Executive summary: 10 ways to increase internal audit relevancy
INSIGHT ARTICLE
Internal audit is a critical function within an organization, but in many cases, it does not receive the proper credit for adding value. In addition to monitoring risk, internal audit can identify various business opportunities and cost savings. Chief audit executives (CAE) can improve effectiveness and gain efficiencies by increasing the relevancy of several governance, risk and compliance activities.
Security is a hot topic with every organization, as emerging threats seem to be looming around every corner. Modern threats are built to bypass traditional preventive controls; therefore, companies must implement robust detective and corrective controls. When addressing these multitiered cybersecurity threats, the evaluation of risk management must also be multitiered.
Tier one involves strategic assessments, with security governance measures to ensure programs are complete and effective, as well as enhanced management oversight and security risk management. Tier two includes tactical assessments, such as security testing to identify and remediate weaknesses and effectively address the most critical areas of security programs. Tier three involves change-based assessments, evaluating risks of major changes in technologies or business processes.
Effective use of co-sourcing
Organizations normally enter one of three major types of sourcing arrangements for the risk management function: in-house, outsourcing or co-sourcing. With co-sourcing, internal audit is conducted in tandem between the company’s department and an internal audit service provider.
Co-sourcing is a growing business trend, as the strategy typically increases productivity and return on investment for the risk management function. In addition, companies are turning to internal audit co-sourcing as a way to:
- Control costs
- Avoid dealing with staff turnover
- Cover unexpected staffing needs
- Access subject matter expertise in areas such as tax, cybersecurity, revenue recognition, etc.
- Enhance ability to keep up with changing technology and related needs
Optimize the value of ERM
Global events, environmental disasters, regulatory changes and product, system and service failures lead many companies to explore a more extensive risk approach. In response, boards and senior management are taking a closer look at how risk is handled and are implementing enterprise risk management (ERM) strategies.
Unfortunately, without focus on the proper areas, ERM programs may not deliver their projected value. The CAE or internal audit function can enhance the relevancy of the ERM program by targeting several improvement areas, including:
- Evaluating the program’s framework and methodology, executive sponsorship and board support
- Assessing responsibilities and effectiveness of lines of defense and coordinating testing where applicable
- Aligning risk processes with business objectives and strategies
Measure the performance of the internal audit function
Historically, organizations have assessed the internal audit function on metrics such as the percentage of the audit plan completed, the ratings of audit reports and the implementation of audit recommendations. These historical measures are important and remain in use in many organizations, but there are also more progressive ways to measure the performance and value of an internal audit function.
For example, value-added scorecards are agreed upon by the audit committee and senior management and provide a tangible score that measures success throughout the year across a variety of topics. Organizations should measure the statistics that drive performance and support the strategic goals, benchmark the current department to establish a baseline, and establish tactical, measurable key performance indicators.
Enhanced business continuity plan (BCP) assessments
Business continuity is critical for all organizations. The BCP should be reviewed to determine if it addresses prevalent and growing risks, effectively manages risk and increases the return on investment. Key objectives of business continuity audits should include:
- Identifying existing recovery planning documentation, strategies and processes
- Identifying notable deficiencies and omissions
- Recommending remediation actions to improve recovery capabilities and increase efficiency of related activities
High-value areas during business continuity audits include:
- Determining if time and capital investments are efficient
- Assessing gaps between the functional recovery plans and recovery time objectives (potential downtime) and recovery point objectives (potential data loss) of various technical systems
- Assessing dependence on, and interfaces with, third parties to determine how such relationships impact the BCP
Continue leveraging technology
To enhance internal audit relevancy, companies can establish strategic and tactical plans to leverage technology and identify key stakeholders throughout the organization. Organizations can also integrate analytics throughout their audit methodology, develop analytical testing objectives and select traditional audit areas for analytics testing.
In addition, many organizations utilize a continuous monitoring strategy, but integrating a continuous auditing framework should also be considered to maximize value. Continuous monitoring is performed by management, while continuous auditing is an automated, ongoing process that enables internal audit to provide much better coverage at a lower cost and often with less effort. Putting both in place can increase the coordination between internal audit and management.
Third-party compliance reviews
Organizations are increasing their usage of third parties, such as vendors, suppliers and distributors, due to benefits related to scale, access, efficiencies, cost savings and time to market. The compliance burden is also more extensive, as regulators are paying closer attention and levying more fines and penalties.
Third-party management is a process, not a one-time action. Organizations must develop a program that focuses on people, processes and technology to identify gaps within current processes. Internal audit should develop a detailed plan, schedule and budget and broaden its view to incorporate strategic, regulatory and other third-party risk expectations that could be addressed simultaneously.
Timely assessment of the impact of regulatory changes
Regulatory changes are inevitable, and the ability to adapt is critical. Policy and process are only half of the battle; consistent execution and evidence are also key. A solution needs to be:
- Scalable to accommodate increasing depth and breadth of review and regulatory changes
- Usable by a distributed network of stakeholders and users
- Fully auditable, transparent and comprehensive
Internal audit can help establish regulatory compliance goals and assess and audit current compliance activities to identify shortcomings prior to regulatory reviews. It can also determine and implement remediation actions, identify maturity enhancements and work with legal counsel as needed.
Delivering value to stakeholders
Internal audit should play a key role as an agent of discovery for stakeholders and be viewed as a resource for asking questions and getting strong advice and recommendations on the business and the control environment. To reach this goal, performance metrics should be more closely aligned with stakeholder expectations. Don’t disregard current risk assessment and control processes, but consider these expectations when establishing the risk plan or audit plan for the year.
Leading change with results and demonstrating leadership in the organization increases the visibility and respect of internal audit. Internal audit can also aid overall performance by indicating when strategic objectives are not being met and becoming a risk partner to the business.
Use the adoption of COSO 2013 to drive initiatives
The new COSO guidelines provide an opportunity to take a fresh look at internal controls, especially entity-level controls, while also enhancing information technology controls and fraud risk assessments. The framework is broadened to include internal reporting, as well as external reporting of nonfinancial measures that are highly relevant to stakeholders and operations.
In many situations, formal controls and risk assessment activities can be brought together for a more integrated, consolidated view, instead of having separate, siloed processes. To increase effectiveness, organizations can use a tool to track status of COSO implementation, measure gaps and determine whether any new initiatives must be put in place.
The CAE plays a unique role within the organization, and focusing on these key areas can help internal audit gain more relevance by implementing a more integrated and holistic approach to risk management. Aligning risk practices with the goals of the business and driving continued success can help executives understand the true value and potential of the internal audit function.