Internal auditors, both as a profession and as individuals, want respect. We hear constantly how much they want to add value and “get a seat” at the executive table—and some audit teams and their leaders are indeed very successful in earning respect and becoming truly sought after. On the other hand, not all audit departments are held in such high regard, and some still manage to reinforce the traditional, more negative stereotypes about auditors that really should be outdated by now.
Because nobody wants to cause business leaders to roll their eyes and consider audit processes and reports as just one more challenge to endure, let’s look at some best practices that can help auditors add the most value and be seen in a whole new light.
1. Add value by looking for the bigger picture.
It is all too easy for auditors to be seen as obsessing about failures in policy and compliance, and not thinking in terms of what really matters in the context of achieving corporate objectives and business outcomes. Coming up with lists of control failures identified during the audit process may quite accurately reflect the fact that certain controls are not working as intended—but why is this? Does it mean that business management is not doing their job, or does it mean that the control just does not make good sense given the business priorities? Maybe the business manager does understand the risks and has simply decided that it is better to manage the risk than put up with the inefficiency of a control that reduces productivity by 25%. Or, maybe the business manager has miscalculated and does not realize the true impact of letting a control slide.
What can internal audit do in this case? How about providing insights that management does not have, through value-added metrics? For example, data analytics can be used to quantify the full extent of a control weakness by examining all transactions in which proper approval controls were circumvented. There is a big difference between reporting that “approval controls were found to be ineffective in five instances” and reporting that “based on an examination of 459,000 P.O.s, totalling $26.5B in value, approval controls were circumvented over a 12-month period for 395 P.O.s, totalling $234.5M in value, resulting in instances of actual fraud and waste totalling $78.5M.” This overall financial impact can be weighed against the productivity savings of allowing loose approval processes.
What else could be done? Perhaps recommend that continuous monitoring of all P.O. transactions be performed by the business area. This not only allows for more efficient control and approval procedures, but also lets the business area review the results of monitoring in order to manage the risk of potential negative financial consequences.
2. Time is value. Report on what matters most to management.
This may not be the most critical failing in the overall scheme of things, but it can be the most frustrating and annoying for business management—and does much to erode the professional credibility of internal auditors.
Auditors who misunderstand how processes really work, or who repeatedly ask the same questions during every audit, or, worst of all, report findings that are not accurate, are not adding value to their organisation and risk being seen as nothing but a drain on resources.
The traditional best practice approach has been to develop and maintain copious amounts of system and process documentation to support walkthrough tests and prepare auditors for performing specific audit procedures. The challenge with this is the amount of effort involved in maintaining accurate and current process documentation, particularly given the rate at which systems can change.
Technology can help auditors avoid wasting management’s time in a number of ways. Much of this depends on a risk-based and technology-driven approach to auditing. This means being able to identify and assess the risks that matter, and linking them to the control procedures that impact effective management of those risks. Spending large amounts of time on inquiry, documentation and testing around things that are not important from a risk perspective is not time well spent—neither by internal audit nor the business area that has to answer and explain things.
Data analysis can also play a sometimes surprisingly effective role in helping internal audit to understand a business process, together with related risks and controls. While using modern software helps to make documentation of processes and controls a lot more efficient, data analysis can itself help to rapidly describe to an auditor how a process actually works.
Instead of viewing documentation—or, at least, in conjunction with documentation—how about visually analysing an entire population of transactions and activities that underlie a given business process? While this form of exploration may have been overwhelmingly complex at one time, it is now relatively simple to achieve. The result is that internal auditors are far more likely to ask business management smart, insightful questions, instead of the “same old, same old” ones that cause eye-rolling and annoyance.
3. Don’t be a dinosaur. Embrace big data and technology in the way that the business does.
When a business process owner sees internal auditors using manual techniques or outdated software applications, it does little to foster respect and confidence in internal audit’s capabilities and competency. Almost all other business processes have been transformed through the use of technology, whether it be more efficient cloud-based financial and business applications or big data analytics essential for functions such as marketing, sales, customer service and product management, all of which allow an organisation to remain competitive.
Personally, I cannot help but cringe at the thought of auditors using simplistic spreadsheet software or manual procedures for auditing sophisticated and complex technology-driven business processes. And yet this is still far too commonplace in the internal audit world, despite all the talk within the profession about the importance of better use of technology, data analytics and continuous auditing and monitoring.
On the other hand, think of the impact that auditors could make with process managers if they arrived to perform an audit using handheld devices and ran modern cloud-based software, all fully integrated with the organisation’s risk management systems. The auditor can share a dashboard with the manager that shows the results of suites of analytics that have been monitoring millions of transactions and assessing risks and testing controls throughout the business process. The dashboard also shows the combined results of questionnaires and surveys completed by business team members on the current state of controls and compliance activities. Based on discussions with the manager, the auditor uses her tablet to immediately change the parameters of certain automated tests that were producing false positive exceptions.
Your audit team is not guilty of any of the above…is it?
I doubt that many internal audit teams manage to annoy business management in all three of these areas—but the chances are that a fair number of audit teams are weak in at least one or two of them. These are all things that happen, usually not intentionally of course, but perhaps simply because audit leaders do not actually know how business leaders and managers really see internal audit.
Maybe a next step, assuming it is not already part of your audit performance improvement practices, is to perform an informal assessment and ask managers of key finance and business process functions how they rate your team in addressing each one of these three areas. It’s a great first step toward getting everyone working better together—for the greater good of your organisation and beyond.
Taken from the blog of John Verver, CPA CA, CISA, CMC
Advisor to ACL