Drive a Connected GRC Program for Improved Agility, Performance, and Resilience
Power Business Performance and Resilience
Discover ConnectedGRC Solutions for Enterprise and Operational Resilience
Explore What Makes MetricStream the Right Choice for Our Customers
Find Everything You Need to Build Your GRC Journey and Thrive on Risk
Learn about our mission, vision, and core values
From corporate policemen to strategic advisors, internal auditors have come a long way over the past decade. Today, boards and leadership teams are looking to them not just to point out where internal controls are inadequate or ineffective, but to provide insights on how the business can improve its efficiency and operating effectiveness. This has become particularly important in the face of increasing compliance burdens, cost pressures, and digital disruptions. So, how can internal auditors rise to the challenge and deliver the value that their business needs? Here are a few ways.
One of the simplest ways for internal auditors to create value is to ensure that their objectives and plans are always aligned to business objectives. Not only does that help them deliver more relevant insights, but it also helps the business be clear about what they want to achieve. Internal auditors might even want to challenge the business objectives to ensure that they are precise, attainable, and practical.
A strong understanding of the business is important here. Many audit training programs focus on enhancing the technical skills or domain expertise of the audit team, but it’s just as important that they build the team’s business knowledge as well: How does the business work at multiple levels? What are its key drivers, challenges, strengths, and weaknesses? What is it trying to achieve?
As auditors explore these questions, they can gain a clearer perspective of how and where to add value. They can also sharpen their focus, so that when they go into the business, they’re able to more quickly pick up on issues or processes that aren’t aligned to strategic objectives.
It helps to have some sort of integrated data model to understand how audit objectives, plans, and programs tie back to business objectives. Many organizations use audit management software to map together objectives, as well as the risks that impact those objectives, the controls to mitigate those risks, and associated business units, functions, and processes. This tightly integrated data framework makes it easier to get a sense of the audit universe and how everything is linked together.
Regular meetings with the audit team enable internal auditors to measure their progress, and ensure that they are still aligned to the right objectives. It allows them to identify what’s working in their audit plans, what isn’t, and what needs to be changed. Every potential audit can be quantified in terms of its relevance to business strategy. Those that have a larger impact on the achievement of business objectives can be given a higher weightage.
Sometimes strategic objectives may change. As a result, an audit issue that may have seemed significant some time ago may not require the same kind of attention or investment anymore. The only way to know that is to keep the conversation with the business going, and—within the audit team—to meet, take stock, and check that everyone is still focused on the right goals. Otherwise, it’s easy to lose sight of what the team is trying to achieve.
Reporting is internal audit’s opportunity to weave together what they’ve seen and observed into one cohesive set of insights that can help the business catalyze efficiency, performance, and growth. One of the keys to effective reporting is to break down complex or highly technical concepts into relatable terms, while also turning facts and data into a compelling narrative that the business can proactively act upon.
Here again, it’s important to keep coming back to strategic objectives. When business leaders understand which audit issues are most likely to impact the achievement of their goals, they can then prioritize their responses efficiently, rather than trying to address all audit issues at once.
Many internal auditors leverage predictive analytics to anticipate emerging risks, so that the business can get ahead of them before they snowball into larger issues. Today, there’s so much information available for internal auditors to provide better insights to the business. Are they leveraging it all? Are they being creative in how they gather, analyze, interpret, and more importantly, communicate the data? These are important questions to ask.
Technology can be an effective enabler when it comes to audit reporting. Especially in large, globally distributed enterprises where audit teams are scattered across locations, a scalable audit management solution can improve efficiency by streamlining and automating audit reporting workflows. Users can accelerate the process of pulling together data, and consolidating it into standardized reporting templates. They can also track the status of audit tasks and activities across the enterprise in real time.
In many organizations, the shift to agile internal auditing has been driven by the need to reduce audit costs, strengthen collaboration with the business, and deliver faster, better insights. It’s a significant move away from traditional annual audit plans and risk assessments which were largely static in nature. Agile auditing focuses on responding more dynamically to changing risks and stakeholder expectations. Not only can it help strengthen audit reporting and stakeholder satisfaction, but it can also improve the audit team’s morale, job satisfaction, and commitment.
The agile approach typically involves multiple short, collaborative, and targeted projects based on an iterative model that allows for frequent feedback. These projects are largely flexible in nature to keep pace with changing requirements. While traditional audits are often planned based on the capabilities and capacities of the audit function, agile audit plans tend to focus more on what the business needs. If the capabilities of the audit team aren’t sufficient, subject matter experts (SMEs) are often called in to fill the gaps.
At the MetricStream GRC Summit, one of the speakers talked about how his company used the agile methodology to solve a persistent SOX compliance challenge i.e., aligning changes in the HR database to the IT access rights database. Earlier, the process was largely manual and cumbersome. Realizing they had an opportunity to improve efficiency, the assurance function helped put together a Scrum team of collaborators including a senior IT auditor, coding experts, and an SME from the IT department with knowledge of SOX compliance. Within three months, the team had developed a solution to automate the process of matching the two databases. Not only did it improve compliance efficiency, but it also boosted the assurance function’s reputation as a problem-solver and trusted advisor.
Internal auditors today have the opportunity to create real business impact. The work that they do can help shape effective risk and compliance management programs, while also enabling leadership teams to be well-prepared for future challenges. As they focus on better alignment with business strategy, better quality reporting, and better agility, internal auditors can strengthen their reputation as value creators, and help their organizations move forward with confidence.
“Building a Relevant and Agile Internal Audit Function” - A GRC Summit presentation by Andreas Trogsch, General Manager - Global Assurance, ArcelorMittal
“Aligning your Audit Program to Key Business Objectives” - A GRC Summit presentation by Chris Greenway, Director - Internal Audit, The Co-operative Bank Plc