Almost every organization, regardless of industry, faces business challenges as a result of economic fluctuations, the pace and volume of regulatory change, and the accelerated growth of risks. An effective audit program helps to ensure that business operations are conducted within the boundaries of both the organization and the regulatory bodies that govern it. Further, a well-designed and well-executed audit function supports an organization's ability to confront challenges appropriately, and exploit opportunities effectively. And it is here that the internal auditor plays a key role.
Today, internal auditors are in a direct position to advise the board and management on opportunities to navigate through risks and challenges to achieve organizational objectives. With this in mind, at every step of the audit process, the underlying question the auditor needs to ask is: What could impact the organization so significantly that the board would have to get involved, and is management addressing those risks appropriately?
The primary mandate for any organization implementing an effective internal audit framework is to follow the IIA standards and guidelines. The IIA's international standards for the practice of internal auditing provide the cornerstone for an audit framework. The IIA offers substantial resources that consolidate its standards, the International Professional Practices Framework (IPPF) being one of them. Many other resources help internal auditors keep their audit programs in line with best practices while also monitoring adherence to the policies and principles that require compliance.
Planning well for an internal audit program is another important aspect that helps build a successful audit framework. The auditor needs to communicate a clear plan for the audit program, including the intricacies of each step, to senior management, while keeping in mind the strategic directive of the company, so that the audit program contributes to overall business success. The planning phase defines the components of the audit program:
"Begin with the end in mind" is a Stephen R. Covey fundamental. Determine the end results to be achieved, and use that information to direct audit efforts, IT efforts, and business efforts. Having a goal contributes to sustainable success. An effective auditor determines goals through a process-driven effort that focuses on results:
The scope forms the crux of audit planning, and defines the extent of the audit program within an entity and the organization. When planning the scope of an audit, auditors need to have a good knowledge of:
And to understand an entity, auditors must also determine:
The board and management need to periodically evaluate the operating effectiveness of the organization. These periodic evaluations are a supplement to the day-to-day monitoring of responses and control activities, and provide for more in-depth analysis of the entity's operating effectiveness, as well as an opportunity to consider new practices and technologies to enhance the entity.
The objectives of an audit program vary across entities and organizations. Specifying objectives for each entity allows the audit program to align with business needs, and drive tangible value in results. For instance, the objectives of a GRC audit program might include:
Likewise, the audit objectives for IT projects may include:
Risk-based audit planning has been a cornerstone of the professional standards for many years, and organizations are increasingly recognizing the cost-benefit value of such an approach. In today's dynamic risk environment, auditors have realized that an efficient audit risk assessment activity holds the key to an organization's success.
The audit risk assessment helps to ensure the audit program and specific tests to be performed are appropriate and tied to areas of identified risk exposure. A risk assessment should also help ensure that risks are understood. Key risk factors to be considered might include:
To support the continuous improvement of the internal audit program, a well-defined audit function will include reviews and programs that help monitor the progress and effectiveness of the program. Two of the most widely known practices are:
There are six steps to be considered when completing the post-audit review:
The QAIP is a means to systematically improve internal audit practices and results. It enables an evaluation of the internal audit activity's conformance to the "Definition of Internal Auditing" and the "International Standards for the Professional Practice of Internal Auditing," as well as an evaluation of whether internal auditors apply the "Code of Ethics." The QAIP also assesses the efficiency and effectiveness of the internal audit activity, and identifies opportunities for improvement to add value to the audit activity and improve organizational operations.
Proper attention and support from senior management and the board are evidenced through oversight, due diligence, and engaged involvement in relevant aspects of the audit program.
Pressures are mounting on internal auditors to provide risk assurance, and mitigate risks along with managing audit processes. Effective use of technology can help internal auditors implement an integrated and automated audit framework that enhances the efficiency, effectiveness, and quality of operations. Here are some ways in which internal auditors can leverage the use of technology:
Internal audit's highest value to the organization may very well be its independent vantage point from which to identify key risks, and gauge how well management is addressing these risks. Given the landscape of growing regulatory pressure and dynamic compliance expectations, internal auditors need to employ best practices to streamline auditing processes, and deliver insights for sustainable organizational success.
Technology needs to be utilized in the right way for an integrated, top-down, and risk-based approach to the audit program that brings down operational costs. Fundamentally, internal auditors need to adopt risk-centric mindsets, and conduct the business of audit in a risk-oriented manner, to remain key players in the overall business of risk assurance and risk management for their organizations.