Internal Audit (IA) is not a new concept. It has evolved over time from mere audits of financial records, to the identification of fraud and corruption. Today, IA enables governance, risk management, compliance, resource conservation, and data verification and analysis for the entire organization.
With changing stakeholder expectations, newer perspectives on risk management, and demands from the board, senior management, and regulatory authorities, IA has had to evolve to not only enhance operational efficiency and compliance with internal controls, but also enable value preservation and creation.
Current Trends and Challenges in Internal Auditing
IA practices have come a long way, but not without their fair share of challenges [1]. In the face of emerging competition, spiraling cost structures, integrated global economies, newer technologies, and changing financial instruments, IA has often failed to keep pace. This has resulted in IA departments - in many organizations around the world - plateauing and being replaced by outside service providers and consultants.
While auditors have built strong relationships with their audit committees, they have been handicapped by the absence of regular updates to their audit quality improvement programs. Management support has been deemed critical to drive consistent IA operations, and the lack of it has often excluded auditors from getting involved in key strategic initiatives.
While the IA team size might have weathered the waves of change, there has been a marginal shift in terms of the skill sets required – “from industry-specific knowledge to excellent communicators and critical thinkers [2].” The IA skills needed today are less related to accounting, and more focused on relationship building, negotiation, conflict resolution, presentation, and the ability to handle high-level meetings. In addition to these soft skills, internal auditors are now required to have deeper knowledge about their organizations and industries, risk management, and other topics, which require additional training and recruitment of internal auditors with skills other than just accounting and finance.
Given this context, it has become imperative that IA play a bigger role in adding value to their organizations by expanding value preservation (control focus) and including value creation (performance focus). Instead of focusing solely on internal controls, IA now must be more concerned with identifying opportunities, threats, and requirements, while also understanding the performance, risk, and compliance impact that these elements have on their organizations.
Organizations, therefore, have to ask themselves:
- If there is an opportunity, what are the expected levels of rewards?
- How much can be earned by meeting a certain performance level?
- From a risk perspective, what are the threats which, if realized, will result in financial losses or the failure to meet organizational objectives?
- From a requirements perspective, how should compliance be managed and what are the best practices?
Transformed Role of Internal Audit
In seeking the answers to these questions, IA has witnessed a considerable transformation in its functions. Given that every business adheres to internal and external compliance requirements, the responsibility of auditors must be to synchronize these requirements with performance expectations. At the same time, auditors need to consider governance guidelines to ensure Principled Performance when meeting objectives or addressing uncertainties.
Principled Performance is a concept developed by OCEG, the organization that developed the concept of Governance, Risk Management, and Compliance (GRC) -- the three elements necessary to ensure successful attainment of organizational objectives. Principled Performance is an approach that helps organizations reliably achieve their objectives, while addressing uncertainty, and acting with integrity. These three areas of governance, risk management and compliance (or controls) are also the focus areas for IA groups in accordance with the Institute of Internal Auditors. [4]
Looking at the new and emerging risks across the enterprise, IA will have to, in the long term, adopt a risk-based approach to auditing, and transform into a Risk-based Internal Audit (RBIA) function. In the book “Risk-Based Internal Auditing” by Jason Lee Mefford, RBIA is explained as an approach focused on auditing based on the objectives of the organization, rather than just testing internal controls. [5] An RBIA focus allows internal auditors to consider all of the things that may hinder an organization from meeting its objectives. This approach aligns internal auditors more closely with the organization’s management, and provides much more value compared to traditional internal audits that only focus on accounting and financial controls.
To this end, it will be necessary for internal auditors to sharpen their focus and skills in risk management and governance -- two areas where IA has traditionally not had deep knowledge. Auditors must also create a more responsive and risk-based audit plan, acquire and train talent, and step up the use of audit technology and tools to become more effective and efficient.
Value Preservation and Creation [6]
In adapting to the changing technological landscape, it is important that IA expand its focus and strengthen itself in the areas of risk management and governance. Improving its competencies will necessitate the use of quantitative skills and knowledge of risk. Therefore, while IA continues to preserve value by testing internal controls related to financial reporting, and adhering to compliance and capital market regulations, it will also need to offer strategic and consultative advice to drive the business.
In addition, IA will need to participate in value creation by overseeing finance transformations, mergers and acquisitions, post-merger activities, strategic sourcing, and operational enhancements, while enabling technology to sustain these changes.
Given the significant role that ERM plays across enterprises today, IA will need to use its knowledge of enterprise risks to support strategic business objectives. IA will also need to bring discipline to risk management activities, initiate risk identification, apply quantitative and qualitative risk analysis, strengthen control design and effectiveness, undertake control evaluation and continuous monitoring, strengthen auditing techniques, and enhance regulatory compliance. By expanding its risk-monitoring and auditing responsibilities, IA can not only help businesses preserve value, but also create value.
How Can Technology Help IA?
While audit personnel have emphasized the significance of technology, it has not been adequately used by many organizations. Historically, IA has primarily used productivity software like the MS Office Suite; but today, it needs to utilize mainstream technology to add value through automated work paper management, automated control testing, continuous risk monitoring, risk-based audit planning and scheduling, knowledge management, data mining and analytics, graphical audit reporting, issue tracking, and improved audit execution and documentation. Technology can help develop a consolidated, single view of risk, while supporting organizational objectives and coordinating governance, risk management, and compliance activities, holistically. All these elements point to a future with flexible risk-based audit plans and an IA function that is agile and aligned with organizational objectives.
In order to transition to risk-based auditing, auditors need to build an appropriate audit universe from which to select projects based on the organization’s objectives. The key is to look at the areas of the organization which impact the achievement of objectives such as:
- Process: Auditors need to use a risk-based approach to develop the audit universe by thinking about and listing all the different kinds of transactions and processes which pose higher risks.
- Rotational: Processes, special projects, or even business units should be audited on a risk-based rotation basis, so that the more critical aspects are audited more frequently than the others. It is not sufficient to rotate through each part of the business ensuring that all areas are audited. Instead, a better approach is to focus on those areas that pose a higher risk, and make sure that those areas are audited more frequently.
- Systems: IA should list all the different systems, IT resources, and assets, and then select the areas meriting focus -- particularly those related to laws and regulations, compliance requirements, and higher risk. For instance, some of the highest risks in an organization involve technology and information security.
- Risk-based: There are multiple major threats which may cause the organization not to meet its objectives. Management should already be implementing actions and controls to reduce these risks. It is these management actions and controls that the IA group should focus on testing.
Looking at the above points, it is vital that IA commence with audits based on the organization’s key objectives and strategy. They will need to first list the threats that have the potential to thwart those objectives. Once the threats are identified, and risks assessed, auditors need to examine the business projects that will pose the highest risk to the organization’s ability to meet its objectives.
Today, cutting-edge audit management solutions enable risk-based planning and scheduling, faster audit execution, automation of risk assessments, electronic work-paper management, implementation plans to resolve control issues, and risk visibility for organizational stakeholders. All these capabilities drive auditor efficiency and collaboration, simplify audit reporting, and reduce the need for training.
The Future of Internal Auditing
With risk management becoming an intrinsic part of good governance, organizations have been striving to identify the vast spectrum of risks across the organization, and devise ways to mitigate them. Implementing rigorous internal controls is not enough by itself. IA must step in and offer assurance in this regard. This is where RBIAs come into play.
Given how RBIA focuses more on objectives and high risk impact areas instead of simply examining internal controls, it may just be the tool of the future. RBIA necessitates developing audit mechanisms differently – by prioritizing issues, allocating resources more efficiently, and focusing audit effort on areas that need it the most. It emphasizes the need to evaluate risk exposure by soliciting inputs from the Board and Management. It also focuses on auditing and improving risk management processes, testing the reliability, integrity, and effectiveness of operational information, safeguarding assets, and sustaining compliance with laws, rules, and contracts.
IA has evolved remarkably to play a substantial role in enhancing businesses by introducing best practices and new approaches to risk detection and management. Given the changing risk landscape, IA needs not only the best technology solutions, but also, an understanding of RBIA in order to play a critical role in today’s business environment.