Compiled by CPA Abdallah Mambo Dallu.
Over the years, the Internal Audit (IA) function has evolved to become more strategic and proactive
in its approach. From an inspection-oriented role, today it has moved to forging a partnership with the business. Internal audits help keep a check on the overall health of the company and to ensure
that no department oversteps regulatory norms. Over the years, the Internal Audit (IA) function has evolved to become more strategic and proactive in its approach. From an inspection-oriented role, today it has moved to forging a partnership with the business.
in its approach. From an inspection-oriented role, today it has moved to forging a partnership with the business. Internal audits help keep a check on the overall health of the company and to ensure
that no department oversteps regulatory norms. Over the years, the Internal Audit (IA) function has evolved to become more strategic and proactive in its approach. From an inspection-oriented role, today it has moved to forging a partnership with the business.
The role of internal audit has expanded as auditors have taken on more responsibilities. Businesses no longer only look to the function as evaluators of effectiveness, but also urge internal auditors to add value to their organizations. Thus, internal auditors are now expected to improve efficiency and operations, especially in the face of rising compliance risks and costs. In this article I want to share the techniques I have used to create value in organizations in my eleven (11) years’ experience in internal auditing.
1. Maintaining a good relationship with governance structures.
In this journey of making and keeping the organization resilient, one of the most important factors is the relationship between the Audit Committee (AC) in the Board of the company and the Internal Audit (IA) team. Direct and frequent interactions of the IA Head and team with the AC Chair help in obtaining timely guidance and better understanding the expectations of the Board.
The audit function serves as a governance control, and it performs a crucial role by strengthening the organization’s overall systems of control and conducting assurance reviews of the critical controls intended to address entity level, industry, and business-line risks.
These reviews provide management, the board of directors, external auditors, and, most importantly, the AC with assurance that key controls within the organization are designed appropriately, operating effectively and efficiently, and functioning to protect stakeholders.
These reviews provide management, the board of directors, external auditors, and, most importantly, the AC with assurance that key controls within the organization are designed appropriately, operating effectively and efficiently, and functioning to protect stakeholders.
The audit function serves as a governance control, and it performs a crucial role by strengthening the organization’s overall systems of control and conducting assurance reviews of the critical controls intended to address entity- level, industry, and business-line risks. These reviews provide management, the board of directors, external auditors, and, most importantly, the AC with assurance that key controls within the organization are designed appropriately, operating effectively and efficiently, and functioning to protect stakeholders.
The partnership between the AC and the IA team must help IA be iterative with a constant desire to do better, i.e., to learn by doing, by being flexible to meet new challenges and forward-looking in the
use of new digital tools and technology. Based on the partnership between the AC and IA, the IA will have a conducive working environment to deliver the agreed IA objectives for the organization.
use of new digital tools and technology. Based on the partnership between the AC and IA, the IA will have a conducive working environment to deliver the agreed IA objectives for the organization.
2. Risk-Based Approach
An effective risk-based approach to IA is done collaboratively with business unit and corporate management. The audit function facilitates discussions which help the business look past the
immediate fire drills to identify those risk areas where additional management focus can head off problems before they mushroom. This approach gets to risk issues before they manifest themselves
in losses or compliance deficiencies. It provides an early warning system and a method for extending management’s reach, analyzing the controls to mitigate risks at a high level and then scheduling
audit projects to address risks that have been identified and can be addressed appropriately through an IA process.
immediate fire drills to identify those risk areas where additional management focus can head off problems before they mushroom. This approach gets to risk issues before they manifest themselves
in losses or compliance deficiencies. It provides an early warning system and a method for extending management’s reach, analyzing the controls to mitigate risks at a high level and then scheduling
audit projects to address risks that have been identified and can be addressed appropriately through an IA process.
Risk-based planning is done in conjunction with business management. The audit function leverages its
knowledge of the business and business risks to start the process but also seeks the input of business management so that upcoming trends and initiatives are taken into consideration. Another critical element of a forward-looking risk assessment process is to understand industry, economic, and political influences that impact the company’s risk profile. It is important not only to consider internal systems, controls, and initiatives but also to understand the impact of risk areas that are connected to business partners and even to consider what risks and issues competitors are experiencing.
3. Taking an integrated approach
One of my first priorities has been to strengthen the stakeholder relationships with every business within the organization. This can be best achieved by providing a holistic view of the risk and control environment of the organization combined with a coordinated and seamless approach with all the other assurance functions in the organization to provide overall assurance.
In my case, I have always created an Integrated Assurance Forum (IAF) consisting of key senior leaders from
various assurance functions such as Quality, Safety, Compliance and Information Security along with
business heads. This also increases the team’s agility. Demonstrating agility has become integral to the work of IA and ERM. Taking up varied reviews like assurance by design, identifying emerging risks (for instance, when the current COVID-19 pandemic first came to attention), virtual audits, usage of digital tools all help the team in making its work impactful.
From the point of view of the Audit Committee, such a holistic approach provides comfort about the depth and focus of management on assurance activities. Discussion at the highest possible management level increasingly improved management response and has led to timely remediation of the agreed actions in the areas with internal control weaknesses.
4. Business Process Improvement Adviser
The IA function should work closely with business and operations management to identify opportunities for business process improvements, cycle time reductions, and cost savings. Building
a strong IA team by increasing team
credibility has been a key internal goal of
the IA function. The responsibilities of the
members of the team are interdependent
and it is imperative to develop a well-
functioning working relationship within
the team. This helps the audit team be
able to look at processes not only from
a controls perspective but also from the
prospective of a business owner who wants
to maximize the return that the company is
making in the area under review.
Since IA spans the entire organization,
enhanced diversity in the team is a must
to increase innovation and problem-
solving. Facilitating the induction
of interested, talented, and capable
resources from across the organization
to work in IA for a limited stint will not
only help these resources get an overview
on risk, governance, and controls
processes, but it will also help IA get
cross-functional learning and exposure.
Trainings and refresher courses for
continued learning on the job, ‘all-hands’
meetings to develop team relationship clear roles and responsibilities, opportunity for role rotations and growth, knowledge-sharing practices internally and through participation in external forums, all contribute to instilling the right team culture along
with work competencies to set the team up for successful and impactful work thereby expertly advising the
management on the internal control weaknesses.
continued learning on the job, ‘all-hands’
meetings to develop team relationship clear roles and responsibilities, opportunity for role rotations and growth, knowledge-sharing practices internally and through participation in external forums, all contribute to instilling the right team culture along
with work competencies to set the team up for successful and impactful work thereby expertly advising the
management on the internal control weaknesses.
5. Going Agile
Agile auditing responds dynamically to changing risks and stakeholder expectations, allowing auditors to stay current and relevant in their audits. The switch to agile auditing usually stems from a need to cut costs and a desire to strengthen collaboration with the business to deliver faster and better insights.
The agile approach is built on frequent feedback and short, targeted, collaborative projects that are flexible
to adapt to changing environments. Agile audits are focused on the needs of the business and use outside experts to fill in the gaps of knowledge within the audit team, allowing the function to specifically tailor its services to the greatest benefit for the business. Agile auditing has improved my reporting and stakeholder satisfaction, and help my audit team’s morale and added-value.
The agile approach is built on frequent feedback and short, targeted, collaborative projects that are flexible
to adapt to changing environments. Agile audits are focused on the needs of the business and use outside experts to fill in the gaps of knowledge within the audit team, allowing the function to specifically tailor its services to the greatest benefit for the business. Agile auditing has improved my reporting and stakeholder satisfaction, and help my audit team’s morale and added-value.
Conclusion
Internal auditors are more and more expected to add value to the organizations they serve. They can enable business leaders to effectively deal with issues an prepare them for future problems that may arise. With the tips that the report offered, auditors can rise to the challenge and help their organizations thrive in a dynamic world.
The writer is the Chief Internal Auditor & Compliance Officer;
UMMA UNIVERSITY
E-Mail: [email protected]
