Date: 2017-06-27

Let's be honest, there are many negative perceptions of
internal audit. Whether it is perceived as wasting management's time
with rote compliance testing, seen as lacking knowledge of the business
function being reviewed, or feared for potentially uncovering
hidden secrets, the traditional view of internal audit has been
mixed.
Let's take a look at the macro environment first. It
doesn't take long for anyone to search for and find
corporate scandals and frauds. From Volkswagen's
"Dieselgate" to FIFA's bribery and money-laundering
scandal to fake accounts at Wells Fargo, these are just a sample of
stories depicting a premeditated breach of internal controls and
perpetration of fraud – sometimes through the direct
involvement and approval of the most senior levels of management.
These examples only represent a drop of water in an ocean of
publicized as well as non-publicized issues impacting corporations
around the globe totaling billions of dollars of direct impact to
shareholders like you and me.
A complete and rigorous governance, risk and control framework
is needed to combat headlines like those above, and should be based
on setting strategy to preserve and build value, outlining roles
and accountabilities for all aspects of strategy and operations,
and identifying challenges to achievement of business objectives
(i.e. risks). If entity-level controls are weak, businesses may
have confused ethics and direction on how to carry out operations.
If the board of directors isn't clear on what is of value to an
organization, they may be confused on what to monitor. If all key
stakeholders have an inadequate understanding of key corporate
risks, this may result in inadequate risk mitigation measures. If
internal audit isn't aligning its activity with corporate
strategy and helping management accomplish its objectives, it may
only be providing form over substance.
The following are some initial questions to consider asking
to evaluate whether internal audit is providing value to your
organization:
1. Is it clear what internal audit does? An
organization is based on selling/providing a good or service. What
if a customer walked into your business and saw no shelves, no
advertising, or no brochures? How do they know what is being sold?
Internal audit needs to communicate what is being provided –
the fundamentals of services, authority and scope. They should also
set the expectations, communicate the services provided, advertise
their successes, and continually dialogue with all levels of the
organization.
2. Is internal audit aligned with the business?
Internal audit must spend time to meet with management, read and
understand strategy and business plans, and continually assess the
business environment. The focus, strategy and delivery of internal
audit services should dovetail with corporate strategy so that
deliverables help management accomplish their objectives, including
identifying potential pitfalls.
3. Does internal audit understand corporate risks?
Internal audit must understand the risks the organization faces. If
testing is done without understanding risk, it ends up being a rote
exercise of limited value. Identifying risks, discussing them with
management, and then auditing the key controls within those key
risk areas will assist the company in its pursuit of value
preservation and generation.
4. Is internal audit considered a strategic partner and
advisor? Internal audit must be seen as a strategic partner
and advisor – are they really helping the organization
achieve desired outcomes? Internal audit should be involved with
assessing new projects, initiatives, and organizational changes by
bringing an understanding of the underlying risks, controls and
applicable legislation that may impact changes and ultimately
success.
Value is in two horses pulling a wagon in the same direction.
Each has work to do, but each is inherently helping the other as
long as they are both pulling together. Value may have different
connotations to different organizations – improving a business
or verifying compliance with policies and procedures. Don't just
provide internal audit services – coordinate with management
and provide the value that ensures everyone is satisfied with the
final deliverables. And remember that value comes from continuous
improvement through asking how practices can be changed, audits
conducted, results communicated, and relationships invested in to
evolve the business.
