How internal audit functions can prepare for the future
In today’s rapidly digitising and interconnected world, the role of internal audit is becoming increasingly important in order to ensure risks are well managed, compliance and a culture of good conduct. Bharat Shah, a Senior Partner at RSM India, reflects on how internal audit functions can successfully prepare for the future.
The Internal Audit function plays a crucial role in an organisation’s corporate governance framework, internal processes and controls, risk management, regulatory compliances, financial reporting and overall assistance to the Board of Directors and Senior Management to fulfil their responsibilities towards the organisation and its stakeholders.
Internal Audit function acts as an intelligent and agile tool available with the Audit Committee and the Board of Directors to discharge the duties bestowed to them by the various stakeholders. Given its onerous duties, the Board/Audit Committee heavily rely on internal audit to provide assurance to stakeholders.
Adding more value
This role is ever expanding and in many matured organisations, it is expected that the role of Internal Audit must spread into newer and broader areas such as sharing insights in management’s strategic and transformative initiatives, proactively participating in management decision making, identifying disruptive means to achieve the internal audit objectives, helping organisations reduce the overall cost of compliances, etc.
Internal audit is expected to venture into newer areas and keep innovating and improvising its Audit Charter so that the value to the organisation is maximised. Thus, there is a definitive shift in perception of internal audit function from being a Cost Center to being a Profit Center.
This article touches upon the key aspects of the Internal Audit function keeping in mind the traditional success factors, the present trends and an eye on the future of internal audit in the ever-changing business environment and digital arena.
Business risk assessment vis-a-vis internal audit plan
Risk assessment is one of the most crucial steps in the internal audit lifecycle. Any gaps in risk assessment could lead to an ineffective internal audit coverage. In this context, it is very crucial for the internal auditors to understand the overall business context including factors such as industry pulse, competitive landscape, an organisation’s strategy and business objectives, end-to-end business cycle and processes, its products, geographical presence, regulatory environment, IT systems landscape, financial statement analysis, existing risk and controls framework, etc.
Based on the above qualitative and quantitative assessment, a risk based internal audit plan is created and depending on the severity of risks assigned to the individual business processes (e.g. high / medium / low), the frequency of internal audit is determined. E.g. high and medium risk areas are covered on an annual basis and low risk areas can be covered once in three years.
Typical processes covered in an internal audit and an illustrative risk-based audit plan (for a manufacturing entity spread across 4 quarters) is given below:
Value Added Service
Internal Audit is not only expected to conserve the existing enterprise value, but also add to the organisational value. Extreme focus on only one of these areas can actually lead to deterioration of audit value.
Factors leading to conserving the value
Focus on Corporate Governance
Compliance to internal policies and procedures
Following the Audit Charter
Deploying a risk based approach
Coverage of Operational, Financial and Compliance Controls
Providing Assurance
Monitoring of Exceptions
Factors leading to value addition
Strategic Outlook
Benchmarking with Industry best practices
Agile Risk Management approach
Innovative mind-set
Anticipation
Digital Orientation
Focus on top / bottom line impact
Moving up the maturity curve
Globally, the internal audit function is undergoing a massive transformation in its scope, approach and methodology to meet its overall objectives and the expectations of various stakeholders. This is helping the auditors move up the maturity curve – from a basic Internal Audit function to the Internal Audit function of the future.
The key parameters to be evaluated to assess the maturity of the internal audit function are summarised in the below table and some of these are elaborated further:
Robust internal audit methodology
An organisation’s internal audit methodology is generally based on globally acceptable SIAs issued by leading Accounting and Auditing Boards. Organisations develop their own internal audit charter aligned to the departmental objectives set by the audit committee of the Board of Directors and adapt a methodology which best suits their business requirements.
It is pertinent to note that successful implementation of the adopted methodology is possible when the internal audit team has adequate budgets and the necessary powers (without any limitations) to execute its responsibilities. Hence it is important that the internal audit has adequate support and backing from the audit committee to meet its objectives.
A robust methodology would ensure:
- End to end risk coverage
- 360 degrees coverage including operational, financial and compliance aspects of all in-scope processes
- Evaluation of Enterprise Risk Management, Corporate Governance and the Design and Operating Effectiveness of Internal Controls
- Significant emphasis on Data Analytics throughout the Audit Life Cycle
- Deployment of SMEs where needed
- Quality Assurance
- Timely completion of assignment
- Overall Value Addition and Assurance
Use of subject matter experts
A key transformational development that is helping the internal audit teams immensely is the hiring or temporary deployment of subject matter experts (SMEs) in the fields such as accounting, taxation, engineering, supply chain, IT, compliance, etc. for effective execution of complex and technical audit areas.
The SMEs are able to deep dive into the technical nuances of the underlying area and identify areas of improvements or any process gaps, which may be beyond the capabilities and skill sets of the regular Internal Audit team members. SMEs also play crucial role in contributing towards value addition which is one of the important objectives of internal audit.
Leveraging digital tools
With the advancement of underlying tools and technologies deployed in business operations, over years, internal auditors have moved from auditing around the computer to auditing through the computer. With each passing day, businesses are adopting highly innovative and disruptive technologies such as machine learning, cognitive and artificial intelligence. This is resulting in newer risks which were unheard of before, thereby making the internal audit of such areas highly complex that requires knowledge and training in such areas.
Understanding the risks in the digital era and mapping out a strategy to ensure that IT controls are in place is a crucial step for businesses where internal audit can play a significant role. The effectiveness of internal audit itself can be enhanced with the use of technology and tools.
The digital and mobility revolution has improved, impacted as well as disrupted business models, processes and efficiencies. The emergence of as e-commerce, mobile applications, sophisticated ERPs, blockchain solutions, cloud computing, robotic business process automation (RPA), internet of things (IoT), machine learning and artificial intelligence (AI) have added and will add new dimensions to businesses. The internal audit function needs to re-orient itself to meet the requirements in this digital era as well as improve its own approach and methodology.
In order to be effective, auditors must use IT as an auditing tool, audit automated systems and data, to understand the business purposes for the systems, and understand the environment in which the systems operate.
By embedding analytics in audit process, internal audit can support in navigating complex business scenarios covering varied business areas during the course of audit. This new approach to integrate analytics into internal audit is referred as the ’data driven audit analytics.’
By seeking new use for computers and communications, auditors improve their ability to review systems and information and manage their activities more effectively. Automated tools allow auditors to increase individual productivity and that of the audit function. By recognising the importance of emerging environment and requirement to perform audit task effectively, auditors must recognise the key reasons to use audit tools and software.
Conclusion
With each passing day, the parameters of the maturity curve itself are changing dramatically with new factors either completely replacing or being prioritised over the existing ones. Internal Audit functions who will fail to achieve a continuous upward movement on the overall maturity curve and that too at a speed which is at par with the changing dynamics, will eventually become obsolete and redundant, leaving their organisation exposed to the internal and external world of risks.
On the other hand, the Internal Audit teams which will continue to evolve and transform themselves, on the ever changing parameters of maturity curve, will be able to succeed far higher in defending their organisation from the unforeseen risks of the future.