This article talks about the five key best practices for internal auditors to successfully meet stakeholder expectations, and drive exceptional business performance in their organizations.
Gone are the days when internal audits were limited to annual assessments of operational and financial controls alone. Today’s internal auditors are expected to do more – to step out of their comfort zones and provide assurance on a range of new and emerging risks, while also delivering timely insights to guide key strategic decisions. Stakeholders are increasingly relying on internal auditors to help them navigate the choppy waters of rapidly changing regulations, large-scale data breaches, complex global business ecosystems, and geopolitical uncertainties. How internal audit responds to these expectations will determine their success, relevance, and value in the coming years.
With that in mind, here are 5 best practices for internal auditors to successfully meet stakeholder expectations, and drive exceptional business performance in their organizations:
We live in a world where risks are changing at an incredible pace; where events that might not have been foreseen a year ago have become a reality. Consider the unprecedented vote by U.K. citizens to exit the EU, the bitter and deeply divided political battle in the U.S., the simmering refugee crisis in Europe, or the increasing cyberattacks against critical infrastructure.
For internal auditors, these developments are a strong reminder that risks need to be constantly reassessed, and audit plans revised to reflect the changing risk environment. While risk identification is ultimately a management responsibility, auditors would do well to stay informed on the new and emerging risks that would hinder the achievement of the organization’s objectives. They must be able to provide assurance that existing risks, as well as the big risks around the corner, are being properly controlled. Achieving these objectives calls for continuous, risk-based audits.
For the board and management, it can be frustrating and confusing to receive multiple reports from various assurance functions, each addressing similar risks and issues, but talking in a different risk language, and providing different recommendations. If internal auditors are to truly add value, they must collaborate and communicate more effectively with the second line of defense, working towards a holistic, integrated view of risk and compliance. This kind of combined assurance gives stakeholders better visibility into critical risks and opportunities which, in turn, enables them to make better, faster business decisions on how to tackle the changes in the risk and regulatory environment.
PwC’s 2016 State of the Internal Audit Profession Study found that 62% of stakeholders expect more value from internal audit, including half of those who already reported experiencing significant value. Many stakeholders want internal audit to expand its value beyond assurance, and be a more proactive trusted advisor.
While the work of providing assurance is extremely critical, internal auditors are also uniquely positioned to deliver insights that can guide and influence decision-making at the highest levels of the organization. They have the ability to advise stakeholders on important business process improvements, while also alerting management to emerging issues and risks. The key is to focus less on the issues and risks that have already occurred, and instead look ahead to understand where the organization is heading and how its risk profile is likely to change as a result.
The world is rapidly changing, but audit skills are not evolving fast enough. In Deloitte’s 2016 Global Chief Audit Executive Survey, 57% of Chief Audit Executives (CAEs) reported being unconvinced that their teams had the skills and expertise needed to deliver on stakeholders’ current expectations - let alone future demands.
Today’s auditors need to have a broad range of skills that go beyond operational and financial auditing, to include enterprise risk management, regulatory compliance, vendor risk management, anti-bribery, corruption, and even cyber security. Auditors must understand how to not only test controls effectively, but also communicate with a range of stakeholders. Critical thinking, analytics, and technology skills are also important.
Many organizations are addressing these skills gaps in their teams through comprehensive training. Others are hiring new audit professionals, while still others are looking at co-sourcing and outsourcing options.
While internal audit’s roles and responsibilities may be increasing, budgets are limited, and talent is difficult to come by. In fact, auditors often find themselves having to do more with less. Many are turning to technology to simplify and automate manually-intensive audit processes, thus freeing up time to focus on more value-added activities such as risk analysis.
With big data analytics, technology also provides the ability to aggregate and analyze tremendous volumes of data (from both inside and outside the organization), and deliver risk and compliance intelligence in real time. These insights enable auditors to better predict the risks, issues, and opportunities that lie ahead, thereby providing timely advice to the board and leadership team.
Internal audit is faced with an important choice. It can either refuse to evolve and, thereby, fade in relevance. Or it can find ways to reinvent itself and drive greater business value. The successful internal auditors of tomorrow will be those that can keep pace with the risks and changes in the business environment, communicate more effectively with stakeholders across functions, and deliver timely and forward-looking insights that matter to the business. Just as important will be their commitment to continually sharpen their auditing skills and knowledge, and leverage world-class tools and technologies. Achieving these objectives will go a long way towards helping internal audit attain its full potential and become an even greater asset to the business.