For good reasons, internal audit traditionally spends a lot of its time on internal controls over financial reporting (ICFR), a very important area. Unless there was a recent material weakness or significant deficiency, or one that is still being remediated, this does not tend to be a high residual risk area. That is because ICFR gets much attention from management, internal and external audit, and internal audit's traditional administrative boss, the chief financial officer (CFO).
But what about nonfinancial reporting areas? As internal audit strives to further increase its business relevance, it sometimes is challenged to get others to accept the value it can bring to areas outside those that others consider more traditional.
Higher residual risks are likely to be found outside of financial reporting, including in legal compliance, front office operations, and back office end-to-end processes. Organizations publicly report on many areas outside of the financial statements, in growing areas such as environmental, social, and governance as well as diversity, equity, and inclusion. But is internal audit providing increased confidence (assurance) in these nonfinancial reporting areas? If not internal audit, then somebody else will provide it or already does.
One way we can help management and the board understand that internal audit can work on more than just ICFR is to add an "n" to the abbreviation. Just as we provide more confidence around financial reporting, we also can provide assurance on nonfinancial reporting by auditing or advising on those internal controls over nonfinancial reporting, or ICnFR.
Actually, we should just drop it all and talk about internal controls (ICs). By definition, internal controls are in place so that objectives are met, meaning that the risk of not meeting objectives is managed within tolerance. These controls can be at many levels and be in place to manage any risk.
Internal audit is expert in internal controls and is in the best position to add value relative to any and all that are put in place to manage risk — any risk. So when we communicate what we do or can do, we can simply talk about internal controls over anything, or ICx.
Timothy J. Berichon, CIA, QIAL, CPA, is director, Insights & Intelligence, at The IIA.