Solution Briefs
Understanding, experience and technology for success

 

Effective Internal Audit Management

Get the flexibility and end-to-end functionality you need

With economic slowdown predominating throughout this year, the boards and audit committees are focusing to leverage the internal audit function to mitigate a wide array of risks associated with liquidity, cash management, and market volatility. Auditors today need to vigilantly track the company's debt situation including debt maturities, access to capital markets, and the impact of the recession on the company's supply chain and distribution channels. The pressure to maintain performance and meet expectations during the economic downturn has necessitated corresponding increase in the knowledge, skills, and expertise of internal audit professionals.

Internal auditors are expected to maximize the assurance provided to the Board, the Audit Committee and Management, and contribute to the continuous improvement strategies of the organization without impairing its objectivity and independence. Internal auditor’s role involves providing guidance and expertise in areas including, but not limited to, corporate governance, ERM, fraud policies and prevention, and information technology systems, in addition to the traditional area of internal controls. Audit departments are realizing that paper-based systems, software point solutions, and electronic processes are inadequate to handle the rising number and types of audits.

The MetricStream solution for Internal Audits provides dependable automation and protection from risk management perspective and regulatory standpoint. The solution ensures effective compliance, creates opportunities for cost savings, brings operational efficiencies and above all, gives the true status of a company’s exposure to risk.

Internal Audit Management - The Challenges

A survey by Ernst & Young titled 'The Shifting Internal Audit Landscape' reveals that:

Stakeholder expectations are increasing with greater focus on enterprise-wide risk assessment and business and operational risk.

In implementing enterprisewide risk assessments, as well as covering of key risk areas, there is an opportunity for Internal Audit to improve coordination
with other risk management groups within the company.

There is an opportunity for Internal Audit to better leverage technology and knowledge collection and sharing tools to improve effectiveness and
efficiency significantly.

The current business environment has turned the spotlight on the role that a robust internal audit system must play within the larger drive towards effective governance, risk, compliance and quality management. An internal auditor has to work as a savvy in-house cop who not only reports problems, but also gives constructive suggestions to line managers about how to
improve the performance of the business. As a result, the internal auditing and corporate control environment are receiving increased attention and resources, necessary to comply with the regulations.

Despite the increased exposure and buy-in from executive management, internal audit departments face many challenges. A few of them have been discussed below:

Immature Implementation of Risk Strategies: The credit crisis and resulting uncertain economic conditions have forced organizations to scrutinize their risk exposures in greater detail. Most of the organizations, however, support perfunctorily developed risk management strategies. According to a survey of audit committee members attending the 4th Annual Audit Committee Issues Conference , 44% of conference attendees said that their company's processes to identify significant business risks need improvement, and 18% said the risk reports that management provides to the audit committee are not meaningful/useful. "Audit committees are taking a hard look at risk management processes, with a particular focus on the quality of risk inventories and assessments, as well as the usefulness of management's risk reports," said one of the directors at the conference. He says, "Key challenges include identifying risks early-on, and maintaining a 'big picture' view of the risks facing the business."

Top-Down View: A careful analysis of frauds, which led to the genesis of SOX legislation, exposed major weaknesses in the top management and the control environment. This put spotlight on internal auditors to view the business from the top-down, and increase scope of reviews at corporate offices. The purview should not only include day to day transactions, but specific monthly, quarterly, and yearly management processes that strongly influence the financial statements.

Complex Financial Disclosures: The board shoulders the ultimate responsibility for the integrity of the corporation's financial disclosure. The challenge for internal auditors is to identify if there are discrepancies in company’s financial statements, confirm whether they are abiding by the financial reporting standards, verify whether sufficient controls are in place, and affirm whether shareholders or potential investors or lenders have sufficient information to make informed decisions. The Management is responsible for a fair presentation of the financial statements but the internal audits department must ensure that the financial statements do pass the litmus test.

Complex Business Models: The board and management are responsible for ensuring the integrity of the business, while the internal auditor is responsible for validating, directly or indirectly, whether the company's business model is sound. Internal audits confront issues like: “Will the company be able to survive, or compete in the market?” “Does it adhere to sound business practices?” “Does it have appropriate place for risk management and corporate governance programs in organization?” Moreover, with communication shrinking the world, and global economies growing ever more intricately connected, organizations operate in a far more complex fashion than before. This increases the potential for negative circumstances like inconsistency in enforcing audit processes across business units, erroneous data collection, and various gaps that result from isolated silos of information. It is difficult to gain the comprehensive visual map of the entire business, essential to effective management of risk, governance, compliance and quality issues. The audit lifecycle can often meet a variety of roadblocks that drag deadlines and jeopardize the quality and legal safeguards.

Growing Regulatory Guidelines and Compliance Demands: The global regulatory environment is in an arena of constant change. Stipulations and guidelines are regularly reviewed and refined to retain their effectiveness. Very often, different countries may have distinct recommendations or legal expectations that can complicate the role and consistency of internal audit process across a geographically spread enterprise. Whether it is ISO, SEC or SOX guidelines, companies are now expected to proactively initiate internal, IT-enabled enterprise-wide audit solutions that ensure compliance.

Risk Quantification: Risk is an integral part of any endeavor. The risk management unit and the risk management committee are responsible for risk management, but it is the internal auditor's task to ensure the risk management program works. An effective internal audit management system depends on the ability to build process cycles against an accurate matrix of assessed risk. However, given the dynamic regulatory environment and the complex inter-connectedness of business functionalities, it is often extremely difficult to assess the multi-faceted nature of business risk.

Governance: An ideal corporate governance framework consists of seven entwined elements: the board and its committees, legal and regulatory concerns, business practices and ethics, disclosure and transparency, ERM, monitoring, and communication. It is the task of internal auditors to review each of these elements, and report their findings on a scorecard, rating their maturity along a scale as "compliant", "developed", or "advanced." At the outset, the CAEs need to review key organizational documents such as articles of incorporation, board and committee minutes, the annual report, investor relations policy, code of conduct and ethics, shareholder rights, and board calendar of events.

According to PwC research, internal
auditors will be sharpening their
focus on continuous auditing between
now and 2012 in an effort to
streamline the audit process. As risk
assessments and risk monitoring
assume a more real-time dimension,
audit timing will become more
dynamic. Audits will be conducted on
an as-needed basis, triggered more
by changes to organizational risk
profiles than by set plans.

Tone- at-the- Top: Top-to-down ‘buy in’ for internal audit is something that can only be achieved when the leadership of the company is sensitized to and convinced of the vital impacts it has on compliance, quality, business continuity, and operational profitability. Internal auditors should work closely with the audit committee to establish the audit department's responsibilities, and the board and management should support those duties. However, internal audit processes can sometimes be ignored by the top management, who may chose to focus time and resources on areas they deem to be more pressing to bottom lines.

Monitoring and Oversight: Most organizations expect internal audits department to provide additional input to management, the board of directors, and the audit committee in form of monitoring and oversight; ensuring compliance monitoring and enforcement of essential requirements. To address the issue of weaknesses in oversight programs, the department needs to establish the minimum standards for monitoring compliance and risk management programs. These standards should address compliance monitoring activities; technical assistance; enforcement; and documentation, analysis, and reporting of results. Stiff penalties for non-compliance have prompted employers and employees to take a proactive approach to reduce the risks of fraud within their organizations. With an increase in awareness and interest in corporate governance, the audit function faces rise in the number of special requests.

In addition to this ascend in demand for services, implementing a system to evaluate and prioritize the nature and timing of reviews will provide an additional challenge for businesses and their audit function.

The survey by Ernst & Young ('The Shifting Internal Audit Landscape') reveals that when asked how they expect their Internal Audit function will expand the use of leading practices and benchmarking data to support audit activities, 47% of respondents indicated that they maintain a library of leading practices. Thirty-six percent indicated that they maintain industry-based business rocess models.

Information Sharing and Communication: Although some companies, primarily in financial services, incorporated the COSO (Committee of Sponsoring Organizations) framework model into their audit process over a decade ago, many companies are still working towards implementing COSO or a similar model into their organization. The length of COSO implementation should be reduced by sharing information and communicating throughout the industry. Organizations assist each other by sharing experiences and lessons. It would also be advantageous for boards and executive management to drive the implementation of such a model throughout the business. This should provide those who lag behind with a better perspective on risks and controls and what areas need to be considered in the everyday conduct of business to allow employees to take a proactive approach in enhancing the control environment.

Progressive companies are increasingly seeing the answer to these challenges in a unified approach that integrates the audit cycle within closed loop systems and affords end-to-end functionality across the board.

Overcoming Challenges
To address the rising expectations of chief stakeholders, internal audit needs to find new ways to deploy its risk and control-based skills to help the organization achieve its strategic objectives and enable value creation. That effort extends to activities such as:

Board of Directors and Senior Management Oversight: Internal Auditor’s assessment of the role of the top management in overseeing a company’s efforts should address objective considerations, such as whether the necessary resources (people and otherwise) and tools have been dedicated to the compliance and risk management effort, whether the tone-at-the-top is inclined towards having tighter internal controls, and whether the board of directors and senior management, through their words and actions, are communicating the importance of risk awareness across the company. This also includes instituting communication channels, including a whistleblower hotline to encourage reporting of compliance issues and risk concerns. Here the internal audit department should evaluate the processes in place to establish and enforce accountability for compliance deficiencies. If evidence suggests that there are discrepancies in internal controls and risk management structure, this should be a cause for concern.

Risk Identification and Assessment: The audit should examine whether the risk assessment process synchronizes with latest changes in the organization, addresses all activities conducted by the company, includes all applicable regulatory requirements, and documents the methodology used to conduct the risk assessment.

Role Accountability and Responsibility: During this part of the evaluation, it is important to consider the credibility, qualifications, and experience of key personnel who have been assigned the critical tasks. Internal auditors are charged with the responsibility of assuring the board of directors that management, financial systems, and processes are working effectively. In all other matters, the CEO represents management to the board of directors. However, in this case, the CEO belongs to the group that is being audited, so it is important for the internal auditors to have direct reporting channels to the board.

The audit should examine the plan these individuals have developed for directing the company’s Compliance effort. This plan should be updated on regular basis, should set forth the goals of compliance and its tactics, including monitoring, training, policy and procedure review and updating, for realizing these goals.

Policies and Procedures: Internal Auditor’s assessment should focus on the company’s process for ensuring that policies and procedures are comprehensive, reviewed and updated on a periodic and reasonably frequent basis as well as accessible and understandable. This should also verify that the company has a process in place for communicating important changes between periodic updates. In forming this assessment, internal auditors can test the process by selecting a significant and relatively new regulatory requirement and determining how effectively and efficiently the requirement has been incorporated into policies and procedures and communicated to affected personnel.

Internal Controls: Consideration of whether or not there is a system of adequate internal controls should be second nature to any internal auditor. The considerations are much the same as they would be in any other auditable area: separation of duties, access limitations, second review processes and proper documentation of review and approval, etc. Another consideration would be whether the controls are manual or automated. Where internal controls are manual, internal auditors need to inspect whether the controls are addressing the requirements of the organization. On the other hand where they are automated, the internal auditors need to confirm that the workforce understands the technology.

Self-Monitoring and Remediation: Internal auditor’s evaluation of a company’s self-monitoring and remediation activities should begin with verifying that the monitoring program incorporates requirements specifically mandated by laws or regulations, and that it is appropriately aligned with Compliance’s risk assessment.

Reporting and Record Keeping: IA should also review how the company manages the myriad of reporting and record keeping requirements faced by financial services companies. This requires validating that all such applicable requirements have been identified, responsibilities are assigned, and controls are put into place to ensure required information is retained and retrievable for prescribed periods.

Need of the hour is an internal audits framework that provides a strategic model, for internal auditors and stakeholders, to understand the elements necessary to achieve a high quality and effective internal audit function.

Internal Audits Framework
Ever growing complex regulations have had significant implications on Internal Audits function – changing the environment within which the rules for security, reliability, and permissible margin of inaccuracy were formed. Internal auditors, today, need to adopt an integrated auditing approach while evaluating the internal controls, processes and procedures of an organization. The COSO while defining internal control, in its report titled “Internal Control- Integrated Framework”, emphasized on the role of internal audits to help management monitor the control system and make them aware of its strengths and weaknesses. It holds internal auditors as a form of internal control that functions by evaluating other forms of internal controls. Similarly there are other generic frameworks that internal auditors can use to determine the scope of the audit, including: the Federal Sentencing Guidelines, the Basel Committee principles on compliance (as documented in its publication entitled The Compliance Function in Banks), in addition to general guidance published by various other sources. While none of these frameworks is identical, there is a high degree of commonality among them suggesting a number of key program elements that should be included in an effective internal audit program. Each of the following is a key area to address:

Structure and Resources: Before embarking upon the auditing process, internal auditors establish the structure of the internal audit function and assess the key internal audit personnel to be audited, and their respective roles and responsibilities. Where the function is outsourced, the focus includes the terms of the outsourced arrangement and how this is monitored.

Independence: The board should ensure that the independence of the internal audit function is maintained. The internal auditor should maintain dual reporting relationship to management and the organization's most senior oversight group. The internal auditor should report to executive management for assistance in establishing support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability.

Approach: The approach taken by internal audit should be clear and may be one, or a combination of risk-based focus on the high-risk areas of the institution; and review-based focus on reviews of various parts of the institution. The board should endorse the approach and it should be scalable to future change, such that it adapts agilely to issues requiring internal audit involvement.

Segregation of Duties: Segregation of Duties ensures that no one person is solely responsible for the entire process end-to-end, without effective checks and balances. For example, key authorization processes should have appropriate checks and balances. The person, who documents the transaction, should not be the same person who conducts the transaction. These simple checks and balances ensure effective controls and reduce organizational error rates.

Policies and Procedures: Written policies and procedures codify management's criteria for executing an organization's operations. They document business processes, personnel responsibilities, departmental operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures serve as effective training tools for employees. Having a documented repository of your standard operating procedures at the operational, financial, manufacturing unit levels, ensures consistency of processes and reduces audit failures.

Internal Audit Plan: The internal audit plan, which usually details the proposed internal audit work for the next 12 months, should be documented and endorsed by the board. Importantly, the plan should be consistent with the type of approach to be taken and should be adequate for the scale and complexity of the institution’s operations.

Audit Data: The internal audit should capture audit-related data on a single database for the entire enterprise, so that all data mining, benchmarking, and trend analysis processes are significantly improved.

Reviews and Approvals: When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was done. Review and approval are controls that help management gauge whether operational and personnel goals and objectives are being met. In this time and age of emails and web technologies, it is easier to document your approvals if you can refrain from verbal approvals and use electronic methods to approve key policies and processes.

Reporting: Internal auditor should report findings to the Audit Committee (or board) regularly. Serious issues should be elevated to senior management and the Audit Committee (or board) without delay. The reporting infrastructure is not just a way to create visibility into the status of key processes and activities, it also enables the management and the auditors a way to get possibly real-time visibility into the key indicators of your organization. Reporting of key Corrective Actions and Preventive Actions, Process KPI's, employee training status to key processes, supplier and partner scorecards, quality maintenance reports on critical equipments and plants is a simple example of a well-designed management reporting system.

MetricStream Solution
The MetricStream's Internal Audit Management solution is a comprehensive application designed to help companies manage a wide range of audit-related programs, data and processes. It provides flexibility to support all types of audits - internal audits, operational audits, IT audits, supplier audits and quality audits. The solution provides end-to-end functionality for managing the complete audit lifecycle including risk assessment, audit planning and scheduling, development of standard audit plans and checklists, field data collection, development of audit reports and recommendations, review of audit recommendations by auditees and management and implementation of audit recommendations and remediation.

Audit Planning: The MetricStream’s Audit Management solution helps you create an audit program with a well-defined objective and scope tied to quality, compliance and risk management processes. By virtue of the solution, auditors can organize an audit in a logical structure and hierarchy with detailed audit templates and work orders. The solution also helps organizations define evaluation and pass/fail criteria, checklists, and tasks that need to be performed for executing the audit periodically or on an ad-hoc basis. Based on the master audit calendar, you can select the auditor or a team of auditors and assign the audit responsibility to them with a due date. Automatic notifications are sent to the auditor as well as the entity to be audited.

Audit Execution: The MetricStream solution enables auditors to record qualitative or quantitative findings along with detailed observations and recommendations in predefined formats, alongside the checklist of evaluation criteria and questions. A unique offline capability allows auditors to enter audit findings in notebook computers or handheld devices at remote field sites even without the access to the corporate network. They can later on synchronize the data with the central repository while accessing the network. The audit managers can track the status of the audit, and measure the progress against milestones to ensure timely execution. Time tracking capability captures the time spent in auditing for optimal resource utilization.

Audit Review: The MetricStream solution helps you route audit findings, observation reports and auditors’ recommendations for review and subsequent actions. The audit findings are sent to the audited entity to seek response on findings or issues observed. The solution has built-in workflows for reviewing responses for approval or rejection with the options to initiate remedial actions for undesirable variations and trends, as well as to schedule follow-up audits.

Reports and Metrics: The MetricStream solution provides comprehensive capabilities for compiling audit reports and work-papers. It provides complete visibility into the audit process with easy status tracking. The solution allows access to all audit data and histories, as well as analysis of auditor performance and audit results. Graphical executive dashboards and flexible reports with drill-down capability provide statistics on a variety of parameters such as by audited entities, audit schedule and calendar, finding reports, and corrective and remediation actions triggered.

Risk Assessment: The MetricStream solution allows the Audit Management department to integrate with the risk management solution and supports assessment of risks based on parameters such as severity and likelihood of occurrence for calculating the risk index of a finding. The solution supports risk assessment and computations based on configurable methodologies and algorithms giving auditors a clear view into organizations risk profile.

Alerts and Notifications: The MetricStream solution extensively utilizes email as a mechanism for delivering event-based notifications, assignments, alerts, and escalations to ensure timely completion of tasks.

Security and Access Controls: The solution provides multi-level role-based access controls, essential for companies with multiple locations, product lines, and business units.

CAPA/Remediation Management: The MetricStream solution provides seamless integration with CAPA/Remediation Management solution for observations and findings that require a remedial corrective action plan. Once issues are identified, documented and prioritized, a systematic mechanism of investigation and remediation is triggered by the underlying workflow and collaboration engine.

Reports Wizard: In addition to the standard reports available in the solution, the end-users can build custom reports using the simple Reports Wizard without any programming. The solution also supports automated generation of reports in standard file formats