Value Adding Internal Audit
Image credit: Oluwasegun Sonola

Whether the internal audit activity is necessitated by regulatory and compliance requirements, corporate governance and board (or audit committee) demands, or other stakeholders such as senior management, it is essential that the internal audit activity consistently adds value to the organization.

There has also been an intensified call for the internal audit activity to add more value and contribute to the growth of the organisation and achievement of corporate goals and objectives.

According to the Institute of Internal Auditors (IIA), “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Over the course of my career in internal auditing (and more broadly risk consulting), I have seen stakeholders demand more insights, value add, proactive engagement and pragmatic advice/recommendations from the internal audit activity, as opposed to a tick-box exercise to fulfill certain regulatory requirements. Personally, the ability to identify key risks within a Company’s operations and proffer practical recommendations to the client has been an exciting experience.

In this piece, I have tried to capture some of the points I believe can assist risk professionals to deliver value adding internal audits.

1.  Understanding the client
To add value, internal auditors need to dedicate some time to understanding the client's business, operations and processes. It is also important to understand the strategy of the organization and to see how the current business model and operations support the achievement of the corporate goals and objectives. Findings and recommendations should not be made in isolation from the context of the organization. Overall, internal auditors need to be able to ‘connect the dots’, understand the ‘big picture’ and undertake the reviews in the context of these points.

2.  Appreciation of external risks, events and mitigation
To add value, it is beneficial for internal auditors to have an understanding of external risks and the environment in which the client operates. These include socio-economic and political factors, technology and industry disruptions, regulations and events which could potentially have an impact on the organisation. We have also seen an increased impact of macro-economic risks, data privacy requirements and cyber incidents on organisations. Hence, whether the scope of work of the internal audit activity directly relates to these areas or not, it is important for internal auditors to have the right conversations on the organisation’s awareness of these matters and the possible mitigation such as crisis management programs, business continuity arrangements, cyber resilience programs and relevant insurance policies.

Overall, the internal audit activity should support the organization in having an effective risk management program.

3.  Understanding emerging technologies
In a world of digitization and the fourth industrial revolution, we have seen more automation of business processes and repetitive tasks in order to free time for more cognitive activities.

Internal auditors need to seek to understand (and possibly audit) these technologies (such as AI, RPA and blockchain) and also see how to use some of them in performing internal audit assignments. At the very minimum, data analytics should be embedded in every audit as far as possible.

Internal auditors also need to have these conversations with the organization early enough prior to adoption or before it is too late for the organisation.

4.  Listening, and listening to the unspoken words
There is a lot of listening to be done in undertaking an effective internal audit assignment. Some of the key opportunities for improvements I have identified during my career have been through listening to the clients. As you listen, you may be able to answer the ‘why’, identify the root cause of certain client ‘issues’ and connect the dots. This may even relate to areas such as the client’s culture and corporate governance.

Identifying the root cause of an issue will enable the internal auditor to provide a recommendation that would go a long way in preventing a re-occurrence of the issue identified.

5.  Collaboration with key stakeholders
A ‘successful’ internal audit can be achieved through effective collaboration with key stakeholders (including process owners and senior management) while maintaining the objectivity and independence of the internal audit activity. Such effective collaboration will improve trust and acceptance of the recommendations with a commitment to addressing the points raised. I have personally found that the insight and input of management may also support framing the recommendations in a way that fits into the culture, fabric and peculiarity of the client's business, process and environment.

Internal auditors need to engage effectively with the client and key stakeholders across all phases of the audit – planning, execution and reporting. There should be no surprises at the ‘closing meetings’ and reporting stage.

6.  Identifying opportunities for improvements in design of controls
Traditional internal auditing may arguably already be late in certain instances, where ‘exceptions’ are identified only when the internal auditors review transactions that have happened in the past (typically over a one-year period).

Internal Audit reports typically provide assurance and recommendations on two areas – design of controls and operating effectiveness of controls. My favorite and a key way to add value to clients is to identify opportunities to improve design of controls, and of course processes. Essentially, this relates to things and perspectives which the client may not have thought of, thereby benefiting from having an independent person review the system of internal controls. These may relate to both over-control (inefficiencies) and under-controls (gaps).

There are several ways to achieve timely identification and reporting of exceptions and non-compliance, including continuous auditing and monitoring, automated controls that flag deviations based on predefined criteria, and more robust and mature internal oversight mechanisms.

7.  Having a commercial/business mindset
It is important for internal auditors to have a commercial mindset even in cases where regulatory compliance is required. This would enable and support proffering cost-effective recommendations. This is also critical in weighing the cost-benefit analysis related to the ‘findings’ and recommendations.

The cost of implementing the recommendations should be considered along with the risks associated with the finding – this of course is not limited to financial cost but also includes reputational impact.

8.  Considering the interest of all stakeholders
The stakeholders for an internal audit activity include the Audit Committee and the Board, regulators, senior management, auditees, the internal audit function and the community where the client operates. The interests and perspectives of these stakeholders should be considered, including objective auditing, reporting and disclosures. On the back of major corporate scandals, regulators and other stakeholders have asked the question ‘what did the internal auditors say in their reports?’

It is therefore necessary that the views (observations, risks and recommendations) presented in the report should be balanced while providing context, pointing out the opportunities for improvements and also mentioning the good practices or processes in place.

Credit: This article was written by Oluwasegun Sonola CIA, CISA, CRMA, PMP.

Note: The points shared in this piece are the personal thoughts of the writer and do not necessarily represent the views of any organization he is affiliated with.