How does a new internal auditor whose primary focus could be standard audits, such as auditing expense reports or U.S. Sarbanes-Oxley Act of 2002 testing, get the opportunity to work toward auditing nontraditional risks that are strategically significant to the company? Internal audit departments cannot audit what matters if it keeps new auditors on an island regarding internal and external information and changes facing their companies. By capitalizing on information and best practices, internal auditors can expand their roles both within the department and the organization. This is especially beneficial with the changing demands of stakeholders, senior management, and regulators.
Through a blend of formal and informal channels, internal auditors can keep their fingers on the pulse of the company and identify opportunities to add value. There are many formal conduits of information that can yield useful information about potential audit opportunities. Having internal audit participate in financial close calls and quarterly business reviews is a great way to identify the company's pain points and potential solutions.
For example, suppose while sitting in on a call, management notes that due to recent turnover and capacity issues, accounting was unable to identify the root cause of an issue related to absorption accounting at one of the production plants. The chief audit executive (CAE) volunteers one of his or her auditors to assist at an advisory level to do a root cause analysis and help develop an operational process narrative to help new employees understand the process. The auditor identifies issues that were causing absorption to be underreported at the plant, which, in turn, increased expenses. By remedying these issues, the plant is able to accurately present its financials and drive higher profitability.
Internal auditors can get exposure to critical information through the simplest means. Developing professional relationships with different departments opens the door to many audit opportunities. It could be as easy as informally discussing issues facing their department that could expose process flaws or opportunities for improvement. This can be done by encouraging the audit team to sit with different departments in the company cafeteria instead of isolating themselves by sitting with other auditors.
Informally engaging with other departments also may turn up issues that aren't discussed in formal meetings. For example, suppose an auditor invites her company's operations manager to lunch. While trading pleasantries, the manager mentions that an employee quit his job a week before and left his badge and corporate credit card on his desk. No one has come to retrieve it and the items have been sitting out in the open ever since. The auditor is concerned, so she tests the badge at the entrance and it still unlocks the door. With her CAE's approval, the auditor reviews the exit process and discovers that 80% of employees who left or were fired that year still had access to the building, and that there was no formal offboarding process to ensure that badges were collected. The issue is then quickly remedied, but it may have persisted if the auditor had not decided to lunch with the operations manager.
Subscribing to industry publications and tracking standards and regulatory updates can help internal auditors gain a better understanding of the company, itself, and the industry their company is in. Greater knowledge of these areas improves an auditor's capability to indentify risks.
Industry Publications Knowing how the industry is operating and trending can help identify risks, drive efficiencies, and create competitive advantages. Internal auditors can subscribe to industry publications or create Google alerts for their companies and competitors to easily stay informed about industry news and make educated assessments of risk.
Standards Updates Staying current on relevant standards updates before their adoption dates allows internal auditors to identify issues their company might face and help address them proactively. When a new standard is adopted, instead of waiting for the evaluation and adoption to be completed by management, internal auditors can study the topic and develop the required competencies. Then they can discuss with their CAE their interest in joining the implementation team as an advisor.
At this level, auditors can be proactive in providing insight into the adoption controls that should be in place throughout the project and the process-level controls that should be embedded into the procedures during implementation. Major public accounting firms often release resources such as industry-specific interpretations and practical applications of standards updates for free.
Regulatory Updates It is important to keep track of regulatory changes for smaller companies that don't have the resources to proactively disseminate regulatory information to their employees. For example, if an employee was not aware of a regulation such as the U.S. Telephone Consumer Protection Act (TCPA), which prohibits solicitation to phone numbers that are listed on do-not-call lists and the company uses robocalling for commercial solicitation, they could be exposing the company to risk. Or if it relied on data obtained by a third party saying it supposedly was already scrubbed against all numbers on state and national do not call registries, then making calls from that list could open the company up to class-action lawsuits if those numbers were opted in to a do-not-call registry. Since the TCPA is a strict liability statute that awards $500 per violation and up to $1,500 per willful violation, a class-action lawsuit with thousands of violations could have a material impact on the company.
Internal auditors can be a great resource by identifying regulatory risks such as these based on their knowledge of processes and staying current on regulatory laws and updates. This is a great example of how an auditor can step outside of his or her comfort zone to audit what matters to management. One caution when stepping out of comfort zones is to remember IIA Standard 1210: Proficiency. If an auditor does not have the competency to conduct the audit or review, he or she should not begin it.
Grow Your Career
Through leveraging internal and external information and capitalizing on change, internal auditors can position themselves to expand their roles and develop skills that will help them advance their careers. This includes staying informed and keeping their eyes open, continuing professional development, staying involved, inviting themselves to formal and informal corporate meetings, and ensuring they are prepared to deliver on engagements.