In an era when IT is embedded in almost every process, trying to audit operational, financial, and technology controls independently is not an efficient use of resources. Beyond the redundancy of effort, it results in fractured reporting to both the board and senior management. Yet many practitioners continue to use this fragmented approach, despite its numerous disadvantages. To add value and improve the organization's operations — as mandated by The IIA's Definition of Internal Auditing — audit functions should instead adopt an integrated audit approach.
Integrated auditing, as described in an IIA Practice Guide, refers to a holistic approach to internal audit engagement planning and execution that helps ensure all aspects impacting the quality or efficiency of a process are considered. The approach often requires auditors with different backgrounds and areas of expertise, at least during the planning phase, to identify all the risks and exposures that should be part of the audit engagement, including operational, financial, environmental, technological, and regulatory concerns.
Adopting an integrated audit approach focuses the chief audit executive (CAE) on developing auditors who can plan and perform engagements that consider any activity with the potential to prevent the achievement of organizational objectives. These integrated practitioners can provide an end-to-end understanding that includes policies, procedures, inputs, people, technology, outputs, environmental impacts, regulatory requirements, and more importantly their connection to organizational goals.
Integrated auditors, though, should not be expected to possess expertise in every area. In fact, part of being an effective integrated auditor involves knowing when to call the experts and ask for help. However, integrated auditors should be expected to possess the core competencies needed to plan and perform an internal audit, and to be proficient in applying the International Professional Practices Framework's Mandatory Guidance.
They also should have a deep understanding of the organization, including its core business and strategic goals, policies and culture, and technology (information and operational). Moreover, they should be well-versed in industry-specific issues, such as those pertaining to geographic location or the market in which the organization operates.
Integrated auditing is a winning proposition for the internal audit activity, individual auditors, and the organization. Integrated audits are more effective because they simultaneously assess financial, operational, and IT risk and controls, and they produce more timely recommendations to improve risk management, operational, and governance controls. The approach may help discover deficiencies that could go unnoticed when performing individual audits, and it can increase internal audit's relevance by providing a more comprehensive view of organizational risk.