The world we live in is volatile, uncertain, complex and ambiguous. Business models are changing rapidly along with the introduction of innovative products and processes. Disruptive models and technologies are making traditional business extinct and therefore companies need to reinvent themselves. Across the world, newer legislations, governance codes and practices have been instituted. In the midst of this environment, we have seen several business failures, in India and overseas, that not just relate to poor strategy or risk taking at unacceptable levels but also those owing to financial fraud and poor corporate governance practices. In this environment, the role of the Board and its Committees are onerous. The importance of managing investor expectations, developing a sound business strategy with high quality execution coupled with robust systems, processes and good corporate governance practices cannot be over emphasized.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include:
- Reliability of integrity of financial and operational information.
- Effectiveness and efficiency of operations.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts
Internal Audit is a critical element in the assurance environment of the organizations and a valuable tool and contributor to managing risks more effectively. It is a key attribute of good governance which provides the Directors, Audit Committee, CxOs and various stake holders with an independent view on whether the organization has an appropriate risk and control environment. It also acts as a catalyst for a strong risk and compliance culture within an organization.
Improving effectiveness of IA
Faced with new market opportunities, ongoing economic challenges, increased pressure to improve risk management effectiveness, and unprecedented regulatory requirements, many organizations are recognizing the importance of internal audit and risk management functions to turn these disruptive forces into opportunities. A discussion on the potential levers for enhancing effectiveness of Internal Audit follows:
Risk Based Internal Audit
Over the last few years, the need to manage risks has become recognized as an essential part of good corporate governance practice. This has put organizations under increasing pressure to identify all the business risks they face and to explain how they manage them. In fact, the activities involved in managing risks have been recognized as playing a central and essential role in maintaining a sound system of internal control.
While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. We believe that a professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organization’s own risk management framework.
IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organization’s overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
By following RBIA internal audit should be able to conclude that:
- Management has identified, assessed and responded to risks above and below the risk appetite
- The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
- Where residual risks are not in line with the risk appetite, action is being taken to remedy that
- Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
- Risks, responses and actions are being properly classified and reported.
This enables internal audit to provide the board with assurance that it needs on three areas:
- Risk management processes, both their design and how well they are working
- Management of those risks classified as ‘key’, including the effectiveness of the controls and other responses to them
- Complete, accurate and appropriate reporting and classification of risks
Implementation of RBIA
The implementation and ongoing operation of RBIA has three stages
Stage 1: Assessing risk maturity : Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes.
Stage 2: Periodic audit planning : Planning the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritizing audit areas based on risk analysis.
Stage 3: Executing audit assignments : Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.
Process Based Internal Audit
The process based approach to Internal audit focuses on evaluation of the efficiency of various organizational processes with the objective of rationalizing and achieving the desired efficiency in various processes. A process based audit checks the adequacy and effectiveness of the process in meeting its objectives. A process based audit is an evaluation of the sequential steps and interactions of a process within a system. A process is simply a way of doing something. process is a series of actions or steps that lead to a desired result : Input – Process – Output. A process based approach to audit examines the resources (equipment, materials and people) used to transform the inputs into outputs, the environment, the methods (procedures and instructions) followed and the measures adopted to determine process performance.
Elements of a Process
- Expected inputs
- Expected activities of the process
- Expected output
- Expected results
- Verification of activities
- Action for correction / improvement
Evaluating a Process – Basic Questions
- What are you trying to do? Why ?
- How do you make it happen?
- How do you know you are doing it right?
- How do you know it’s the best way of doing it ?
- How do you know it’s the right way of doing it ?
- Did you receive what you are supposed to receive from the previous process ?
- Did you do what you are supposed to do at your process ?
- Did you send what you are supposed to send to the next process ?
Just because it’s always been done that way, does not mean it’s being done correctly
Benefits of Process Approach to IA
- Focuses on process and results
- Determines effectiveness of the processes
- Evaluates the results the process delivers
- Tests linkages between departments and processes
- Follows flow of work throughout organization
- Determines if processes are under control and controls are effective
Essentials of an effective process
- A process must have a well-specified design; otherwise, the people performing it won’t know what to do or when.
- The people who execute the process, the performers, must have appropriate skills and knowledge; otherwise, they won’t be able to implement the design.
- There has to be an owner, a senior executive who has the responsibility and authority to ensure that the process delivers results; otherwise, it will not be effective.
- The company must align its infrastructure, such as information technologies and systems, to support the process; otherwise, they will impede its performance.
- Finally, the company must develop and use the right metrics to assess the performance of the process over time; otherwise, it won’t deliver the right results.
These enablers give a process the potential to deliver high performance.
Methodology of Process Based Internal Audit
- Develop a Process Flow Chart for mapping processes / activities
- Identify non-value adding activities
- Look for factual evidence that the process works
- Plan – Do – Check – Act (PDCA )
- Check whether the process meets the objectives
- Evaluate the process – time/cost/quality/efforts/environment
- Identify areas for improvement
- Make recommendations for Process improvement
Agile Internal Audit
Agile IA is the mind-set that an Internal Audit function adopts to focus on stakeholder needs, accelerate audit cycles, drive timely insights, reduce wasted effort. Agile prompts internal auditors and stakeholders to determine, upfront, the value to be delivered by an audit or project. As the Internal Audit function considers their specific challenges and contemplates a custom solution, agile audits
- Are outcome driven / value driven
- Break some eggs- Challenge that’s the way we have always done it
- Focus on Impact over thoroughness – 80/20 Rule
IA Plan and Strategy
Internal audit may have a charter and an annual plan, but many do not have a higher-level, internal audit-specific strategic plan. A detailed strategy enables internal audit to align its objectives to the organization.The internal audit strategy should have a long-term (e.g., three to five-year) time horizon and have a road map that is based on the organization’s overall strategy, stakeholder expectations, regulatory requirements and the role of the other risk functions. Develop an internal audit-specific strategy that matches the organization’s strategic plan time horizon to increase organizational alignment and improve internal audit’s relevance to other operating functions.
Assessing skills and managing talent
As the role of the internal auditor evolves and stakeholder expectations rise, internal audit increasingly requires competencies that exceed the more traditional technical skills. In addition to internal audit knowledge, stakeholders expect internal auditors to have the ability to team with management and business units on relevant business issues. They also expect internal audit resources to have deep sector knowledge and business acumen. Being able to look at the totality of the business and of the processes — that’s what sets a good internal auditor apart
Leveraging Data Analytics
Use analytics as part of a comprehensive program throughout the audit life cycle rather than on an ad hoc basis. Embedding data analytics into the audit plan can help internal
audit guide the risk assessment, drive enterprise efficiencies and results that add tangible value to the business, and effectively communicate to the audit committee
Executing a focused, dynamic audit plan
Internal audit must develop an audit plan that focuses on organizational strategic imperatives and key business risks identified during the risk assessment, including an appropriate blend of:
- Advisory and assurance reviews
- Thematic audits
- Issue-based audits
Update audit plans according to business cycles and triggering events such as a merger or acquisition, new product launch or litigation.
Conducting thematic audits
Thematic and issue based audits are not new to internal audit. But they are making a resurgence as stakeholders increasingly want to know the implications, magnitudes and insights that audit findings convey. Thematic audits are one way of doing this. Themes should be tailored to the sector, organizational structure, business life cycle and strategy. These audits can include a mix of advisory and assurance reviews.
The future of IA is now
Today, change is coming faster than ever before – and there is more of it. The sheer velocity of change has upended the business environment and rearranged the landscape. Organizations must identify, assess and address emerging risks without losing sight of their existing business and control environment. They are not only working to get ahead of the curve – often they are struggling to keep up – and not always succeeding. Management, audit committees and boards of directors rely on internal audit to provide assessments and assurance around the effectiveness of controls and company processes, while also providing support in a diverse array of risk and business process improvement areas. In an expanding risk landscape Internal Audit has emerged as a critical lever for change. Now, more than ever, it needs to rise to the challenge and demonstrate its value.