Those who have been frequenting or have visited my blogspace https://www.career-auditor.com/blog/ would know that I am an Internal Audit fanatic, since I’m sure no other investment entrepreneurs make in themselves (their businesses) is as worthwhile and value adding as investing in internal audit.
After having written significantly on how internal audit adds value to an entity’s pursuit of improving its Governance, Risk Management and Control systems, I intend to dedicate this space to guide entrepreneurs and entities (boards and managements of) on how to seek that value from their internal audit investment.
So, let’s dive right in!
The first thing entities need to comprehend is the value equation of internal audit investment. This equation is emphatically and comprehensively explained in the Institute of Internal Auditors’ definition of internal auditing:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.
The key words within this definition I would like to focus on for the purposes of this blog are systematic and disciplined. At the outset, entities need to understand that for internal auditing to bring in a systematic and disciplined approach, it is imperative that they ensure and encourage a methodical approach towards their internal audit function.
And how exactly could a methodical approach be ensured? This is achieved in consultation and coordination with the internal audit function. The elaborate answer is given at length in what follows.
Know Your Client (KYC)
First in the process is developing a thorough understanding of the entity’s business, its operating environment, its stakeholders, its objectives, its risk profile, its significant policies and procedures, what the entity considers as performance against objectives and how it measures performance.
Several resources can be used to fulfill these requirements. Some of these are:
- Business incorporation documents
- Industry Registration documents
- Licenses, patents, copyrights, etc.
- Financial Statements
Check out my detailed blog on KYC here.
Understanding the Business
While setting up, the audit function should invest time and resources in developing a sound understanding of the entity’s business.
This will require a deep-dive review of the company’s policies and procedures, especially the ones that provide guidelines for controlling the key aspects of business, for instance its revenue, procurement, generation, finances, liquidity, risk management, investment in assets, accounting policies, etc.
The key here is to reflect on the entity’s vision and mission to understand the alignment with its policies and procedures. It’s best to document your understanding as you go!
The Risk & the Audit Universe
Risks are what an entity needs to navigate through to accomplish its objectives. The path to fulfillment of objectives is replete with uncertainty and its implications that could be positive or negative. This uncertainty comes from the dynamics of the entity’s operating environment, the changing and evolving interests of its stakeholders, the entity’s growth trajectory, the target market forces, etc.
The negative risks need to be mitigated for sustenance and survival, while the positive ones need to be exploited for growth and gains. It’s best if the entity’s risk profile is comprehensively documented and the internal audit can simply begin from there.
However, even if it’s not, the internal audit could document a summary of its overall identification of the risks the entity is facing and needs to manage, and have it reviewed and confirmed with the management and the board. This jointly finalized risk profile identification will serve as a snapshot of the entity’s present risk universe.
Of course, later, once the function is fully established, the risk management value addition will become one of the core offerings of the internal audit.
The internal audit could identify the entity’s generic risk profile from the entity’s business industry, operating market issues and regulatory interests in the sector of its business. It could identify the entity’s specific risk profile from its vision and mission, documented strategic, operational, reporting and compliance objectives, significant policies (board approved), board meeting minutes, significant business contracts, financial statements and material non-financial information, and certainly discussion with management.
That risk universe serves as the foundation of the audit universe, i.e. identification of all auditable areas of the entity. For more on what should be included in the audit universe, refer here.
The Internal Audit Charter
Up next is the internal audit charter. The charter is essentially the internal audit’s own governance document, setting out its purpose, authority, role, responsibilities, position within the entity, internal audit services scope and provision, communication and reporting, the framework to which the internal audit function will adhere and its performance evaluation.
The charter is essentially the blueprint for internal audit functionality and is thus a cornerstone in ensuring that internal audit brings a systematic and disciplined approach to the entity’s audit universe. The charter can and should have the minimum audit methodologies the internal audit desires to execute to add value to the entity’s Governance, Risk Management and Control (GRC) systems.
The charter is reviewed and approved by the Board, so that the internal audit has the desired authority, independence and means to function within the entity.
Not everything will be and can be documented in a charter. The internal audit’s value proposition is inherent in its agility. Read here to know more about that.
The Internal Audit Plan, Execution & Reporting
The logical consequence of everything explained above is the manifestation of internal audit’s coverage of the audit universe. That happens with the development, review and finalization of a fluid audit plan.
The audit plan lists down the audit engagements to be performed, their types, areas to be audited, frequency of coverage, risk assessments for each auditable area presented and timelines for fieldwork execution and reporting.
This plan needs to be reviewed by management and approved by the Board. It is best to have an annual plan frequency with inbuilt flexibility to accommodate the evolving risk profile or changing business needs.
The audit team needs to ensure that execution remains fully in accordance with the plan timelines, as this is one of the most basic KPIs against which the audit’s performance needs to be evaluated.
The function will need to establish a reporting mechanism in unison with the executive management and with the approval of the Board. Such a mechanism will incorporate the release of the initial draft, review by management, determination and documentation of action plans, review of disagreements and their incorporation, final report issuance and its communication to the Board.
The Internal Audit’s Evaluation
The Institute of Internal Auditors has given a few methods to evaluate internal audit’s performance as part of its Global Internal Audit Standards (GIAS). However, I strongly believe that the metric on which internal audit is required to deliver, and is thus evaluated, should be documented in the IA Charter.
Furthermore, the best judge of what should be evaluated, how and when it should be evaluated and what are the results that would ultimately matter, is the Board primarily and the executive management since it’s their interests the internal audit serves and represents.
Finally, for the internal audit to deliver at its best, the Boards need to be fully in command of the entity’s governance. This command only comes when the Board is well versed in what it needs to do to provide the governance and direction the entity needs and when it can review its own performance dispassionately.
How that could happen, you ask? Got you covered here too!