Several years ago, my employer, Western Reserve Group, a property and casualty insurer based in Wooster, Ohio, was contemplating the best way to launch an internal audit department — either in-house or outsourced. With continued growth of the company expected, it made sense to enhance its focus on internal auditing.
The company chose to outsource internal audit to third-party consultants. The consultants completed, on average, three to four audits per year, until about four years ago when senior management and the audit committee determined that having an internal auditor on site to manage the internal audit function, using a cosourcing model for technical expertise, was the best fit for the company.
I was brought on as that internal audit manager. As a one-person department, getting a positive start was a must. Recommending wholesale changes to an already successful company would not be the best way to gain support for internal audit. Instead, I garnered support by listening to and observing the business units, while gaining some early wins by updating governance items, such as the internal audit charter and manual.
Absorbing knowledge from the business units helped expand my awareness of the organization and provided valuable insight down the road. Reviewing each of the audit reports completed by the prior consultants also was valuable. Likewise, reading the external auditors’ and regulators’ reports provided useful information in gaining a foundational knowledge of the organization.
Most important to developing an effective internal audit function is having a strong tone at the top that governance and internal audit go hand-in-hand in establishing the values and ethical behavior that guide the organization. The support of the audit committee and CEO is vital in showing internal audit can be used as a valuable tool and resource, in addition to providing the typical assurances required. Since the first day, the continued support I have received has allowed internal audit to develop and grow. As Western Reserve’s president and CEO Kevin Day puts it, “Strong corporate governance starts at the top of our organization with a focus on providing an ethical climate based upon our strong core values. It was vital when bringing an internal auditor on board that the entire company was aware the internal audit function was fully supported by the CEO and the board. We succeeded in this through transparency and communication throughout not only the management team, but also through all levels of the organization.”
A saying I like to use is: “Look back to move forward.” I saw where internal audit was and then determined ways to improve the cycle time between audits of the core business areas and ensure high-risk areas were covered. Creating a function that adheres to the International Standards for the Professional Practice of Internal Auditing was a focal point.
Just determining each auditable function and the controls surrounding those areas can take considerable time and resources. The key is to be patient while continually moving forward in building an audit universe. From there, a risk-based audit plan can be formed while gathering trends and hot topics by interviewing key members of senior management to gain an overall picture of the organization. Blending that with industry-specific needs and audit focal points can help form a solid audit plan.
Internal audit must work as a strategic partner with management and should interact with all levels of the organization to gain support and show that it can be a trusted advisor. This cannot be accomplished in days or weeks, but rather in months and years, as trust will be built over time.
At times, it can feel like internal audit is spinning its wheels or going in many different directions at the same time. It is human nature to overestimate what can be completed in one year or less, but people often greatly underestimate what they can complete in five years. Internal audit should start with a long-term road map that it frequently adjusts and reviews.
With limited resources comes limited time, but small audit functions must maintain flexibility when events occur that are outside the scope of the audit plan. Having laser focus and a detailed game plan can help squeeze in work that can add value to the organization.
Whether it is gaining certifications, frequently attending training events, or reading articles about the industry or profession, continuous learning also is important with the ever-changing risk environments of most organizations today and cannot be minimized in a small audit department.
It should be a goal of all internal audit functions, regardless of size, to ensure adequate coverage across the organization’s audit universe. But internal audit must first understand where all the risks and their respective control points occur.