Role of Internal Audit as Business Advisor

Introduction

The role of internal audit within an organization has undergone dramatic changes in the recent years. Today, audit activities are considered as tools for value addition in form of assurer, assessor and advisor. An optimally managed internal audit can prove to be the best tool for designing key strategies and making pragmatic business decisions.

According to recent survey reporst¹, the senior executives and audit committees indicate that their internal audit function has an important role to play in their overall risk management efforts, and in achieving business objectives. They have the potential to move it to a higher value-added model, functioning as an increasingly valuable resource - a trusted advisor and consultant to key stakeholders.

 

Figure: Value Proposition of Internal Auditing²

 

The role of Chief Audit Executives (CAE)

It’s an undisputed fact that CAE is best suited to play the role of the main business advisor. However, the question arises; can the CAE be a trusted business advisor? It calls for the specific skill to understand business strategically and to be able to speak from that particular context. The CAE generally reads the audit reports which typically deal with operational, financial, and compliance issues. However, they also need to look at the trends in audit findings that may give strategically focused insight into the business. 

According to a survey by the IIA Audit Executive Centre3, last year, most audit plans still focus on operational, compliance and IT risks and only a few of them focus on the business plan, and business strategy in their audit plan. 

According to the Corporate Executive Board, stumbling blocks to strategic risk assurance are as follows:

• The Risk Model: Traditional risk factors include finance, operations, compliance and IT. The need of the hour is to prioritize risk factors by importance to achieve corporate objectives.
• The Audit Universe: This presently has a predefined set of activities, organizational units, business processes etc. Each “auditable entity” is assessed based on a number of risk factors which can be related to finance, operations, compliance, and IT. A better, top-down approach is to deconstruct corporate objectives to identify non-traditional assurance work.
• Management Interviews: It is important to meet with the executives, typically once in a quarter, to discuss and identify the key risks, particularly emerging risks, in their mind. While valuable, such interviews are not enough. Managers often have an inadequate view of risks and priorities to identify non-traditional assurance work.
• Risk Universe: This typically defines strategic risks too broadly or out of context. Instead of relying completely on the organization’s risk universe, CAEs should make sure that every audit team, while doing an audit, understands how every risk they audit affects the achievement of corporate objectives.

Organizations need to have the right resources to audit strategically. Instead of starting from the resources the audit department had a year ago, it is better to start from how auditors can best monitor the organization’s critical strategic risks and then work towards that. Some ways to overcome resource limitations are:

• A rotational program, in which talented, experienced staff rotate into internal audit for a period of time - usually 2-3 years - then go back to the business. They bring their knowledge of the business into the audit department and take their knowledge of risk and control and achieve broad exposure to their next assignment.
• Guest auditors, from different parts of the organization, can join the audit team just for one audit of a related subject and can help overcome the talent limitations.
• Co-sourcing with outside firms that have specific technical expertise needed for an engagement.

The CAE can play a valuable role in advising management during the strategic planning process. Some of the key points that need to be considered during the process include benchmarking the strategic planning process and ensuring involvement of all the key players. It is also vital to ensure that when all the risk factors are evaluated, resources need to be identified and business objectives aligned. Also, it is important to see if the strategy has been or will be communicated across the organization. 

Examples of strategic initiatives: New IT infrastructure New products Standardization & optimization projects Restructuring Re-engineered business processes Outsourcing functions Acquisitions, divestitures, business integration Expansion to new markets Management philosophy/ people management program

 

 

 

 

 

 

 

Another role in business strategy is to audit the strategic planning process. The key areas that need to be focused on include:

Managing Volatility
Widely prevalent methods such as hedging and commodity trading are employed by energy organizations to offset price risks, and the negative impact of adverse market conditions. Commodity price volatility has always been the single biggest variable in forecasting EBIT (Earnings before interest and taxes) for energy organizations.
 

Another role in business strategy is to audit the strategic planning process. The key areas that need to be focused on include:
 

• Existence of a formal process and level of compliance with the process
• Cross-functional involvement and vetting process
• Documentation of the strategic objectives and underlying assumptions
• Review and approval process
• Measurability of strategic objectives
• Communication of strategic objectives
• Organizational readiness

 

Strategic Business Adviser: Key to success
Auditors should be on top of the key processes of the organization, knowing the systems extensively and deeply. Thus it is essential that auditors sit with the business managers once in a month or at least quarterly, to have an informal chat about the new changes within the organization. If the new changes are considered as emerging risks, the auditors can help business managers do a real time risk assessment and can share with them common findings derived through audits and best practices that can make them better risk managers. 

Auditors can also research industry best practices and identify best practices to share within the organization. At least one audit department can develop a database of best practices appropriate for their organization from these sources. When they identify a deficiency, they are able to recommend a best practice to the management. Also, whenever the audit team identifies a practice worthy of putting into the database, they also identify managers in the organization that might benefit from that piece of information and send them emails describing the practice The audit team also distributes a regular audit newsletter and if they think more managers than they can identify could benefit from the knowledge, they put it in there. In this way, the audit department becomes a knowledge centre for the organization.
 

Leveraging Technology for Strategically Aligned Audit Process: 
From a technology perspective, in a large or mid-size organization, the data is largely fragmented and extensive efforts are required to put in all the data together and add value to it. Therefore, an effective and efficient technology is required to make the overall audit process more effective so as to add value to an organization’s internal audit function. A highly structured and standardized method of reporting audit results can deliver deeper insights aligning business focus on the right set of business risks and enabling informed decision making process. A standardized data collection procedure can eliminate errors and inconsistencies and real-time business intelligence helps in efficient analysis of findings, enabling valuable recommendations. It highlights critical information, provides risk insights and intelligence and top-level visibility for CAEs. It also provides operational metrics crucial for making decisions and defining audit strategies, enabling management to focus resources and time on key areas, resulting in optimal resource utilization and effectiveness. Overall, this drives transparency within the organization, bringing stakeholders across enterprise on the same page and increasing collaboration.
 

Conclusion:
Today, with evolution of audit activities from assessing oversight to delivering insight and foresight towards an organization’s functions and performance, internal audit has become a competent tool of value addition within the organizations. A systematic approach to internal audit in a strategic framework with help of technology solution has proven to be of significant advantage, for contributing in crucial business initiatives.

¹ E&Y study titled ‘Unlocking the strategic value of Internal Audit’¹(2010)
  PWC study named ‘State of the Internal Audit Profession’¹(2013) 
² Audit Committee Priorities for 2014 by KPMG
³ *CAE-2013 Global Pulse of the Profession Report