compliance team from the very beginning.

By reviewing the planning, who sits on the steering and testing committees, and ensuring that decisions are made within the parameters agreed upon, Internal Audit can identify weaknesses and recommend improvements to increase the likelihood of successful implementation.

Does size matter?

Mark is clear: no. Internal Audit is valuable for firms of all sizes. For smaller firms, there might be just the one person who deals with risk and compliance overall. If you’re that person reading this, you might be gulping at the suggestion that your role could possibly become even wider than it is.

For those who specialise more generally in risk and compliance though, embedding Internal Audit might just be a matter of tweaking how the risk and compliance function is seen within the firm, not least by codifying that it is integral to the firm’s risk appetite and therefore business strategy.

So it starts from the top and at the beginning, rather than being brought in later.

For larger firms, there is scope for dedicated Internal Audit teams to manage all the different parts of the business, whether by workstream, location or otherwise. This tracks with a more developed risk and compliance function overall, with specific areas of responsibility in conflicts, business acceptance or AML.

Getting management on board

And yet, we in law firm risk and compliance are well aware that persuading everyone else in the business, particularly senior management, that our function is critical is already a challenge. Can we really make a successful pitch to widen our remit, particularly if that requires further resourcing?

Mark makes the point that Internal Audit is all about identifying and mitigating risks that could hinder strategy execution. Ergo, it’s key to ensuring the business’ success, whether that’s in terms of overall strategy or a specific project.

This should be music to the ears of the senior management team, as well as to shareholders and insurers.

I’m interested: tell me more!

The Chartered Institute of Internal Auditors provides valuable resources for those interested in learning more about Internal Audit.

Mark has also set up a LinkedIn group, The Legal Head of Internal Audit Forum, which offers a platform for discussion and knowledge sharing among Internal Audit professionals in the legal sector.

If you’re not an Internal Auditor per se, but someone who works more generally in risk and compliance, don’t be put off: you don’t have to be an Internal Auditor to join. In fact, Mark is keen to get people from all sorts of professional backgrounds aware and involved. Hopefully, this article shows you that Internal Audit is not reinventing the approach to legal risk and compliance, but perhaps developing, honing and supporting it.

There will be lots to learn, and lots to share.
