Comments
Internal Audit (IA) was once viewed as a finance policing function. This narrow focus did not survive as many problems were outside the finance area. The way in which IA has widened out as a discipline into a whole raft of risk management skills has been one of the success stories in its development.
Now the focus is on how the IA can help the Board of Directors, the Audit Committee and other stakeholders. The key to internal audit adding value is that it provides objective evaluations of an organisation's processes and operations.
The main focus is on improving risk management, internal controls, and governance so that stakeholders' value is preserved. In other words, IA seeks to improve the organisation's operations and to reduce the chance of negative surprises, including those created by unreliable financial reporting.
Through its monitoring efforts in such areas as fraud prevention, improving business processes, and promoting reliable information (including financial reports) and sound controls, a properly designed and functioning IA group can add significant value to an organisation.
IA should be focusing on what the company sees as its major risks. IA should be reviewing the risk management processes used through the company and ensure that the right controls are put in place by the management.
Powerful force
In the wake of the major accounting scandals followed by Sarbanes Oaxley requirements where Chief Executive Officer and Chief Financial Officers asked to sign , IA has emerged as a powerful force in promoting effective controls, risk management, and governance. On top of these challenges, the pressure to produce reliable financial reports has caused many audit committees to lean more heavily on internal auditors for information and technical guidance related to risks and controls.
IA function also can contribute greatly to SOX audits, performing some work on which the external auditors can rely. Such arrangements can reduce SOX-compliance costs.
What is changing is the nature of the assurance the board of directors needs mainly to the non-executive directors who spend little time with the company. They will be looking for assurance that the management is doing what it is are supposed to do. IA is at the heart of this requirement. This is a really strong role for IA.
This extension of the need for assurance by all stakeholders is likely to widen the role of IA even further. Should the IA be commenting on the work of the external audit? I think that there a role for reviewing the effectiveness of the audit and other consulting work done the external auditors. I think that IA should be asking the questions!
If you're not already measuring softer controls, you probably should be. What is driving the shift away from hard, tangible controls toward softer ones?
Tech empowerment
Technology not only makes old controls irrelevant because it enables empowerment; it also makes it possible to build into computers whatever hard controls and audit routines might still be necessary. In areas where it's still necessary, the traditional kind of audit work can now be performed better by the computer, using a 100 per cent sample.
As managements move into empowerment modes, they need help with the transition. Most of all, they need the help of an independent, objective observer who will give them the kind of realistic, honest, substantial feedback that most people in the organisation won't provide. IA increasingly is going to involve evaluating these soft, intangible areas.
The present framework emphasises the importance of softcontrols such as trust, ethics, integrity, building relationships, and effective leadership. To effectively evaluate the soft side of controls, auditors must demonstrate different mindsets than those of traditional auditors.
This change is the biggest thing to happen in internal auditing.
Is internal audit strategically positioned to contribute to business performance?
The structure and reporting lines adopted for the internal audit function should promote independence, objectivity, consistency and business understanding. The head of the IA should have clear authority to communicate directly to the board, the chairman of the board, or the chairman and members of the audit committee.
Are internal audit's processes enabling and dynamic in meeting business needs?
Internal audit has a strong risk identification and planning methodology and delivers a high quality service.
Technology is used appropriately to enhance the provision of internal audit services. An appropriate framework is in place to measure internal audit's performance.
Does internal audit have the right people strategy to deliver its mission/ objectives?
Internal audit's staffing strategy should reflect its mission, role and required competencies. The strategy is sufficiently flexible to respond to changes in demand. IA provides high potential employees with broad exposure to business activities and upper management, corporate culture, risk management practices. Finally, as a team, it should be looking at ways of changing the company for the better. It is the management‘s responsibility to do this, but IA could help. IA could provide the role of a coach.
(Edited excerpts from a speech delivered at the Institute of Internal Auditors (IIA) seminar on ‘Emerging challenges in contemporary internal audit')
(The author is Chairman, eNoah iSolution.)
Comments
COMMENT NOW
Comments
Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.
We have migrated to a new commenting platform. If you are already a registered user of TheHindu Businessline and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.