For years, internal auditors have been known by many epithets — "eyes and ears," "police," and "watchdogs," to name a few. But a fundamental shift has occurred in the profession that positions it to play a more strategic role — a shift away from mere assurance over controls to the more vital assurance over governance, risk, and compliance.
Risk management, in particular, is becoming an increasingly important part of internal auditing. In PricewaterhouseCoopers' 2011 State of the Internal Audit Profession survey, 79 percent of respondents indicate that the focus on enterprise risk management programs in the audit plan will increase over the next three years. Seventy-eight percent say there also will be an increase in the focus on strategic initiatives and programs.
Stakeholders and boards of directors increasingly are relying on internal auditors to provide enterprisewide risk intelligence and insights that can be leveraged to proactively mitigate risks, assure regulatory compliance, and, ultimately, protect stakeholders and customers. Internal auditors have become a major presence in the boardroom.
But along with this attention comes heightened expectations for more transparency and accountability. Internal auditors need to take their audit approach to the next level to meet these expectations and solidify their role as strategic partners.
Facing a Tough Lineup
Internal auditors are dealing with an unprecedented level of change. Businesses continually are restructuring, merging, and acquiring. Supply and distribution chains are expanding quickly across multiple geographies. Cloud computing and virtualization are dissolving network boundaries. Cyberfraud is becoming more sophisticated and pronounced. An increasing number of risks are emerging, as are unanticipated "black swan" events such as the Japanese nuclear facility flooding last year and the 2010 BP oil spill in the Gulf of Mexico.
On the other side of the fence, regulatory bodies and governments are introducing regulation after regulation. The average bank in the United States has to comply with Basel III, the Gramm-Leach-Bliley Act, the Payment Card Industry Data Security Standard, the Dodd-Frank Wall Street Reform and Consumer Protection Act, and the Sarbanes-Oxley Act of 2002, to name just a few. Compounding the challenge, regulations are evolving continually.
This tough business landscape makes internal auditing that much more of a challenge. Older demands for controls assurance have to be balanced with newer demands for risk management. A plethora of risks have to be monitored and mitigated. Fraud has to be prevented or deterred, risk intelligence provided, and audits aligned with business strategy. All these initiatives have to be conducted across hundreds of processes, departments, business units, and locations with thousands of employees. To top it off, resources are limited, which means internal auditors have to do more with less.
The Way Forward
Internal audit as a function must reinvent itself to stay current and relevant to the business. Audit departments are adopting some practical strategies to address the demands of their new role and drive value for their organization.
Focus on Objective-based Audits
When the risk-based audit approach emerged several years ago, it focused on prioritizing risks based on their impact and likelihood of occurrence. High-priority risks were given maximum attention, while low-priority risks were generally ignored or accepted.
Risk assessment can be a very judgmental process, and some risks that are perceived to have a low likelihood of occurrence may be judged as low priority. However, we saw such risks materialize on Sept. 11, 2001, and, more recently, during the BP oil spill. Who would have thought that a plane would crash into the World Trade Center, or that a deep-water oil rig explosion would occur?
In response to these surprises, audit experts are fast shifting away from a traditional risk-based approach toward an objective-based approach where the company's objectives and goals become the central focus of the audit. After all, risks are only relevant when seen in the context of the company's objectives.
The chief advantage of the objective-based approach is that it enables a more targeted audit by focusing audit resources only on those risks that truly matter to the organization's strategies and goals. It also accounts for low-priority risks and enhances the capacity of internal audit to achieve its objectives. Implementing an objective-based approach involves:
- Relying on people for risk input. Managers across the organization deal with risks every day. Because they understand their objectives, they tend to know instinctively which risks may impact those objectives, making them best positioned to help auditors understand the relationship between the company's objectives and its risks.
- Mapping risks to objectives. Internal auditors can use managers' responses to quantify the relationships between risks and objectives. Applying this method enables practitioners to discover risks they had not considered.
- Identifying risk patterns. Risks interact with each other and with objectives in complex ways. Auditors need to understand these interactions instead of looking at each risk in isolation. The whole is often more dangerous than the sum of its parts — much like reading a book while crossing a road is more dangerous than doing each activity independently.
- Focusing risk management on the most critical objectives. By putting objectives before risk, auditors can mitigate those risks that impair the achievement of objectives and exploit risks that enable value creation. This helps internal auditors use audit resources efficiently, facilitate transparency, and align risk management with business strategy.
Strengthen Audit Relevance and Effectiveness
Internal auditors are under increasing pressure to provide assurance related to organizational risk-resilience, identify areas that may contribute to the bottom line, and provide management with ongoing information — all with speed, agility, and efficiency. In this demanding environment, traditional cyclical and ad hoc audits are not sufficient to keep up with the pace of business change. Auditors need to shift toward continuous auditing, wherein audit data is analyzed on an ongoing basis. This is critical for the early identification of risks, trends, errors, fraud, waste, and areas for improvement.
The value of continuous auditing lies in its focus on 100 percent of the data rather than on a random sample. This ensures a more thorough and comprehensive check of risks and controls. However, gathering and studying all audit data across processes, functions, and business units is a Herculean task.
To simplify the process, experts have implemented several practical strategies. For instance, audit data can be prioritized to focus on the most critical data. In addition, a centralized audit data management system could be implemented to extract only the relevant audit information from large volumes of enterprise data. Also, those areas prone to delivering a large number of false-positive results can be avoided to maximize the efficiency and effectiveness of continuous auditing efforts. Finally, technology can be leveraged to automate control testing and issue detection, integrate information gathering, and facilitate centralized collaboration with auditable entities.
Focus Sharply on a Proactive Audit Approach
Traditional internal audits looked at past events and transactions, determined what went wrong, and made recommendations to correct the sins of the past. In recent years, distinguished internal auditors have focused on the here and now, connecting the dots to provide insights that help the organization be successful going forward. While such insights elevate the stature of internal auditors, it is becoming increasingly important for them to be proactive and show foresight to help identify emerging risks and trends. Leveraging their knowledge about governance, risk management, and controls, internal auditors are in a unique position to help interpret the signals of today and anticipate the changes of tomorrow.
This approach is critical because the risk landscape is continually changing. Old risks are evolving, and new ones are emerging all the time. Instead of being unprepared to deal with these risks, companies are looking to anticipate and react to them better. They are relying on internal auditors to provide risk recommendations that can influence positive change.
Act as a Trusted Adviser to Top Management
Internal audit is as much about communication as it is about assessing risks and controls. Communication with top management, C-suite executives, and boards is particularly important. These stakeholders rely on internal auditors to ensure that the risks taken are within the risk appetite, and that compliance with policies, procedures, and standards is up to the mark. That means internal auditors need to stay informed of business plans, events, developments, and new initiatives.
For example, auditors should get involved with strategic developments such as new growth in emerging markets because new markets come with a host of new compliance regulations and risks such as political instability, cultural differences, and scarcity of resources. Internal auditors can play a key role in advising top management on how to understand and manage the risks involved, charting out a plan for an appropriate control environment, learning about the new market's regulatory norms, and establishing an audit framework that enables value creation throughout the enterprise.
Facilitate Collaboration Across the Enterprise
Internal audit is no longer a stand-alone group that operates independently from other functions. It needs to be aligned with other assurance functions such as risk management, compliance, IT, security, and quality control so it can better understand the company's risk-taking activities.
Internal auditors also have the power to leverage collaboration in a way that drives a risk- and compliance-focused culture across the enterprise. They can, for instance, facilitate the identification and evaluation of emerging risks, facilitate compliance and ethics training for employees, monitor a hotline and encourage reporting of adverse incidents, drive surveys to determine whether employee activities are in sync with company goals and policies, and develop campaigns to promote fraud awareness.
Follow Professional Guidance
To remain respected within the field, auditors must not only comply with The IIA's International Standards for the Professional Practice of Internal Auditing and Code of Ethics, but also be familiar with and generally follow the strongly recommended guidance contained in the International Professional Practices Framework.
Bring Together People, Processes, and Technology
The success of internal audit largely is determined by how effectively people, processes, and technology are aligned. People are the crux of the audit function. Organizations would do well to strike a balance between the knowledge and experience of senior audit leaders and the new skills and innovation of younger auditors. Additionally, ongoing training and updating of skills are imperative.
Similarly, processes need to evolve continually if internal audit is to improve efficiency and drive value for the business while cutting costs. Technology also has begun to offer new ways to automate processes, integrate internal audit with other business functions, and facilitate real-time visibility into audits across the enterprise. The key is to reassess the role of technology, processes, and people continuously, and to determine which of the areas need to be enhanced depending on the organization's unique requirements.
Seize the Opportunity
Now is an exciting time to be an internal auditor. No longer is the role limited to financial reporting oversight, Sarbanes-Oxley compliance, or controls assurance. Today's internal auditors have the opportunity to play a fundamental role in directing company strategy and enabling success. It is time for auditors to step up to the plate and prove their value to the organization by evolving internal audit and leveraging it to support the organization, thereby enabling it to move forward into a new era of profitability.