Ever wondered, what a high performing Internal Audit (IA) team would look like, or more appropriately what are its characteristics? Not sure if there could be a high performing IA team? Or if there’s a performance by IA through which it could be gauged?
Well yes, there’re certainly effects that could be effectively and collectively called IA performance. At its lowest ebb, these are the distress signals managements give to the Boards when Internal Audit is at work. So, the severity and volume of those signals, right or wrong, could indeed be a way to understand the degree of IA performance.
Except that it’s too crude a reflection to be considered as a performance yardstick! So, we do have several other methods to have our performance evaluated; by ourselves under formally approved criteria, by the Board directly and even by certain external assessors!
But that’s not the point here!
What I aim to unravel here is what a high-performance IA team is or more aptly what high performance in IA’s context is. So, let’s begin with the way it should end:
| Component |
High Performance Benchmark |
| Performance Evaluation |
- A team that is always forthcoming on having its performance objectively evaluated.
- Proposing new performance metrics and KPIs every year incorporating lessons learnt and annual business plan.
- Significantly varied metrics for each member of the team, yet fully aligned with overall function objectives.
- Accepting ever challenging evaluation criteria by accepting the previous accomplishment as a base point.
- Specifying, agreeing and formalizing the records that would qualify as evidence of accomplishment.
|
| Reporting |
- Non-standardized reporting: reporting aligned to the nature of each engagement.
- Standards established for ensuring minimum information in each report.
- Report format is flexible and attuned to the engagement requirements.
- Reports clearly identifying findings / observations and advisory for improvement.
- All report findings are rated in terms of probability and impact aligned with the approved heat map.
- The report findings classify the risk category and quantify the potential impacts, wherever the risk belongs to a quantifiable category.
- The report gives a summary of analytics (preferably graphical) of the areas audited and the exposures in perspective of the entity’s business.
- The report is only issued with management comments: concurrence or disagreement.
- The findings narrate the auditor’s assessment of the root cause.
- The findings carry advisory aimed at causation to prevent recurrence.
|
| Reviews |
- Senior reviews of the engagement conduct are conducted at the outset, during the engagement (interim reviews) and at conclusion of the engagement.
- Reviews focus on quality, quantity, authenticity, relevance and validity of data and information gathered for the engagement.
- Reviews focus on fulfillment of the minimum requirements of engagement conduct as formalized within the work program.
- Reviews focus on fulfillment of engagement objectives and stakeholder expectations.
- Working paper-based reviews.
- Interim reviews focus on the potential and need for altering engagement planning and objectives and issue instructions for conduct modification when indicated.
- Reviews focus on the consideration of red flags and the potential for control failing and issue instructions for conduct modification when indicated.
- Reviews ensuring findings represent value addition and advisory are tested on cost and benefit criteria.
- Reviews ensuring the engagement timelines are being adhered to.
|
| Engagement Fieldwork |
- The fieldwork is driven by the engagement work program only to the extent of ensuring a systematic and disciplined approach and fulfillment of minimum conduct requirements.
- The fieldwork is driven by the discoveries and revelations of the data and information being processed and analyzed.
- The fieldwork is guided by the professional judgement and skepticism of the audit seniors.
- The fieldwork is aided by the individual creativity and collective wisdom of all team members involved.
- The fieldwork requirements are altered based on new knowledge of the processes and systems under review.
- The fieldwork triggers a rethink of engagement objectives.
- The fieldwork is modified in the direction of risk while ensuring fulfillment of minimum requirements for a diligently conducted engagement.
- The fieldwork also incorporates areas not directly relevant to the review in progress but reflects important risks that need to be worked upon and communicated. Read more here.
|
| Engagement Planning |
- Systematic and disciplined approach to planning
- Work program for each engagement setting minimum requirements and mandatory objectives.
- Dynamic / Evolving planning receptive to fieldwork discoveries, review insights, lessons learnt from past reviews, creativity and innovation.
- Frequent engagement planning reviews to augment or modify objectives and approach.
- Approach carrying relevant assertions-based review of data and information to be able to assess state of risk management and controls.
- Approach designed to test for identification of red flags (fraud risk factors).
- Planning based on transactional walkthrough-based understanding of complete process flow.
- Planning based on knowledge of policies and procedures governing the process.
- Planning identifies and formalizes the sampling methodology to be used (where applicable) in a combination of forward and backward process trails.
|
| Audit Planning |
- Management reviewed and Board approved Audit Plan.
- Annual audit plan comprising of regular risk-guided assurance engagements and dynamic risk profiling of areas for advisory engagements.
- Annual audit plan reviewed for continual relevance at every quarter or earlier if business plan, operations and operating environment are experiencing transition.
- In-built flexibility in audit plan to adopt unscheduled but significant engagements self-determined and approved by Board or instructed by Board.
- Plan fully aligned with the audit universe.
|
| Audit Universe |
- Perfect alignment with Risk Universe.
- Documented in management reviewed and Board approved IA Charter.
- Coverage with types of audit methodologies.
- Risk rated audit universe with regular updates.
|
| Risk Universe |
Through KYC. |
Being part of a high-performance internal audit team, we ought to be unique in every aspect of the work we do and even be eager to differ from our own past approaches, challenging what we have already done, and being open to critique. Since, in a high-performance team, everyone contributes right from the ideation!
So, the disruption caused by the high-performance team should be welcome since it is this “nuisance value” of internal auditing that adds value.
The High-Performance IA team is the most critical change agent. It is the trigger that causes you to think over, about and around how things are and what these could become both without doing anything about them and with the internal audit’s advice.
What instigates performance from the auditee, be it in the furtherance of established business objectives or adopting new business objectives / breaking new ground, is the High-performance IA Team!
And the High-Performance IA team is only in competition with itself; it continually strives to be its best!
