FOCUSING THE INTERNAL AUDIT FUNCTION ON VALUE CREATION
Traditionally, internal audit (IA) has served as the independent eyes and ears of boards and management in terms of risk oversight and compliance. But given the deluge of risks companies now face along with continuously evolving regulations, there is an opportunity for IA to move beyond its scouting role and serve as an integral part of the team for identifying and combating enterprise risk. Given its cross-functional lens, IA is in a position to do just that. However, effectively leveraging innovative techniques, such as data analytics and predictive modelling, to identify emerging risks and allocate resources to maximise coverage. In addition, IA needs the support of management and the audit committee to move to a higher-value role and the talent to deliver more than customary audit findings.
The benefits of a highly evolved IA function are multiple. With IA, process costs are not inexpensive, so extracting greater value from such an investment is paramount. Moreover, since many chief audit executives still report administratively to the CFO, it behoves finance to equip the function with capabilities to deliver more-informed audit reports.
Internal audit has undergone several evolutions in recent years. In the mid-2000s, corporate adherence to the Sarbanes-Oxley Act increased demand for many internal auditors—and their focus on compliance testing and financial controls. Since then, many companies have tended to see it as both a risk and a business consulting function. Two forces are pushing the transformation forward.
As in most areas of an organisation, new technologies are increasing the speed of delivery and allowing better insights. In IA, technology is expanding the impact of audit findings through, for example, data visualisation. In addition, other techniques are making reports more timely and accessible. Team collaboration tools have become much more powerful, facilitating rapid and effective communication among team members. As an automated approach, continuous auditing enables auditors to continually gather critical data that supports and enhances the audit, rather than the historical norm of examining limited samples. That means executives can pinpoint and act on issues in real-time instead of inferring potential problems based on aged data.
The data captured by new technologies can help IA and the business know where the risks are, prioritise them, and better focus audits and management’s efforts to mitigate risks. Advanced analytic and data-modelling techniques that use self-learning algorithms can automatically categorise anomalies within a wide range of variables to identify higher-risk audit entities. Analysis of this nature can then help direct audit activity toward areas of most significant risk.
STRENGTHENING THE VALUE OF INTERNAL AUDIT
When it comes to IA, specific attributes are table stakes. For example, one of the internal audit’s main jobs is to execute a robust risk-assessment process that drives its audit process and resource allocation. And it is the audit committee’s job to ensure IA is appropriately funded and resourced as effectively as possible. But there are questions CFOs can ask to help guide IA to becoming a more value-creating function.
Have the audit committee, senior management, and Internal Audit reconciled their expectations for internal audit?
IA can’t evolve into a higher-level organisation without support. If the board wants IA to focus solely on financial controls and compliance, and management wants it to focus on finding process improvement, there is obviously a role gap. Consequently, it is crucial to clarify the role through direct dialogue so IA knows how much of its time and resources to focus on basic block-and-tackle versus consulting-type activities, such as emerging risks and efficiencies.
Are internal audit personnel experts in their field, and can they proactively consult on internal controls and risk management?
With the introduction of Sarbanes- Oxley, IA specialists became some of the most sought-after talents in the business. But to add additional value, IA needs to team with others in risk management, including legal and IT, to monitor whether management is tackling risk-mitigation plans proactively. In addition, IA has to have the flexibility—and the resources—to bring in appropriate specialists to supplement their teams as needed.
Is the internal audit process designed to identify whether the organisation is controlling those critical areas and not just what is easy to control?
Because IA is one of the only functions with a companywide perspective, it can access all aspects of the organisation and identify anomalies. By working closely with finance and the business units, IA can prioritise which risks to deal with first and create resource allocation plans to ensure that the most significant risks are properly mitigated
Is internal audit focused on the right risk areas?
The internal audit team should go beyond focusing primarily on financial reporting risks and evaluate current and prospective risks, including strategic, reputational, operational, financial, legal, IT, and compliance risks.
How does internal audit relate to, and interact with, other risk-related functions, such as Risk Management
To truly create value, IA must work cross-functionally with the right subject-matter specialists related to the particular risk. In addition, IA needs to be aligned with the executive team, the chief risk officer (if the organisation has one), and the overall risk management organisation. Where IA focuses on assessing the robustness and effectiveness of the organisation’s programs around risk, teaming with the appropriate risk function can lead to more-holistic audits and better risk mitigation.
Is the internal audit department viewed as objective and competent by management and the independent auditors?
AI’s internal reputation and effectiveness can be enhanced through effective technology. For example, new forms of communication that capture the company’s most significant risks on one page will be embraced by both boards and senior executive teams. They want to know the substantial risks and which ones to act on, not a 30-page report filled with details that get in the way of action. Working with an IA organisation that roots out and controls emerging risks for external auditors can lead to more efficient audits and better working relationships.
CHOOSING TO BE VALUE CREATING
In Internal Audit, delivering audit “findings” has typically been a measure of success. But preventing those findings from occurring in the first place should be just as valued. However, getting to that mindset requires more than leveraging technology and data to better partner with finance; it also requires added IA skills and sometimes a culture shift.
Specifically, to be a command centre for risk, IA has to add the necessary modelling and analytical skills to its working knowledge of internal controls and risk management approaches. In addition, IA professionals need to move out of their comfort zone and focus on identified risks and resolve not to be satisfied with average performance. Moreover, finance and the audit committee should expect IA to perform at a higher level and equip it with the resources and the mandate to do so.
Audit committees and senior management rely on internal auditing for objective assurance and insight on the effectiveness of risk management and internal control processes. Armed with their support, IA can better partner with finance in identifying and mitigating key enterprise risks.
You can find more articles on our website, at Phundex Resources, on LinkedIn at Phundex LinkedIn, or for other questions, please email us at: firstname.lastname@example.org.
To book a demo or do a trial, you can either use the link on our website or email email@example.com and they will be happy to set it up for you.