Drive a Connected GRC Program for Improved Agility, Performance, and Resilience
Power Business Performance and Resilience
Discover ConnectedGRC Solutions for Enterprise and Operational Resilience
Explore What Makes MetricStream the Right Choice for Our Customers
Find Everything You Need to Build Your GRC Journey and Thrive on Risk
Learn about our mission, vision, and core values
This article discusses how to plan an effective internal audit program focusing on risk assessment and key risks to be considered, which will help in appropriate resourcing of internal audit efforts, tied to board level issues and significant areas of the organization that can be impacted by the financial wellbeing of the organization.
This article discusses different aspects of internal auditing and leads to advancement in individual practices. The objective is to plan an effective internal audit project, as well as some of the general audit processes that are involved in most audits. The key focus is on risk assessment and key risks to be considered. There are many additional business and other risks that internal audits could exhibit. Importantly, how management can be encouraged to tackle risk management and operational risk in particular.
General audit steps and approach
Auditing is about how to improve practices of internal auditing . It has its own international standards as well as practice advisory that helps in implementing internal audits.
Fundamentally, the auditor’s perspective should be to take the view of board members, activities of the organization and projects that may have significant impact on the success of the organization, this is best evaluated by independent internal auditors. The internal auditor should be looking at the risk management efforts of the organization for these critical functions and critical initiatives. With picking those prospects, the resourcing of internal audit efforts will be appropriate and tied to board level issues and significant areas of the organization that can be impacted by the financial wellbeing of the organization.
In the practice of internal auditing, its primary focus is to plan for the projects to be audited and how each project fits the organization’s need. The first step is to determine the audit project, then, what are the goals and objectives of the organization, and the areas that are being audited. Accessing the key risks to the organization, initiatives and potential impact on the organization is also needed. This involves taking up the business perspective in each internal audit and tying it to business goals and objectives. The scope, purpose and objectives for the individual internal audit project have to be determined and defined. This provides the overview or general direction of the internal audit project and the drivers for different tests that have to be performed in different audit activities and analysis performed during field work.
By having clearly defined purposes and objectives agreed to by the management, the internal audit team will be able to deliver their independent objective opinion and recommendations for improvement and work towards providing value to the project for the department or organization’s unit that is being audited that will advance the organization’s performance.
In internal auditing, the type of internal audit projects is extremely diverse. You may be looking at finance function in one project, operations and customer services for another project, evaluating risk management on a third project and studying the efforts in a compliance program in another project. The audit scope for the project is to focus on understanding what the project is trying to accomplish, and what the risks to the organization are.
Audit risk assessment
Risk assessment needs to be performed within every internal audit project. In an audit risk assessment, trying to understand the business risk, better allocating audit efforts during the entire project and factoring relevant aspects is important. The audit risk assessment should be done as part of planning and then continued during field work as more information is learnt. The key risk factors need to be assessed comprehensively because as these factors are determined to be positive or negative and in between, the audit efforts and the sourcing of audit resources will have to be adjusted accordingly.
The lesson here is performing a comprehensive risk assessment to get to the key risks that needs to be assessed during the audit project.
Audit objectives drive what audit efforts will be. The appropriate audit objectives for internal audit project are determined during audit planning itself. The importance of objectives are that they drive resourcing, the audit approach, audit test, work load and also what information and recommendations will end up at the end of the audit project that will be going back to management. So it is advisable to discuss audit objectives with management, and get a real consent on important objectives for the internal audit project, as the audit reports will provide valuable information and feedback to the management and teams.
Audit Reporting process
Within the audit reporting process, there are always significant opportunities to communicate with management and staff on opportunities for improvement and suggested recommendations. The formal written audit report is the most visible product of internal audit efforts, and is always an interesting exercise in getting signoffs on that report. The internal audit team communicates with staff and management throughout the entire audit and so, the audit reporting process should be considered as happening from day one to the last day of the project, not just at the formal written reporting time. This is an important consideration when interviews, debriefing and status updates are being planned. All these communications and interactions are part of the audit reporting process and should be considered very important throughout the project.
Issues to watch out for
There are always various issues to watch out for as part of audit planning, risk assessments and audit delivery. These are inherent risks or people issues or recovery capabilities or resiliency of the organization etc. So during audit planning of a project, the business risk to the organization is to be considered, and the audit objective which should be the focus of the audit. But what are the additional issues that are being asked by management and should they be included or excluded in the sculpture of each of the individual audits? Every audit is slightly different and one always needs to be thinking through what is best for the organization for this particular audit, and what competencies on the audit team is required to successfully complete that in terms of efforts for the audit.
What the auditors like to see?
Auditors are questioned on what they determine to be positive attributes for the organization or the entity they are auditing, and good management practices are what auditors are looking for. Whether it is an IT audit or internal audit, looking for demonstrations of solid planning, direction, monitoring and reporting and that those processes and practices will resolve in good results. In information request, in interview discussions, in analysis of different output of the project or the department or the function, fundamentally one is looking for good management practices and encouraging a focus between short and long term as well as an engaged staff and a proactive management. By evaluating against these important factors a continuous improvement process and a strong management practice is instilled within organizations, which are very important attributes for long term success.
How technology helps internal audit organizations build an efficient environment
Customer interaction suggests that their control environment, risks, controls etc. have been defined in either word, excel or some format. As years go by this process needs to be more systematic. Technology helps migrate this data into a format that is readily accessible. The work flow can be smooth, issues like, ‘who has to do what task’ can be avoided. In this way technology can make internal audits less hassled. The time and cost needed to manage internal audit environments is readily available in a simplified process.