Moving From Performing Internal Audits to Providing Assurance​

Comments Views

In 2001, I joined a new company called Solectron as the head of internal audit. Solectron had a history of entrepreunership and innovation (twice winning the Malcolm Baldridge award, in 1991 and 1997. I felt it was time to apply that innovative spirit to internal audit as I redesigned and rebuilt the internal audit function.

I wanted to move awaty from the prior practices of auditing the major locations every so often, assessing the more significant risks at those locations, to a top-down and risk-based approach — where we assessed the controls over the more significant risks to the business as a whole, provided an annual opinion on the adequacy of controls every yeat, and were a catalyst for change rather than a sideline observer and commentator.

To do this, I had to persuade both executive management and the audit committee.

Here is the note that I included in the audit committee materials.

I have some questions for you:

  • Do you agree with the principles that internal audit should be more focused on the big picture of providing assurance than on the smaller one of performing audits?
  • If so, how well are we doing?
  • What are the barriers to success?

WHAT DO WE MEAN BY MOVING FROM

"AUDIT" TO "ASSURANCE"?

We recognize that the value to be obtained from an internal audit function is derived from two things:

  1. The "peace of mind" we give our customers with our objective assessment of the company's system of internal controls and their management of business risk; and,
  2. The change that is effected as the result of our work.

Our primary customer is the Audit Committee of the Board of Directors. Other customers include executive, senior, and operating management. The value of our work can only be measured in terms of our ability to satisfy our customers' needs.

First and foremost, the Audit Committee relies on Internal Audit for assurance that the corporation's internal controls are adequate to address significant business risks. The Committee and executive management rely on us, not only for our assessment, but also for assurance that appropriate corrective actions are taking place to limit any business risk resulting from controls weaknesses. Traditionally, we have met that need with formal audits that express an opinion on the condition of controls[1].

In these times of increasing attention by regulators (e.g., the SEC[2],[3]) and the investing public on the role of the Audit Committee, it is our responsibility to provide the members of that Committee with the information they need to perform their responsibilities. It is our contention that performing a series of traditional assurance audits that addresses all major business risks over a short period, perhaps 3 years, no longer meets our primary customer's needs. We need to provide more continuous assurance; in fact, an annual opinion has become appropriate.

Our challenge in 2001 is to move from the traditional, series-of-audits approach to one that provides a more continuous level of assurance. We need to be able to express an overall opinion on the corporation's systems of internal control every year, for the January Audit Committee meeting. We will build that assessment on a number of bricks and blocks, of different shapes and sizes. Many activities, some traditional and some radical, will help us obtain sufficient knowledge and understanding of the system of internal controls to express that opinion. We will consider, for example:

  • Traditional assurance audits
  • CSA workshops
  • Management self-assessment
  • Reliance on the work of third parties, including the external auditors, regulators, etc.
  • Controls monitoring activities (either monitoring controls performance directly, or searching for red flags that indicate potential controls problems)
  • Partnering with other groups in the corporation that monitor the performance of internal controls
  • Controls consulting work[4]
  • Participation in task forces, committees, systems development projects, etc.
  • Any other work that adds value and information

Our 2001 projects will be justified either because they are necessary to provide "Peace of Mind Through Controls Assurance", or because they add significant value (or both)[5]

There are areas where our unique talents can assist the company make changes that have a significant impact on operations. As we develop the scope and objectives of each project, and choose from among the variety of resources and tools available for our use, we will strive to develop a question that strikes at the heart of the business issue. It will be a question that confronts the business problem head-on. With the support (and frequently the participation) of management, we will use our objectivity, facilitation, analytical, and other skills to identify business-practical resolutions and action items.

These "WOW! Value-Added Projects" will not only help improve the company's bottom line, but they will be dynamic opportunities for the audit staff to develop and showcase their skills. They will be learning experiences, as they tackle problems that are typically multi-functional, and work with all levels of management. At the same time, they will be preparing (and presenting) themselves for their eventual move into line management. A win-win for the company and employee.

This new approach, performing projects that either add Peace of Mind or are WOW! projects, is changing our planning process. We will understand where controls weaknesses can occur that have the potential of rising to the level of Audit Committee concern. We will be creative in developing ways to obtain a level of professional confidence that those controls are adequate and operating properly…. every year. We will also ensure that we only perform work that is effective in building towards that assurance, or adds significant value to the company's bottom line.


 

[1] Many in our profession call these "assurance" audits. By contrast, "consulting" projects are focused, not on providing an objective assessment, but on correcting or enhancing an area of controls that is already known to be in need of improvement.

[2] For example, one official of the SEC recently called the Audit Committee the "watchdog of financial reporting" within a company.

[3] The Blue Ribbon Committee included a number of recommendations for Audit Committees that have not been taken up by in the new SEC, NYSE, AMEX, or NASDAQ rules. They include formal statements by Audit Committees on the financial statements and internal control systems.

[4] Some in our profession see the new definition of internal auditing as defining assurance and consulting as different and separate activities. We believe that our customers desire first and foremost that the company has adequate controls. Our consulting activities add to that assurance. In addition, we obtain valuable information about the adequacy of the company's internal controls through consulting and other work, and use that in forming our professional opinion each year.

[5] Required audits for regulators (e.g., the RFG attest) or the external auditors are considered to add value. Our performing the work is considerably less expensive than the alternative.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this article

comments powered by Disqus
    • CIA-September-2021-Blog-2
    • Your-Voices-September-2021-Blog-3