The role of internal audit within a business has undergone dramatic changes in recent years. Today, internal audit activities are considered tools for value addition, in the form of assurer, assessor and advisor.
It is well recognised by many senior business leaders that Internal Audit has an increasingly important role in the overall assessment and risk management of any business, in achieving its business objectives and as an advisor to the business and its key stakeholders. Internal auditors are now expected to play a key role through the provision of guidance to the business to address strategic and emerging business risks. This is particularly evident in the wide range of audit activities now undertaken by Internal Audit, moving from the standard operational and financial audits to now including business strategy, risk management effectiveness, value for money and governance type audits.
Strategies to achieve Internal Audit Success?
Today, with the evolution of audit activities from assessing oversight to delivering insight and foresight towards a business’s functions and performance, internal audit has become a competent tool of value addition.
Whilst assurance will always be the primary function of internal audit, advisory services are essential in enabling a business to implement effectively and efficiently run processes.
It is therefore essential that Internal Audit is perceived to be proactive in providing strategic advice so that it becomes a trusted advisor and not just a watchdog to the business. This can be achieved by the following strategies which are discussed in further detail below:
- Aligning the goals of Internal Audit with the Key Stakeholders
- Regular reporting and the use of KPIs to report progress
- Assuming a leadership role in coordinating the second and third lines of defence
- Building a high performance team
- Investing in technology
- Becoming a Trusted Advisor to the Audit Committee and Executive Management
1. Aligning the goals of Internal Audit with the Key Stakeholders
Internal audit covers every aspect of the business from the boardroom to the frontline. Such a broad landscape makes it increasingly likely that gaps exist with stakeholder expectations – whether with regard to the audit plan coverage or the necessary subject matter expertise.
It is well recognised that internal audit is most effective when it is focused on the critical risks to the business, including key operational risks and related controls and not just compliance and financial reporting risks.
Setting the tone with stakeholders is key and an Internal Audit Charter should be utilised to establish priorities and expectations.
In order to improve alignment and expectations with key stakeholders it is essential the internal audit team present a strategic internal audit plan for a three to five year period (where possible) which should cover both the financial and non-financial strategic and business risks. It is important that this document is kept ‘live’ and is revised on an ongoing basis as different risks and business issues emerge.
It is also important that the plan shows that there will be a reduction in assurance services and an increase in advisory services as the internal control structures permit. It is important that the Internal Audit team can demonstrate in detail how these services will be performed and how they link into the company’s business plan.
2. Regular reporting and the use of KPIs to report progress
Once stakeholder expectations are identified, Internal Audit should develop Key Performance Indicators (KPIs) that report on the value being delivered on a timely basis. Some KPIs that can be considered, depending on the focus agreed with stakeholders, include the following:
- Business coverage (what has been audited/not audited over an agreed period);
- Stakeholder feedback on the quality of internal audit;
- The significance of the findings using a pre-determined grading system;
- Rate of clearance of issues raised and level of overdue issues;
- Length of time post completion of work to when the reports are issued; and
- Number of performance improvement opportunities identified by Internal Audit and adopted by management
3. Assuming a leadership role in coordinating the second and third lines of defence
Underpinning all value discussions are great stakeholder management, excellent communication and the development of trust between Internal Audit and the stakeholder group. This also creates an open, constructive environment in which Internal Audit seeks feedback and continues to look for opportunities to improve and add greater value.
It is important that the key stakeholders have a detailed knowledge of the three lines of defence which are:
- Management controls within the business
- Risk management and
- Internal audit
It is also important that there is sufficient clarity between the roles and responsibilities of internal audit and the business's management risk, compliance and control functions. Insufficient clarity can lead to inefficiencies, duplication of effort or gaps in coverage.
Internal audit can take a key step towards enhancing its value to the business by improving cooperation and efficiency amongst these lines of defence.
By establishing distinct roles for each and in an effort to improve collaboration, businesses can vastly improve their ability to identify and manage risks across the full scope of their business. Most importantly they can minimise gaps in coverage, avoid duplication and deploy resources more efficiently.
The key to implementing this will be to:
- Involve frontline operational personnel in the identification of potential risks;
- Hold regular meetings with internal audit and risk management groups in the first and second line to share information and align key risks; and
- Create an integrated view of risk across the business.
4. Building a high performance team
Businesses need to have the right resources to audit strategically.
There are four main approaches internal audit can take to attract and retain the right capabilities:
- Internal Auditor rotation program – this allows internal auditors to rotate to other positions within the business for a period of time
- Guest Auditor Program – this provides an opportunity for high performing employees from other parts of the business to gain internal audit experience, providing the function with specialised skills that may reside in other parts of the business
- Third party service provider – use a third party professional services firm
- Recruitment – auditors today are required to have advanced skills, superb analytical skills as well as problem-solving skills.
5. Investing in Technology
Internal audit functions are utilising technology as a way to improve productivity and the business's overall risk management process. Technology can help automate activities, such as ongoing monitoring of certain internal controls, and thereby free internal audit professionals to lend their expertise to their businesses in other high-impact areas.
One of the most significant changes is the extent to which the profession has recognised the importance of data analysis and automation of audit and control testing procedures through continuous auditing and monitoring. While the use of general-purpose software to support internal audit has undoubtedly created efficiencies, it has not changed the fundamental approach to auditing. On the other hand, data analysis technology has caused fundamental changes in audit’s approach by allowing entire populations of financial and operational transactions and other data to be comprehensively tested and, where appropriate, to be analysed close to real time on an automatic basis.
It is therefore important that sufficient investment is made in technology. Efficiencies created by the use of technology and by integrating data analysis and continuous auditing into the audit process also mean that the audit department is better positioned to complete its audit plan, which can be a significant challenge for many internal audit departments.
6. Becoming a Trusted Advisor to the Audit Committee and Executive Management
Given the role of internal auditors, they are well placed to develop advisor relationships with stakeholders and, more importantly, to educate them about emerging risks and mitigation activities. As part of their role, it is essential that they are actively involved in the business and that, when new changes are being considered, Internal Auditors are the business's first choice to perform a real-time risk assessment, so as to develop the ‘advisor relationship’.
In order to ensure alignment with the goals and objectives of Executive Management and the Audit Committee it is essential that Internal Audit meet them regularly to assess risks and to develop the advisory relationship.
In response to the increased role and challenges of Internal Audit, we are seeing an increase in companies partnering with professional firms to deliver this role, as it can be more efficient and cost effective. Doing this allows companies to meet the challenges of their business while leveraging a broader skill set when and where needed.