Internal audit teams are being asked to take on additional responsibilities such as integrating other compliance and assurance functions.

Satyavati Berera

PricewaterhouseCoopers has been conducting the State of the Profession survey since 2005 to provide audit leaders with important data and insights into current issues affecting the internal audit community.The business environment has become more challenging for many organisations, and the expectations of internal audit's stakeholders have increased significantly in the wake of the economic crisis. Although internal audit has not been immune to cost-cutting measures taken by many companies, the impact has been less severe than on other parts of an organisation and include reductions in travel and training, delays in staffing open positions, and, in some cases, the elimination of positions.

Internal audit teams are also being asked to take on additional responsibilities such as integrating other compliance and assurance functions and expanding the scope of internal audit's work.

The economic crisis has led to an increased attention on improved risk management for regulators, rating agencies, and boards. This represents an opportunity and a challenge for internal auditors. On the one hand, it has the potential to raise the discussions in which internal audit is participating to a strategic level. However, it poses a challenge because it is an emerging area, and there are many views on what constitutes effective risk management.

Though the economic crisis has not impacted India directly, but business leaders have adopted a cautious sentiment. They want to be proactive and mitigate the possibility of such crisis in the future being so globally connected and to mitigate the possibility of such crisis in the future, Hence an increased focus on risk management has been felt by most of the Indian companies.

The Ministry of Corporate Affairs has also issued a set of voluntary corporate governance guidelines which aim at further strengthening the risk management and internal control practices of companies.

Emerging practices

Most of the internal audit departments can increase their support to corporate governance in a number of areas. Assessing key enterprise risks, measuring risk-mitigation effectiveness, assessing ethics and codes of conduct, and reviewing and assessing IT governance are among the top activities performed for boards and audit committees. Other opportunities include training and orientation of the board and audit committee, administering board and committee self-assessments, executive compensation and disclosure.

Auditing ERM process

There is definitely an increased focus on the need for auditing the ERM (enterprise risk management) process. This is another example of the expanded scope of the internal audit function. When auditing an ERM programme, auditors must understand the role and purpose of ERM to assess whether it is meeting its goals for providing value.

It is difficult to take a standard approach to auditing ERM. By understanding the objectives of an organisation's ERM programme first, audit activities can be created that adequately assess the intricacies of ERM.

We believe that internal audit's role is as a contributor to the ERM process and also a consumer of ERM information. Internal audit is therefore in a unique position to help drive the ERM process for many organisations.

Outsourcing, off-shoring

Off-shoring is an effective strategy for managing costs and increasing efficiency .However, usage is limited and most popular in the following scenarios:

When an organisation with offshore business operations establishes a local internal audit team to focus on auditing the offshore business operations and processes (resident auditors)

When a local internal audit function is established at an offshore location to perform routine or standardized audit testing such as data analysis, SOX compliance, and IT control testing.

When making a decision around outsourcing/off-shoring internal audit activities, it is important to ensure that tasks are standardised and that there is sufficient communication and supervision.

Factors that are critical to the success of sending work offshore include:

Little or no need for close geographical ties between where the work is done and where the work originated.

An ability to train and retain staff at the offshore location.

Clear communication and reporting ties with the offshore location.

Our observation is that off-shoring requires a significant investment of time and effort to achieve the expected long-term benefits.

Reporting structures

In our experience, most internal audit organisations report functionally to the audit committee, but we also are seeing some shifts to the administrative reporting as there is further integration within organisations.

When it comes to reporting relationships, the most critical questions for internal audit function is to ask whether the function has a strong advocate in the executive ranks and the stature necessary to be relevant to the audit committee and senior leadership.

Expectations vs delivery

The gap between what internal auditors deliver and what their stakeholders expect is definitely growing. In this year's survey, we introduced the concept of ‘Internal Audit 2.0' to start organisations thinking about dramatic change. As internal audit confronts new and continually changing needs and expectations, it must take the initiative to redefine its role. That means expanding its skill sets and preparing to take a leadership role as a more powerful resource for senior executives, directors and boards in aligning strategy and risk identification, control and mitigation. We propose internal audit 2.0 as a fresh and innovative way to expedite the closing of gap.

Defining the value proposition entails clearly understanding the expectations of stakeholders, particularly in terms of scope of work. From there, internal audit needs to determine the skills and capabilities required to deliver on that value proposition and then purposefully acquire those skills. Next, organisations must develop these people so they can deliver on expectations, taking care to measure results along the way.

The successful achievement of internal audit's mission and vision depends on having the right mix of core internal audit and specialist staff and requires that organisations provide:

A formal career path for internal audit staff that is defined and has the support of senior leadership in the organisation.

A continual learning and development model to improve internal audit's credentials by gaining business experience and knowledge.

Staff performance measurement against the mission and vision of internal audit.

Training, a solution?

Though our survey results indicate a strong preference for training as the primary means for closing skill gaps, but we believe that training is not the answer in all cases, particularly when an internal audit function needs to make significant changes. For the internal audit function to provide increased insight, business experience is a critical ingredient. This experience also enhances credibility and perhaps most importantly, it's essential to developing the audit team.

PwC publication Maximising Internal Audit: A 10-Step Imperative for Thriving in a Challenging Economy, suggests some useful steps to maximise the value delivered by internal audit.

Understand stakeholder expectations: To achieve this goal, chief auditors must frequently engage in a robust dialogue with executive management, the audit committee, external auditors and, where appropriate, regulators.

Develop a strategic plan: For most functions, it is appropriate to have a strategy for increasing its operational excellence, as well as a focus on enhancing its partnership with the business, and to the extent appropriate, its strategic support for the entire organisation.

Leverage other risk and control functions: Internal audit can improve its position within the organisation by aligning the multiple governance, compliance and risk functions across the organisation.

Assess strategic risks: Although many internal audit teams are performing risk assessments for their organisations, existing practices often need to be revised or expanded to introduce a sharper focus on strategic risk and related risk management activities.

Develop a flexible audit plan: In today's volatile and dynamic environment, multi-year and even annual plans are being replaced by shorter planning periods to enhance flexibility.

Develop the right people: Organisations must determine the best resourcing model to achieve internal audit's strategy and ensure they get the right people on board.

Use technology and develop an infrastructure roadmap: Technology can be valuably applied to virtually every element of internal audit's core and support processes.

Obtain funding commitment: Funding requests should include cost benchmarks from relevant industry sectors and organisations. Key drivers of audit costs include the extent of regulation, global footprint and organisational decentralisation and complexity.

Establish a relationship plan: Developing an overall relationship and communications plan is a key component to increasing both the real and perceived value of internal audit.

Create a performance scorecard: A holistically balanced scorecard can serve as a basis for annual performance goals for everyone within the function so they can be held accountable for results and rewarded for successes.

(The author is Leader, Internal Audit Services, PricewaterhouseCoopers.)

(This article was published in the Business Line print edition dated August 30, 2010)
XThese are links to The Hindu Business Line suggested by Outbrain, which may or may not be relevant to the other content on this page. You can read Outbrain's privacy and cookie policy here.