(Source:- ACL Blog)
But how much of this contribution is recognized as really being a value-add, and not just a required organizational functional process? How often does the corporate C-suite and board really notice and appreciate internal audit’s contribution?
While internal audit may not have a reputation as being a particularly glamorous and exciting profession, when you think about its role and mandate, internal auditors are in a remarkably unique position in most organizations. What other function has a charter that provides unrestricted access to virtually all data, activities and aspects of an organization?
Perhaps part of the issue is that auditors have traditionally tended to focus on predictable audit areas and at times got into too low a level of detail on risk and control issues. Ask yourself: how often do you deliver audit reports that grab senior management’s attention, addressing topics that are important to their world—and help to turn on that light bulb about the full value of internal auditors?
Many corporate leaders do not expect audit to weigh in on the topics that are at the center of executive attention. Auditors are expected to be involved in risk areas such as regulatory non-compliance, fraud and corruption—all of which certainly have the potential to cause a lot of damage to an organization and the achievement of overall objectives. But what about strategic areas such as global competitiveness, sales and marketing performance, product innovation and development, or talent management?
Many audit teams are reluctant (sometimes with good reason) to venture into these areas. Second-guessing the CEO or one of his/her team on their strategic decisions is probably not a very good idea! But there are various ways in which internal audit can be involved in strategic areas and deliver very credible value.
Just one area to consider is the integrity of the data and reporting mechanisms that underlie strategic areas. What if the reports and dashboards that corporate leaders use to steer the organization contain errors and are misleading? Or, perhaps, the quality of competitive analysis, or market analysis, leaves a lot to be desired—and the CEO and CMO have made decisions based on faulty assumptions?
Almost every strategic corporate decision is made based on some form of internal analysis and system. By providing assurance over these processes and helping to improve them, you can make a realistic contribution to corporate strategic success.
The Institute of Internal Auditors’ “Three Lines of Defense” model is a very effective way of defining and communicating the respective roles of responsibilities of (1) front line operational management, (2) those directly involved in a range of risk, control and compliance functions, and (3) internal audit. Often, each function tends to focus on its own role with little time spent on ensuring that activities are coordinated and optimized across the three groups—resulting in the commonplace “silo” effect.
This is where internal audit can play a leadership role in helping to break down the silos and achieve an efficient and integrated approach to managing and assessing the effectiveness of risk management, controls and compliance. After all, it is the internal audit profession that came up with the “Three Lines of Defense” model, so why not put it to good use? Be the champion of taking an integrated approach, using software technology as the driver for a common and consistent approach to assessing and monitoring risks and controls effectiveness.
How could I not refer to the role of data analysis in all this? It is, of course, a key part of ACL’s heritage and contribution to the audit profession. I find it very interesting that “Big Data” analysis has gained so much attention in the past few years. Conceptually, it parallels much of what some internal auditors have been doing with data analysis for many years, if not decades.
Although some organizations are investing heavily in massive, often slow-moving, Big Data initiatives, the reality is that internal auditors are already able to achieve remarkable insights from examining data. This is thanks to (a) their experience in gaining access to data from across the organization and (b) applying specialized analysis software. And the bonus is that auditors’ value-added contributions from applying data analysis to any area, strategic or otherwise, are nearly always achieved at a very small fraction of the cost and effort of Big Data and BI projects.
A picture is often worth a thousand words—or a hundred rows of numbers. This is partly why visual data analysis and reporting have grabbed so much attention lately. The brains of most people are just not wired to quickly interpret and understand large volumes of words or numbers. The most impactful reporting is usually that which illustrates something insightful in simple terms, hopefully leading to an “aha!” moment for your audit committee or senior management. There may be a huge amount of effort and analysis underlying an audit finding, but there is no need to reflect the extent of work in the volume and detail of a findings report.
While the term “dashboard” may be often over-used, the principle of clearly illustrating the current state of, say, integrated risk assessment activities in a critical business area, across all three lines of defense—in one simple visual—can be incredibly powerful.
