Business landscape is rapidly changing, requiring internal audit (IA) to play a proactive, catalytic role, enlarging its scope and transforming into a value adding, strategic aid to management. IA should be capable of contributing towards achieving the core business objectives and governance by being the eyes, ears and mouth piece to senior management, audit committee and board of directors.
Besides ensuring reasonable assurance to integrity of financial reporting, conforming to applicable rules, regulations, accounting standards and principles; IA should assist the organisation in risk management, preparation of sustainability reporting; establishing reliable MIS and its alignment with business objectives and processes. In cases of company's mergers and acquisitions, IA should come with valuable suggestions, based on in-depth study, data mining and data analytics.
IA must facilitate safeguarding entity's assets and help mitigation of fraud, leakage and waste of resources.
competent internal auditors
The change in scope of IA demands placement of competent personnel for conducting internal auditing, having relevant experience in different domains of the business processes, including manufacturing, engineering, marketing, and change management. The auditors have to keep abreast with business dynamics, fill skill gaps and use advanced computer-aided auditing techniques (CAATs), data mining, drilling, extraction and analytics software to extend entire business activities and conduct audit efficiently and expeditiously.
The IA professionals need to establish effective communication with business units, external auditors and support audit committee and board of directors in undertaking continuous review, monitoring and initiating appropriate, timely detective, corrective and preventive actions, bringing in quality governance and continuous improvement. It is the indispensable responsibility of audit committee and board to make certain that IA has clear mandate, scope, functional independence and autonomy.
IA enables the company to avoid recurring product delays, cost overruns, establishes regulatory compliance and avoidance of criminal penalties, compensation and loss of image.
It enables crisis management and business continuity process; conducts due diligence, detailed audit of outside contractors and actually becomes a profit centre. IA may help reducing corruption, kickbacks and enhance its value to business.
Standards for Internal Auditing (SIAs)
The institute of Internal Auditors (IIA) prescribes an external quality assessment or peer review for internal auditing in every five years. ICAI issued 17 Standards on Internal Audit (SIAs) for undertaking effective internal auditing.
These SIAs cover entire gamut of IA including planning, documentation, reporting, sampling, analytical procedures, quality assurance, evidence, fraud and risk management. SIA 14 elaborates the procedure to be followed while conducting internal audit in an IT environment focussing on essential controls to be reviewed.
The audit committee and board expect IA to prepare a comprehensive risk-based audit plan, inform directors about the tone of the organisation, control processes, and provide insight, advice, and assurance on enterprise risks.
External auditors, regulators, and others expect IA to develop and regularly update a formal strategic plan, aligned with key enterprise-wide objectives and stakeholder expectations.
IA should apply technology to conduct real-time reviews, escalate issues, ensure compliance with standards and adopt formal knowledge-management plan.
Internal auditing needs to adopt risk-centric approach and conduct an annual enterprise-wide risk assessment to place robust controls.
Annual audit plan should be drawn on the basis of risk assessment in consultation with audit committee, who will continually monitor, review and track IA performance using management tools like balanced scorecards.
IA should report directly to audit committee and board and able to discuss issues without the presence of the management.
Number of audits conducted, key findings, recommendations accepted by management along with average cycle time for engagements, average reporting cycle time, and client satisfaction demonstrate the effectiveness of internal auditing.
(The author is Director-General, CAG office.)