In today’s competitive business landscape, most departments, including internal audit, must continually operate more efficiently and add greater value to the business. “Like every other area of the organization, we’re strapped for resources,” says Tony Redlinger, director of internal audit with IHS Markit, a provider of insight and information. “We have to do more with less.”
To meet this goal, internal audit has to boost its performance throughout each stage of the audit cycle. The guidelines below can help you improve the risk assessment, planning, execution, and reporting stages of the audit cycle.
Expand the scope of the risk assessment
When it comes to assessing risks, internal auditors need to look beyond the functions traditionally considered within the typical audit scope, such as cash controls and accounts payable, and examine risks in other functions that are strategically important to the organization.
“Think outside your comfort zone,” says Ed Williams, senior manager in the risk advisory services practice with Experis Finance. “Two areas that often would benefit from closer examination are strategic planning and the organizational culture.”
Both functions can expose an organization to significant risk. However, many organizations fail to integrate risk assessment and monitoring into their strategic planning processes, and often don’t consider the concept of “culture risk.” Instead, the focus remains on traditional risk areas. “Internal audit shops that don’t pay attention to these are missing the boat,” he says.
To be sure, approaching departments you’ve never audited comes with a learning curve. One starting point is to review industry information that’s available publicly, usually through online searches. Internal audit also needs to simply ask executive management and the board about their concerns.
“Just like you talk to accounts payable, ask ‘Where do you see the risks and concerns?’” Williams says. “It’s the same process, but in a different area.”
Dedicate sufficient time for planning
It can be tempting to rush through the planning stage and jump right into an audit. Rick Franklin, internal audit managing director with Protiviti, recommends allocating enough time to define the audit scope with as much accuracy as reasonably possible. That way, everyone involved knows what to expect and the way in which resources will be deployed. During the planning stage it’s also important to reach an agreement with management on the audit’s estimated time frame.
As part of the planning process, determine how you can leverage work done by other assurance areas, like compliance. Minimizing duplication reduces cycle time, Redlinger notes.
While reviewing past audit work can provide context, keep in mind that business environments change. For instance, say a process that had been manual was automated. Rather than assess the old manual process, the audit should check that the automated system is configured and operating correctly.
“Don’t just repeat the past,” Redlinger says. “Understand the current environment.”
To be sure, audits can twist and turn as new information is discovered. As you find exceptions, share them with the group to determine if the new data warrant a delay.
“If an auditor feels additional research is needed, that’s important,” Franklin says. At the same time, internal audit needs to concentrate on material areas and stay true to the audit’s initial objectives. “Avoid scope creep that can’t truly be justified,” he adds.
Developing Agility: One way internal audit can improve all phases of the audit cycle is by becoming more agile, Williams says. The concept goes beyond flexibility and requires a willingness and ability to “go in one direction, realize the path is not worth your time, and then pivot to a different direction,” Williams says. The goal is to identify and focus on the risks and concerns that are strategic to the business, and through which internal audit can provide value. That requires continually assessing which risks are most significant and dedicating resources to them.
Use technology to enhance field work
Today’s software and systems are poised to play a growing role within the internal audit function, and particularly within fieldwork. Yet, internal audit’s use of data analytics is in its early stages, especially in North America, according to Protiviti’s 2018 Internal Audit Capabilities and Needs Survey. Less than two-thirds of respondents in North America use data analytics, versus 76 percent of respondents in Europe and Asia-Pacific.
“The world of data analytics and predictive indexing is exploding, and the opportunities to re-engineer how internal audit works is amazing,” says Larry Harrington, vice president of internal audit with Raytheon Company.
New technology can allow for more comprehensive testing in less time and with less travel, Harrington says. In addition, by automating routine tasks, technology will free up auditors to take on more complex work. And, using technology to move from paper-based to electronic processes will boost efficiency, as information is more easily shared and searched.
More important, the use of data analysis, data mining and data extraction solutions will change the audit process itself.
“It’s not just putting analytics as an add-on to what you’re already doing,” Williams says.
For instance, rather than manually pull, examine, and reconcile one set of information against another, software analytics allows internal auditors to efficiently review transactions, identify anomalies, and assess risk. That will help internal audit focus its efforts and resources, he adds.
As technology plays a greater role in the audit cycle, some organizations will shift to continuous auditing. They’ll use technology to assess and analyze patterns and trends in data, identify exceptions and test controls in close to real-time. They’ll be able to more quickly determine the reasons for the exceptions than they can with periodic audits. As a result, they can offer more timely insight to mitigate the risks in the future.
This doesn’t mean computers will take over the audit process. Williams notes that auditing remains “a principles-based profession.” Auditors still need to adhere to professional standards, and then use technology to enhance their work throughout the audit cycle.
Tailor reporting to the audience
Two issues are key during the reporting phase, according to Franklin.
One is how internal audit communicates. Internal audit needs to understand its audience and tailor its communication accordingly. For example, the conversation with a plant supervisor could focus on day-to-day operations, whereas a discussion with a board member likely would encompass more strategic risks.
The other issue is timeliness. To add the most value, the conclusions and recommendations for mitigating risks need to be issued in a timely manner. One way to achieve this is for auditors to start crafting their observations while the field work is underway, rather than waiting until it’s concluded. Their thoughts are fresh, they can get near real-time feedback from the business units, and they can identify items that require follow up.
For instance, during status meetings, the audit team can initiate discussions on items that might be reportable, highlight their concerns, and check for inaccuracies.
“It allows the process to take hold earlier,” Franklin says. By accelerating the delivery of meaningful feedback, decision-makers can act more quickly, he adds.