Board and management stakeholders want internal audit to demonstrate greater business acumen. They want auditors to have a broad understanding of the organization, as well as anticipate how to help the organization achieve its objectives.
That means auditors need to see beyond their area of expertise and responsibility. They must be agile to act proactively and congruently with the organization's way of doing business. By recognizing these expectations, internal audit can show that the department is an excellent place to develop business acumen.
Fit Business Needs
Organizations expect all senior managers to have the business acumen to lead their areas of responsibility and support broader organizational success. Managers should be able to anticipate and act on ways to add value to the organization and its stakeholders.
Likewise, internal audit needs to identify the best ways for the function to develop business acumen that fits the organization's needs. It can't take a one-size-fits-all approach, though, because business acumen will vary by industry, type of business, and the kind of service a business unit provides. For example, internal audit will require different aspects of business acumen than business lines, such as sales and production, or support services such as finance and security.
Moreover, internal audit's assurance role in relation to other assurance roles within the organization impacts the kind of business acumen it needs. Developing business acumen can enhance internal audit's risk-based coverage of the organization's main lines of business, as well as the first two lines of defense.
In developing business acumen, internal audit should not be seen as narrowly focused rule-followers who avoid innovation and taking risks. Chief audit executives (CAEs) should ensure the audit staff understands the capabilities of the organization's first two lines of assurance, as well as the business' main products and services. Their strategy for establishing business acumen should involve human resource activities, such as hiring, promotions, and career planning, as well as professional development activities.
Enabled by the Standards
Internal audit's use of business acumen must reinforce, and not compromise, auditors' professional competence. The
International Standards for the Professional Practice of Internal Auditing place great importance on risk-based planning — multiyear, annual, and engagement — to ensure that services are strategic and add value. Having business acumen enables internal audit to proactively plan and adapt all forms of audit activity to anticipate the organization's assurance needs. This capability goes far beyond simply repeating cyclical coverage or responding to senior management requests.
There is no trade-off between demonstrating business acumen and conforming to the
Standards. On the contrary, internal audit can build business acumen on a sound understanding and innovative implementation of the
Standards and associated guidance.
CAEs have used a variety of methods and approaches to attune their staff to the business needs of their organizations. The examples in the boxes that begin on page 41 demonstrate how business acumen can work in internal audit. These examples are based on four perspectives adapted from the Balanced Scorecard strategic planning and management tool: governance, client, internal processes, and innovation and learning. The boxes substitute governance for the Balanced Scorecard's finance measure. CAEs should plan, track, and report to the board and management on initiatives in each of these areas.
Internal Audit's Acumen
CAEs are likely undertaking some or many of these initiatives, as well as some others. To get the attention and mutual understanding needed, annual internal audit plans and year-end reports should include a formal strategy on investments in building staff capabilities to better respond to the emerging needs of the organization. This approach can foster productive discussions and improved understandings with management and the audit committee.
These examples can improve mutual understanding, enhance business capabilities, and strengthen relationships at the governance level of the organization:
- Have the CAE actively participate in regular meetings of the audit committee operational governing body.
- Assign individual audit managers to each of the major lines of business as account managers.
- Build the internal audit universe on top of the organization's strategic objectives.
- Conduct organizationwide internal audits in support of key corporate activities such as internal communications.
These examples can improve mutual understanding, improve business capabilities, and strengthen relationships with the organization's business units:
- Base multiyear, annual audit, and engagement plans on the organization's corporate and business risk profiles.
- Include strategic upside risks of opportunities and strengths in annual internal audit plans to complement the traditional focus on key downside risks of weaknesses and threats.
- Reinforce the role of other internal assurance functions (second line of defense), such as risk management and financial control, by auditing their processes.
- Invite business units to link the timing of audit engagements to their business information needs, such as in support of future financial approval submissions for major initiatives or new programs.
- Provide information on assessment criteria well in advance of an audit engagement when there are known shortcomings, to enable managers to take corrective action before the audit.
These internal audit processes can improve mutual understanding and business capabilities, as well as strengthen client relationships throughout the organization:
- Report more deeply on audit findings by avoiding a narrow-minded approach to audit issues. For example, reports should discuss the broader implications and possibilities of findings, such as their impact on broader business objectives. Internal audit also should show how findings link to implications for other business purposes and recommend reducing inefficient internal controls.
- Submit periodic status reports on the internal audit plan's implementation and adjust them during the year to better address emerging business assurance needs.
- Issue periodic reports on significant operational risks based on analyses of internal audit findings within the organization or across the industry.
- Offer to provide consulting and research services in conjunction with individual engagements.
- Invite internal audit team members to meet the audit committee and observe its discussion of their individual engagements.
Innovation and Learning
These examples of innovation and learning can improve mutual understanding, enhance business capabilities, and strengthen relationships:
- Assign talented employees from other business units to short-term engagements within internal audit. This practice can develop those employees, as well as bring their insight to audit staff members.
- Send talented internal auditors on developmental, nonaudit assignments within business units. This practice can help those auditors build business acumen and pass their knowledge to the teams with whom they work.
- Bring internal auditors from field offices to work at headquarters.
- Train new managers on internal audit's role and areas of expertise such as management control and risk management.
- Participate in professional associations other than internal audit, such as risk management, IT, security, and fraud prevention. Such groups can help auditors keep abreast of leading practices and share lessons learned with audit colleagues.