Best Practices in Internal Audit

Gone are the days when internal audits were limited to annual assessments of operational and financial controls alone. Today’s internal auditors are expected to do more – to step out of their comfort zones and provide assurance on a range of new and emerging risks, while also delivering timely insights to guide key strategic decisions. Stakeholders are increasingly relying on internal auditors to help them navigate the choppy waters of rapidly changing regulations, large-scale data breaches, complex global business ecosystems, and geopolitical uncertainties. How internal audit responds to these expectations will determine their success, relevance, and value in the coming years.

With that in mind, here are 5 best practices for internal auditors to successfully meet stakeholder expectations, and drive exceptional business performance in their organizations:

 

1. Put Risk at the Front and Center of the Audit Plan

We live in a world where risks are changing at an incredible pace; where events that might not have been foreseen a year ago have become a reality. Consider the unprecedented vote by U.K. citizens to exit the EU, the bitter and deeply divided political battle in the U.S., the simmering refugee crisis in Europe, or the increasing cyberattacks against critical infrastructure.

For internal auditors, these developments are a strong reminder that risks need to be constantly reassessed, and audit plans revised to reflect the changing risk environment. While risk identification is ultimately a management responsibility, auditors would do well to stay informed on the new and emerging risks that would hinder the achievement of the organization’s objectives. They must be able to provide assurance that existing risks, as well as the big risks around the corner are being properly controlled. Achieving these objectives calls for continuous, risk-based audits.

 

Recommendations

• Get a sense of the top risks to the business through conversations with stakeholders, internal observations, surveys, and industry analyses
• Coordinate with other assurance groups to assess and score risks in a top-down manner
• Tailor risk assessments to understand how various risks are interconnected and what causes them
• Rank and prioritize the risks based on their impact and likelihood; make sure to get management buy-in on the risk priorities
• Ensure that the areas of highest risk and the associated controls are audited more frequently than others
• Conduct periodic reviews throughout the year to determine if the prioritization of risks is still applicable

 

2. Collaborate Closely with the Second Line of Defense

For the board and management, it can be frustrating and confusing to receive multiple reports from various assurance functions, each addressing similar risks and issues, but talking in a different risk language, and providing different recommendations. If internal auditors are to truly add value, they must collaborate and communicate more effectively with the second line of defense, working towards a holistic, integrated view of risk and compliance. This kind of combined assurance gives stakeholders better visibility into critical risks and opportunities which, in turn, enables them to make better, faster business decisions on how to tackle the changes in the risk and regulatory environment.

 

Recommendations

• Establish a common risk and control language that will enable the second and third line of defense to communicate with each other, and report risk more effectively
• Conduct periodic meetings between internal audit and other assurance functions to share information, and to align risk priorities
• Don’t hesitate to question and challenge the findings from risk and compliance functions
• Link the risk function’s assessments of key risks to audit planning; in turn, share the risk-based audit plan with the risk function to get their insights and perspectives
• Report key risks, issues, and opportunities to stakeholders in an integrated manner with inputs from all assurance functions
• Standardize and streamline risk assessment and control evaluation processes to ensure that there are no redundancies or overlaps between assurance functions

 

3. Provide Advice and Insights that Focus More on Foresight, Less on Hindsight

PwC’s 2016 State of the Internal Audit Profession Study found that 62% of stakeholders expect more value from internal audit, including half of those who already reported experiencing significant value. Many stakeholders want internal audit to expand its value beyond assurance, and be a more proactive trusted advisor.

While the work of providing assurance is extremely critical, internal auditors are also uniquely positioned to deliver insights that can guide and influence decision-making at the highest levels of the organization. They have the ability to advise stakeholders on important business process improvements, while also alerting management to emerging issues and risks. The key is to focus less on the issues and risks that have already occurred, and instead look ahead to understand where the organization is heading and how its risk profile is likely to change as a result.

 

Recommendations

• Decide how to balance the time spent on advisory and assurance work based on the organization’s strategy, stability, business environment, and other such factors
• Spend time understanding the organization’s business processes, strategy, and performance indicators; that makes it easier to spot areas of concern, and add value to discussions
• Balance hindsight with foresight; focus on forward-looking analyses that anticipate the issues that could occur, so that the organization isn’t caught off-guard
• Communicate insights to stakeholders in a simple, succinct, and timely manner; separate the signal from the noise
• Instead of providing too many details, focus on strategic questions such as “what caused these risks or issues,” and “what can be done to prevent their recurrence”
• Engage actively with industry associations to exchange knowledge with peers, and to understand how they are responding to stakeholder expectations for better insights

 

4. Expand and Sharpen Internal Audit’s Skills

The world is rapidly changing, but audit skills are not evolving fast enough. In Deloitte’s 2016 Global Chief Audit Executive Survey, 57% of Chief Audit Executives (CAEs) reported being unconvinced that their teams had the skills and expertise needed to deliver on stakeholders’ current expectations - let alone future demands. 

Today’s auditors need to have a broad range of skills that go beyond operational and financial auditing, to include enterprise risk management, regulatory compliance, vendor risk management, anti-bribery, corruption, and even cyber security. Auditors must understand how to not only test con-trols effectively, but also communicate with a range of stakeholders. Critical thinking, analytics, and technology skills are also important. 

Many organizations are addressing these skills gaps in their teams through comprehensive training. Others are hiring new audit professionals, while still others are looking at co-sourcing and outsourcing options.

 

Recommendations

• Evaluate the existing skills of the internal audit team; identify gaps, and conduct periodic training to address these issues
• Align training and development programs with emerging risk and regulatory developments, as well as business objectives
• When recruiting new resources, evaluate their communication skills as much as their auditing qualifications; trying to teach soft skills later can often be difficult
• Explore alternative staffing models such as rotation (exchanging talent between the business and internal audit) or guest auditor programs (bringing in subject matter experts from the business to help conduct in-depth audit reviews)
• Build relationships with external service providers who can provide specialized audit skills without long-term investments

 

5. Automate Wherever Possible with Technology

While internal audit’s roles and responsibilities may be increasing, budgets are limited, and talent is difficult to come by. In fact, auditors often find themselves having to do more with less. Many are turning to technology to simplify and automate manually-intensive audit processes, thus freeing up time to focus on more value-added activities such as risk analysis.

With big data analytics, technology also provides the ability to aggregate and analyze tremendous volumes of data (from both inside and outside the organization), and deliver risk and compliance intelligence in real time. These insights enable auditors to better predict the risks, issues, and opportunities that lie ahead, thereby providing timely advice to the board and leadership team.

 

Recommendations

• Consider replacing siloed spreadsheets and tools with integrated audit systems that can streamline and automate audit workflows across the enterprise
• Build a centralized library to integrate and map audit data, including risks, objectives, controls, and auditable entities (This tightly-knit data model helps understand the relationships between various data elements, and enables more targeted and focused audits)
• Leverage mobile auditing tools to enter audit findings on the go, and to easily capture photos and videos as evidence
• Implement intuitive dashboards and reporting tools that can roll up audit and risk data from across the enterprise, summarizing key observations, and highlighting critical information
• Adopt analytics to derive valuable risk intelligence that can drive decision-making

 

Conclusion

Internal audit is faced with an important choice. It can either refuse to evolve and, thereby, fade in relevance. Or it can find ways to reinvent itself and drive greater business value. The successful internal auditors of tomorrow will be those that can keep pace with the risks and changes in the business environment, communicate more effectively with stakeholder across functions, and deliver timely and forward-looking insights that matter to the business. Just as important will be their commitment to continually sharpen their auditing skills and knowledge, and leverage world-class tools and technologies. Achieving these objectives will go a long way towards helping internal audit attain its full potential and become an even greater asset to the business.