Dan Swanson recently posed the question, "Where should IA focus its efforts over the next 1-2 years?" This was my reply:
My suggestion for IA is:
- Work with management to improve risk management processes.
- Work with the board to improve risk oversight.
- Move to formal periodic reporting on the adequacy of governance, risk management, and related control processes.
- Move to an internal audit program that is focused on providing assurance and consulting services relative to the higher risks to the business as a whole. Move away from bottom-up auditing (we have to audit the Sydney factory because it is large) and middle-down auditing (IT is important, so we have to audit IT general controls in their entirety), which are not based on risks to the business as a whole.
- Move to an internal audit program where the risk assessment is updated at least monthly, ensuring that today's risks (and perhaps tomorrow's) are being addressed, rather than yesterday's.
- Improve the use of technology, and consider building a continuous auditing program as described in the IIA GTAG or a continuous risk and control assurance program described in my paper.
- Address the issue of whether management and boards are receiving sufficient, timely, reliable, and current information on which to base their decisions. See this post.
- Address the risk of ineffective management, hiring practices, etc. See two posts, here and here.
- Have a formal strategy.
- Be introspective and constantly ask whether IA is adding the value it can, how to be more of a rock star and drive improvements to the business, and how have technology and best practice changed, and can I leverage them better?
You can also read my foreword to Dan's book, shown here: http://normanmarks.wordpress.com/2010/06/29/the-future-of-the-internal-audit-profession/.
Do you agree?