Let's be honest, there are many negative perceptions of internal audit. Whether perceived to waste management's time with rote compliance testing, lack of knowledge of the business function being reviewed, or feared for potentially uncovering hidden secrets, the traditional view of internal audit has been mixed.
Let's take a look at the macro environment first. It doesn't take much time for anyone to search up and find corporate scandals and frauds. From Volkswagon's "Dieselgate" to FIFA's bribery and money-laundering scandal to fake accounts at Wells Fargo, these are just a sample of stories depicting a premeditated breach of internal controls and perpetration of fraud – sometimes through the direct involvement and approval of the most senior levels of management. These examples only represent a drop of water in an ocean of publicized as well as non-publicized issues impacting corporations around the globe totaling billions of dollars of direct impact to shareholders like you and me.
A complete and rigorous governance, risk and control framework is needed to combat headlines like those above, and should be based on setting strategy to preserve and build value, outlining roles and accountabilities for all aspects of strategy and operations, and identifying challenges to achievement of business objectives (i.e. risks). If entity-level controls are weak, businesses may have confused ethics and direction on how to carry out operations. If the board of directors isn't clear on what is of value to an organization, they may be confused on what to monitor. If all key stakeholders have an inadequate understanding of key corporate risks, this may result in inadequate risk mitigation measures. If internal audit isn't aligning its activity with corporate strategy and helping management accomplish its objectives, it may only be providing form over substance.
The following are some initial topics to consider asking to evaluate if internal audit is providing value to your organization:
1. Is it clear what internal audit does? An organization is based on selling/providing a good or service. What if a customer walked into your business and saw no shelves, no advertising, or no brochures? How do they know what is being sold? Internal audit needs to communicate what is being provided – the fundamentals of services, authority and scope. They should also set the expectations, communicate the services provided, advertise their successes, and continually dialogue with all levels of the organization.
2. Is internal audit aligned with the business? Internal audit must spend time to meet with management, read and understand strategy and business plans, and continually assess the business environment. The focus, strategy and delivery of internal audit services should dovetail with corporate strategy so that deliverables help management accomplish their objectives, including identifying potential pitfalls.
3. Does internal audit understand corporate risks? Internal audit must understand the risks the organization faces. If testing is done without understanding risk, it ends up being a rote exercise of limited value. Identifying risk, discussing them with management, and then auditing the key controls within those key risk areas will assist the company in their pursuit of value preservation and generation.
4. Is internal audit considered a strategic partner and advisor? Internal audit must be seen as a strategic partner and advisor – are they really helping the organization achieve desired outcomes? Internal audit should be involved with assessing new projects, initiatives, and organizational changes by bringing an understanding of the underlying risks, controls and applicable legislation that may impact changes and ultimately success.
Value is in two horses pulling a wagon in the same direction. Each has a work to do but each is inherently helping the other as long as they are both pulling together. Value may have different connotations to different organizations – improve a business or verify compliance with policies and procedures. Don't just provide internal audit services – coordinate with management and provide the value that ensures everyone is satisfied with the final deliverables. And remember that value comes from continuous improvement through asking how practices can be changed, audits conducted, results communicated, and relationships invested in to evolve the business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.