Three steps to elevating the value of internal audit

In many companies, internal audit is often seen as a necessary evil – a group that other departments will cooperate with because they have to, rather than being seen as a value-add, says ACL’s Chris Stewart-Smith.

Recently, while attending a round-table dinner with eight directors of internal audit from different countries, I asked them to share examples of steps they had taken to be seen as a true partner in their respective businesses – in other words, how their team members had become the most sought-after professionals in their organisations. I heard three common themes:

Step 1: Develop productive relationships with similar auditing entities
 
How does your internal audit function compare with departments that have similar mandates? Compliance, shared services, internal controls, and risk management are performing ‘audits’ too, creating audit-like projects and probably analysing large volumes of data. The Institute of Internal Auditors’ white paper on ‘The Three Lines of Defence in Effective Risk Management and Control’ speaks to the gaps and duplication of effort when operating in silos, which means that internal audit must compete for value recognition. In fact, the lines are blurring, as one of the group described: His firm, a major manufacturer of aviation parts, discovered during a travel and expenses audit that payments had been made that were indicative of bribery and subsequent non-compliance with UK Bribery Act and US Foreign Corrupt Practices Act (FCPA) legislation. Compliance missed it completely, possessing neither the technology nor the skills to implement continuous monitoring of transactions. Working closely with compliance and the board, internal audit had managed to flag these payments to senior leadership before they made the news. In short, internal audit led a coordinated approach across all three lines.

Step 2: Share and invest in technology

This doesn’t mean use other peoples’ tools: Internal audit must still retain independence and the group I interviewed had a variety of technology solutions at their disposal. They had proudly shown off analytical findings to other departments, including business analysis teams and shared services groups who are supposed to consist of data gurus, but in fact were left in audit’s thrall. Internal audit most certainly belongs in this league too. It is often said that continuous monitoring of transactions is the Holy Grail for audit but it really isn’t. Many departments have already put it into practice and have integrated it into their day-to-day audit management projects.

Step 3: Hire innovators from beyond internal audit

Why did the internal auditor cross the road? Because that’s what last year’s audit plan said he had to do. An old joke, and most internal auditors know it, but audit has really transformed itself in recent years in terms of how it is perceived externally. Having broadened their recruitment strategies, audit functions are now made up of critical thinkers, strategic problem solvers and technophiles who are shaping their organisations’ enterprise risk assessment cycles with their audit management results. A high percentage of leadership in internal audit is recruited from non-audit roles. Although remaining independent, they are continually re-evaluating business risks and opportunities because they can think, act, and perform as stakeholders too.

Constantly looking for ways to compete and improve rather than simply ensuring that they get through their audit plans, the group told me that they are often seen as the benchmark for business assurance in their respective companies.

 

Chris Stewart-Smith is director of global solutions consulting at ACL, where he works with clients around the world to help them realise the benefits of governance, risk management and compliance (GRC) technology, and bridge the knowledge gap between the IT department and business leaders.