“Internal audit can help leaders with assurance that their people, systems, and processes are able to deliver the desired results – and advice and insight on how to improve them further,” Marks writes. “But do we?”
Contributing greater value to the board and top management by serving as a knowledgeable and respected advisor may require a shift in thinking about the role that internal audit plays within the organization. It is also likely to necessitate a change in audit planning and practices. Audits themselves must be seen as a critical component of a more holistic and continuous approach to identifying and analyzing risk, evaluating the effectiveness of controls, and proactively addressing areas of weakness.
The board’s approach to internal audit
Ensuring Internal Audit Is Doing What Really Matters, from the global consulting firm Proviti, approaches the role of internal audit from the perspective of the board.
When assessing the viability of internal audit, defining expectations, and putting resources into place, the article suggests boards take into account internal audit’s ability to provide adequate attention to operations, compliance, and nonfinancial reporting issues. Equally important is the ability of internal audit to deliver insight related to strategic uncertainties and the decision-making processes of the organization, “particularly around risk acceptance, and whether the right risks are accepted by the right people at acceptable levels.”
It’s also recommended that the board conduct a periodic evaluation of internal audit activities that take into account changes in company operations and the environment in which the organization operates.
In addition to a direct line of reporting to the board, internal audit should be given the authority and independence to evaluate and recommend changes to governance, risk management, and internal control processes related to the operational, compliance, and reporting risks the business faces. With these in place, the article notes that internal audit is empowered to serve “as a positive change agent and valued sounding board in safeguarding the adequacy and effectiveness of activities that matter most to the organization’s success.”
How can internal audit become an agent of change?
As Norman Marks points out, fully inhabiting the role of change agent and sounding board requires internal audit leaders to push beyond audit practices that adhere to the way things have always been done or narrowly focus on policies and standards requirements. When internal audit begins the process of becoming an advisor to the board, audit practices must shift from the bureaucratic to the strategic.
Audit planning will need to change in order to take into account all of the risks that could potentially prevent the organization from achieving its objectives and, as Marks writes, “include projects designed to address how well management will be able to ensure those risks are managed at acceptable levels.”
Furthermore, audits must be meaningful, transparent, and actionable to the board and top management. Marks asks, “[Are] you continuing to perform audits where, should controls fail, they would never rise to the level that they need to be discussed by the full board (because of the threat to corporate strategies) and require the attention of the CEO?” If so, be sure to expand your audit to focus on more pressing risks.
Technology and the transformation of internal audit
Ensuring Internal Audit Is Doing What Really Matters provides a detailed list of ways internal audit can contribute to the strategic vision and overall success of the organization. Included is a focus on thinking more strategically when analyzing risk and framing audit plans, providing early warning on emerging risks, improving information for decision-making, and watching for signs of risk culture deterioration.
This approach requires the full utilization of an organization’s audit data. Central to these efforts, given the limited amount of time most internal audit departments have available for making such a major shift, is another recommendation made in the Proviti article. Namely, that internal audit should leverage technology-enabled auditing.
“Technology can help to automate ongoing monitoring of certain internal controls, track issues, and provide customized dashboards and exception-reporting capability,” states the article. “By using technology, the future auditor is able to devote more time and effort to building relationships and providing expertise in high-impact areas. A technology-focused audit approach facilitates the future auditor’s shift of emphasis to strategic issues and critical enterprise risks by gaining more coverage with less effort, providing more analytic insight and offering early warning capabilities.”
How Origami Risk users are leveraging technology
An article examining trends emerging from the 2018 Origami Risk User Conference provides a first-hand account of how technology is being used to improve processes and the ability to put data to work.
Transparency and accountability. Presenters at the conference echoed the need to establish transparency and accountability in their processes. By converting from paper forms, the process is made more open and visible. Rather than remaining stuck in a file cabinet or box, data is immediately accessible and can be used to facilitate organizational change.
Connecting decision makers with data. Rather than simply “spamming” members of the board and top management with indecipherable audit reports, tailored dashboards are being pushed out to decision makers as needs and conditions warrant, providing actionable intelligence that informs both discussion and action.
Supercharging processes. The ability to customize automated, trigger-based actions is streamlining manual processes, facilitating quicker assignment when adjustments are needed, and improving monitoring of the performance of operating processes.“Would the success of the organization be in peril if internal audit disappeared?” asks Norman Marks at the conclusion of his blog post Internal audit needs to perform in a way that matters to the board and top management. It’s a question sure to hit home with those who question the role internal audit plays within the organization. Rather than simply limiting communication to audit reports, the internal audit department can ensure their efforts matter by delivering the strategic advice and insight the board and top management need. The right technology can help.
Origami Risk offers cloud-based RMIS and GRC software that includes highly-configurable, integrated audit tools that add to the transparency of audit processes, provide data-based insights that facilitate decision making, and automate processes to free up those leading internal audit to spend more time engaged with leadership.