Forbes Insights recently published an interesting report on how key stakeholders viewed the external audit of financial statements and what could be done to improve the value. While there was overwhelming agreement on the value of the traditional assurance role of external audit, there was a strong view that the external auditor could provide greater insight into a company’s performance and the risks that are faced. The report also mentioned that “the incorporation of data analytics into the core audit was also widely supported.”
In many ways the external audit survey responses and report apply equally to the world of internal audit, as well as to risk management and compliance. The internal audit profession has, of course, heard repeatedly over the past few years that it is expected to grow beyond its traditional focus and provide more value to the business overall. This view is built in part upon the realization that both internal and external auditors are in unique positions of potential insight in terms of their very broad access to company-wide activities and data.
I suspect that some of the issues are pretty fundamental to the audit process. On the one hand there is a lot of talk about change and internal audit “earning a seat at the executive table.” But how much have fundamental audit processes really changed? I am sure every internal audit department would say that it takes a risk-based approach to developing its overall audit plan. But it strikes me that there are often significant gaps between what internal audit considers in its assessment of risks and what business leaders would consider to be critical risks.
How many leaders of internal audit departments actually step back and consider, in conjunction with the leaders of core business areas as well as finance, risk management and compliance: What would it look like to fundamentally change and improve the value that internal audit can provide? After considering and answering this question, I think the next big question becomes: How do we enact this change?
The answers may be challenging for some, as the reality is often that internal auditors, while typically smart and conscientious professionals, often lack the training and skills to provide insights around the most significant risks, particularly those around core business performance areas. And real enablement is not just a people and knowledge issue. It is usually the successful marriage of people, knowledge and technology that leads to real change and breakthrough performance.
If internal audit is serious about meeting expectations for change, then it is time to fundamentally rethink three things:
These three areas should be addressed in the context of the overall objectives for each internal audit department and the definition of the type of value and insights and degree of change that they actually want to deliver. This type of critical self-assessment process strikes me as a very healthy thing for any internal audit department to do from time to time—and should be a necessity for those who sincerely want to do things differently.
It can serve as the foundation for a rebuild of approach that reflects the way that internal audit should really work in order to not only maximize the value delivered, but also to optimize the way it’s delivered.
(Source: ACL Blog)