Indeed, that’s the most pertinent question entities need to ask when they’re toying with the mere idea of having an internal audit. It’s correct that regulatory requirements and the example of other entities can suggest a reason for investing in internal audit. But every entity needs to have its own reason for its own internal audit investment!

We need to wrap our heads around the reason why we need internal auditing because it’s a non-core business function. It’s not something that’s needed for manufacturing products, selling merchandise, providing services, keeping track of finances and accounting which are served by procurement, manufacturing, operations, sales, marketing and finance functions.

So, what’s that void that will be filled by hiring internal audit services and what’s the need? For good internal audit services, the reason for investing ought to be good as well!

It’s important and easier to put aside the case for external audit first. External Auditing is mostly mandated by virtue of statute and governed by regulation and even if not, its scope is still standard and limited to review of truthfulness and fairness of historical financial information against the applicable framework. So, call it a necessary evil or an individual preference, external audit is not a concern.

It is professional Internal Auditing which is built upon the notion that it helps improve an entity’s key processes, those processes that have an all-encompassing impact on the entity’s objectives. But does this also mean that entities cannot improve without internal auditing help? Or more appropriately, does this mean that people working within individual functions in an entity cannot self-improve?

Certainly not! But knowing the objectives of improvement, the difference between current state and an improved state, how to improve, what to improve, improvement roadmap, monitoring through the improvement action plan implementation, evaluation of improvement objectives accomplishment at the end and establishing mechanism for continuous improvement requires an elaborate / detail-oriented approach.

Yes, specific project teams or external consultants might help with these tasks. But then who will provide assurance on the overall process, if it has been laid out the way it should be right from specification of objectives and requirements to mechanism for continuous improvement? And who will provide assurance if the project team or consultant was correctly constituted or hired and if their Terms of Reference were established? And who will provide advisory over the overall approach and conduct?

Exactly, it’s hard to get away from needing assurance and advisory when the voids are identified and known and that happens when the approach even to planning is flawless.     

Let’s now get to discovering some more voids:

  • Individual functions are responsible for their part of the process. Who’s looking at the overall process delivery?
  • Individual functions are absorbed in their roles and responsibilities. Who has the acumen to assess and evaluate what they’re doing and what is the evaluation criteria?
  • Individual functions are process owners. Can they make an unbiased self-evaluation of the work they’re doing, and would self-evaluation be valid and effective?
  • The process owners perform day to day operations. Can they have a well laid out or structured approach to their own evaluation?
  • The process owners are focused on regular delivery of their processes. Can they tell and develop resilient processes that could withstand off-routine tasks, shocks or risks materializing?
  • The process owners go about in the normal course processing regular work. How are they assured that all risks in their regular work are known, assessed, impact evaluated and mitigated?
  • The process owners mandatorily perform controls as part of their process protocols. Do they understand what the control objectives are, what should be controlled and what risks these controls mitigate?
  • The managements are responsible for day-to-day operations. What should be governed in management’s responsibilities and how should it be governed?
  • The process owners and managements do what they’re best at, operations and management. Who’s competent for optimizing Governance, Risk Management and Controls?

Convinced of the voids, it’s time to set our sights on our approach towards them. Let’s try searching through the emphasized catchphrases in the voids we just covered. There’s a definition that comes to mind, perfectly encompassing the voids:

“________________ is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Familiar? Rings a bell?

Indeed, it’s the Institute of Internal Auditors’ flagship definition of Internal Auditing.

Internal Audit’s

  • Functional independence ensures it’s free from any influence in its assurance and advisory and can avoid conflicts of interest.
  • Objectivity ensures it has an unbiased approach towards everything within its scope and this approach encompasses the whole process from engagement planning to engagement reporting.
  • Assurance service is the only assurance that matters owing to its independence and objectivity.
  • Consulting service is the best possible advisory since it is aimed at adding value and improving.
  • Value Addition is based on its approach of continual monitoring, evaluation and improvement against dynamic criteria.
  • Improvement is geared towards pursuit of excellence and sustainability in objectives accomplishment.
  • Approach towards evaluation and improvement is systematic and disciplined because it begins with determination of requirements, objectives and risks, moves on to risk-based planning, then to controlled execution, followed by internal and joint reviews, risk-based reporting and finally having its own performance assessed.
  • Targeting Risk Management, Control and Governance processes is in theory and in effect targeting the entity’s whole spectrum of processes laid out to fulfill its objectives and thus the entity’s existence.

Yet in the context of it all, Internal Auditing is there only to ‘help’. This helping role does not just ensure the independence and objectivity of internal audit but also ensures process owners’ and management’s ownership and self-evolution.

Think of this help in terms of internal audit being a facilitator, a moderator, a mentor, an optimization and improvement champion or a change agent. The goal is to ensure the entity is in a constant pursuit of excellence in sustaining itself and growing, never losing sight of its objectives.

 

Yes, Internal Audit is always critical of what process owners and managements do, but improvement begins at critique.

Yes, Internal Audit is disruptive, but the result of that disruption is continual optimization and improvement.

Yes, Internal Audit requires a significant investment, but that’s far less than the cost of objectives the entity is set to lose without it.

Yes, Internal Audit may well be burdensome, but not as much as a disaster an entity doesn’t expect or isn’t prepared to encounter without its assurance and advisory.

Still more WHYs? Try Internal Audit to have them all answered!