After ramping up investments and hiring during the mid-2000 global economic boom, organizations across various sectors rapidly implemented sweeping cost-cutting initiatives when the global recession began in 2008. Headcount reductions and high unemployment rates dominated business headlines in the U.S., with major budget cuts across functional areas, all while organizations were still expected to meet customer needs and execute their missions.
Internal audit’s objective of creating value remained the same during the subsequent recovery, even as continuous budget cuts across business functions became the new normal. Internal audit departments, as well as other business units, had to adapt and find innovative ways to continuously create value for their organizations with fewer resources.
According to The IIA’s 2016 North American Pulse of Internal Audit: Time to Move Out of the Comfort Zone, approximately 71 percent of CAEs reported that internal audit staffing levels are staying the same, and 25 percent indicated they will increase. This data could confirm the importance of the internal audit function, but might not necessarily address the increased workload placed on internal auditors. Additionally, limited resources means internal auditors also must prioritize the competing demands of stakeholders, who have different opinions about where internal audit’s focus should be.
Even while it is expected to do more with less, internal audit can continue to improve organizational effectiveness in the areas of strategic alignment, risk assessment, operational efficiencies, compliance and quality assurance, financial reporting, and responsiveness. Ultimately, priorities vary between organizations, and these areas should be continuously evaluated to create value in the context of the organization’s strategic goals.
The dynamic nature of internal auditing requires practitioners to understand the core issues impacting the organizations they support, such as tone at the top, people and culture, processes, and technology. Without in-depth knowledge of the organization’s strategic direction, it is difficult for internal auditors to create value and drive the required changes for the organization to effectively accomplish its goals.
Internal audit must play a critical role in assuring that organizational activities, processes, policies, and procedures align with the strategy. With the right tone at the top and support from executive leadership, internal audit can apply needed skills and broad knowledge of the organization while working collaboratively with stakeholders to ensure strategic alignment. The process should not be limited to annual or quarterly strategic sessions.
The KPMG 2015 Global Audit Committee Survey stresses that audit committees would be more efficient in their oversight roles if they have a better understanding of their organization’s strategy and risks. If the issues related to strategic alignment are important to audit committees, they must be equally important to the internal audit function that the audit committees rely so heavily on.
Risk assessments relate to ongoing organizational activities, an understanding of internal audit priorities that drive annual audit plans, and information obtained and evaluated by internal auditors from interacting with stakeholders. Internal auditors must have a strong understanding of the macro- and micro-risks impacting their respective organizations.
According to The IIA’s 2015 North American Pulse of Internal Audit: Navigating an Increasingly Volatile Risk Environment, at a time when geopolitical, macroeconomic, and cyber-related incidents border on the routine, the volatility of such risks places enormous pressure on internal audit functions to have the foresight needed to address these and other emerging risks to avoid damaging surprises.
An objective methodology should be used to evaluate and prioritize risks in the context of the organization’s strategic direction. The process should be ongoing and provide flexibility to make timely changes as new information becomes available. A comprehensive risk assessment methodology should include mitigation strategies in the context of the organization’s resources, such as:
People – Human capital with specific skills and resources to implement actions required to mitigate risks.
Processes – Routine and non-routine activities performed across functional areas to help organizations accomplish goals.
Technology – How well the organization uses technology to achieve results.
Tone at the top – A commitment from executive management that the most talented resources, optimal technologies, and processes will be focused on value-creation activities.
|Additional Ways Internal Audit Creates Value for the Organization|
Identifying Cost Savings Internal auditors should constantly look to challenge the status quo and for ways to do things better, faster, and cheaper, without compromising the organization’s ability to execute its mission, address customer needs, and maintain quality, compliance, and profitability.
Understanding Business Goals Internal auditors have the technical and interpersonal skills to encourage and support functional groups/stakeholders with often conflicting priorities to work collectively toward accomplishing organizational goals. The right tone at the top makes it possible for internal audit functions to work in an integration capacity to drive results.
Increased Collaboration Best practices and benchmarks noticed by internal auditors while working with stakeholders can be shared with other functional areas to drive organizationwide efficiencies and productivity.
Optimizing Existing Technologies Internal auditors perform various assessments to determine design and operating effectiveness of manual and automated internal controls. This includes expanded reviews and testing around significant financial and operational systems used by the organization. A byproduct of reviews performed should include recommendations for enhancements to these systems and tools.
Continuous Monitoring Working with functional managers to implement metrics and key performance indicators, as well as continuous monitoring of internal controls over critical organization operations, is key for internal audit. These includes monitoring evolving risks and potential fraud vulnerabilities impacting the organization.
Governance, Risk, and Compliance The internal audit function working in an integration capacity can save the organization valuable time and costs from performing these tasks in silos.
Internal auditors, armed with knowledge about the organization’s strategic direction and overall risks, have the capability to apply basic operational audit principles to drive results. Recommendations for cost-effective and sustainable solutions that reflect the context of the industry and issues unique to the organization (customer needs and mission-critical activities) should be major outcomes of operational audits. Internal auditors should perform assessments to determine required training and skills across functional areas, and assess use of optimal processes and technologies in key organizational units.
Compliance and Quality Assurance
Procedures to confirm important regulatory and compliance issues applicable to an organization are addressed continuously and adequately and that existing internal controls are operating efficiently should be included in the annual internal audits and assessments.
For certain industries, the nature of products manufactured and distributed may require extra scrutiny related to quality assurance procedures (e.g., medical device companies) or added internal controls and compliance requirements (e.g., financial services companies). Internal factors such as policies, procedures, product specifications, or service levels and external factors, such as regulators and standards organizations, impact the level of effort addressing compliance.
For some organizations, quality assurance can be seen as the level of internal testing to meet product specifications. Quality compliance is the level of documentation, procedures, policies, and periodic audits to confirm the organization is meeting standards. Developing and executing audits to confirm that adequate compliance and quality assurance oversight exists in an organization and providing recommendations are examples of how internal audit functions routinely add value by identifying risks that can be mitigated or avoided before the organization suffers loss.
For federal, state, and local government, executive managers are responsible for the stewardship and accountability of taxpayer resources and funds. The same logic applies to nonprofit organizations when funds are donated to serve a specific purpose. Private-sector organizations must implement adequate financial reporting oversight to achieve a clean audit opinion. Cost-effective financial reporting internal controls are critical for all organizations.
Internal audit plays an important role in conducting audits to confirm design and operating effectiveness of internal controls over financial reporting across enterprise operations, including IT and existence of entity-level controls. An effective internal audit function is critical in preventing and detecting material financial reporting errors, and working with stakeholders to adequately address audit findings timely. This enables external auditors to rely on work performed by internal audit and avoid duplication, resulting in cost savings.
Leveraging its knowledge of the organization’s strategic alignment, customer needs, mission, risks, compliance requirements, and operations, internal audit can work with functional stakeholders to develop and monitor financial reporting metrics and key performance indicators to drive profitability. These cost-cutting initiatives to meet financial goals must never compromise an organization’s ability to meet evolving customer needs and execute its mission.
Ignoring audit findings or not addressing compliance issues or customer complaints may result in negative media headlines and creates public relations nightmares for many organizations. In the course of developing and executing annual audit plans, internal auditors can conduct assessments and provide recommendations to identify and correct issues before they result in embarrassing publicity.
With the right tone at the top and support from executives, internal auditors can work with functional managers in an integrated capacity to apply value creation steps in the context of each functional area and operating environment. Recommendations that are the result of working collaboratively with functional managers often lead to sustainable solutions.
Internal audit can recommend benchmarks, standardized processes, and process improvement initiatives; track return on investments; and provide input in developing and maintaining training materials. Internal auditors can provide tools to continuously monitor and prioritize risks so that corrective actions are implemented timely.
Reaping the Benefits
When the internal audit function is working effectively, the organization can realize success with responsiveness to customer needs, minimal regulatory and compliance violations, productive employees, and implementation and use of optimal processes and technologies to accomplish objectives.
The internal audit function, itself, benefits from an increased perception of internal audit as a continually evolving, value-creating function throughout the organization; improved ability to understand, manage, prioritize, and mitigate risks impacting the organization; job satisfaction and improved retention rates for internal auditors working on projects that make a difference; and efficiencies gained in planning and executing future audits.
Other business units/functional areas might realize benefits, such as skills and knowledge transfer by working collaboratively with internal audit. Examples include reevaluating and improving existing practices, developing a culture of process improvement initiatives to eliminate bottlenecks and create streamlined customer-centric processes, better alignment with strategy, and increased risk awareness and mitigation techniques. Organizational benefits can include increased customer and employee satisfaction, significant cost savings, and increased productivity and profitability.
Doing More With Less
Unrealistic demands and expectations on employees in general can have the unintended consequence of low morale, employee burnout, and reduced productivity. This is also an area where internal audit can provide options to continuously evaluate cost-saving opportunities that won’t compromise its core values, the ability to execute its mission, or stakeholder priorities. Through leveraging knowledge and empowering internal audit to function in an integration capacity, auditors can help the organization accomplish its objectives while doing more with less.