The role of internal audit within a business has undergone dramatic changes in recent years, writes Niall May.
Internal audit activities are today considered tools for value addition in the forms of assurer, assessor and advisor. It is well recognised by many senior business leaders that internal audit has an increasingly important role in the overall assessment and risk management of any business; in achieving its business objectives; and as an advisor to the business and its key stakeholders.
Internal auditors are now expected to play a key role through the provision of guidance to the business in addressing strategic and emerging business risks. This is particularly evident in the wide range of audit activities now undertaken by internal audit, moving from the standard operational and financial audits to now including business strategy, risk management effectiveness, value for money and governance audits.
Achieve internal audit success
Today, its evolution from oversight to insight and foresight, internal audit has become a competent and valuable tool. While assurance will always be the primary function of internal audit, advisory services are essential to the effective implementation and execution of business processes. It is therefore essential that internal audit is perceived to be proactive in providing strategic advice so that it becomes a trusted advisor and not just a watchdog to the business. This can be achieved through the following strategies.
Align goals with those of key stakeholders: internal audit covers every aspect of the business from the boardroom to the frontline. Such a broad landscape makes it increasingly likely that gaps exist when it comes to stakeholders’ expectations. This could relate to the audit plan coverage or the necessary subject matter expertise, for example. It is well-recognised that internal audit is most effective when it is focused on the critical risks to the business – including key operational risks and related controls – and not just compliance and financial reporting risks. Setting the tone with stakeholders is key and an internal audit charter should be used to establish priorities and expectations.
To improve alignment and expectations with key stakeholders, it is essential that the internal audit team presents a strategic internal audit plan for a three- to five-year period where possible. This plan should cover both the financial and non-financial strategic and business risks. It is important that this document is revised on an ongoing basis as different risks and business issues emerge. It is also important that the plan demonstrates the potential for a reduction in assurance services and an increase in advisory services as the internal control structures permit. The internal audit team should demonstrate in detail how these services will be performed and how they link into the company’s business plan.
Use KPIs to report progress: once stakeholder expectations are identified, internal audit should develop Key Performance Indicators (KPIs) that report on the value being delivered on a timely basis. KPIs could include:
- Business coverage (what has been audited/not audited over an agreed period);
- Stakeholder feedback on the quality of internal audit;
- The significance of the findings using a predetermined grading system;
- Rate of clearance of issues raised and level of overdue issues;
- Length of time post completion of work to when the reports are issued; and
- Number of performance improvement opportunities identified by internal audit and adopted by management.
Assume a leadership role: great stakeholder management, excellent communication, and the development of trust between internal audit and the stakeholder group underpins all discussions relating to value. It also creates an open, constructive environment in which internal audit can seek feedback and continue to look for opportunities to improve and add greater value.
It is important that the key stakeholders have a detailed knowledge of the three lines of defence, which are: management controls within the business; risk management and internal audit. It is also important that there is sufficient clarity between the roles and responsibilities of internal audit and the businesses management, risk, compliance and control functions. Insufficient clarity can lead to inefficiencies, duplication of effort or gaps in coverage.
Internal audit can take a key step towards enhancing its value to the business by improving cooperation and efficiency among these lines of defence. By establishing distinct roles for each, and in an effort to improve collaboration, businesses can vastly improve their ability to identify and manage risks across the full scope of the business. Most importantly, they can minimise gaps in coverage, avoid duplication and deploy resources more efficiently. The following points will be central to any successful implementation:
- Involvement of frontline operational personnel in the identification of potential risks;
- Regular meetings with internal audit and risk management groups in the first and second line to share information and align key risks; and
- An integrated view of risk across the business.
Build a high-performance team: businesses need to have the right resources to audit strategically. There are four main ways for internal audit to attract and retain the right capabilities:
- Internal auditor rotation programme: this allows internal auditors to rotate to other positions within the businesses for a period of time;
- Guest auditor programme: this provides an opportunity for high performing employees from other parts of the business to gain internal audit experience, providing the function with specialised skills that may reside elsewhere in the business;
- Third party service provider: use a third party professional services firm; and
- Recruitment: auditors today are required to have advanced analytical skills as well as problem-solving skills.
Invest in technology: internal audit functions utilise technology to improve productivity and the overall businesses risk management process. Technology can help automate activities, such as ongoing monitoring of certain internal controls, and thereby free internal audit professionals to lend their expertise to other high impact areas.
One of the most significant changes in this area is the extent to which the profession has recognised the importance of data analysis and automation of audit and control testing procedures through continuous auditing and monitoring. While the use of general purpose software to support internal audit has undoubtedly created efficiencies, it has not changed the fundamental approach to auditing.
On the other hand, data analysis technology has brought about fundamental changes in audit’s approach by allowing entire populations of financial and operational transactions and other data to be comprehensively tested and, where appropriate, analysed close to real time on an automated basis.
It is vital that organisations invest sufficiently in technology. Through efficiencies, the integration of data analysis and continuous auditing into the audit process, the audit department is better positioned to complete its audit plan. This can be a significant challenge for many internal audit departments.
Become a trusted advisor: given the role of internal auditors, they are well placed to develop advisor relationships with stakeholders and, more importantly, educate them about emerging risks and mitigation activities. As part of their role, it is essential that they are actively involved in the business and – when new changes are being considered – internal auditors are the first port of call for real-time risk assessment. This will help internal audit further develop its advisory reputation within the business.
To ensure alignment with the goals and objectives of executive management and the audit committee, it is essential that internal audit meet both groups on a regular basis to assess risks and develop the advisory relationship.
Niall May FCA is an Audit, Advisory and Assurance Partner at Baker Tilly Ryan Glennon.
This article was originally published in the October 2015 edition of Accountancy Ireland.