Indeed, the development of an internal audit strategy is the first and foremost aspect of setting up an internal audit function. But how do we go about doing that? It’s not just a prerequisite, which it surely is; in fact, it’s a precursor.
Before you all begin googling the topic to arrive at the answers churned out from the machinations of the AI, let’s unravel it right here.
For a strategy to be developed, we must take aim. But what exactly do the internal auditors aim for when developing that strategy? Indeed, the aim is for the audit universe to be aligned with the client’s risk universe. But how do we arrive at the risk universe and comprehend it?
The answer is Know Your Client (KYC). You won’t be blamed if, in your opinion, that’s a requirement specific to certain industries, for instance banks. But isn’t that what we should be doing right from the outset if we’re to develop an audit strategy and set aim for the audit universe?
And in fact, the KYC, wherever it is religiously practiced, hardly represents any substance now; it’s usually a mammoth form-filling exercise that fulfills bureaucratic controls, at times in the name of compliance checks to fulfill audit needs! So, it’s good if we, the internal auditors, embrace it wholeheartedly.
Now let’s focus on what an internal auditor’s KYC should entail and why it is important enough to be a precursor to the development of an audit strategy.
The internal audit’s KYC should, as a minimum, inquire about the following, duly supported with data, records, etc.:
| # | Considerations | Details |
|---|---|---|
| 1 | Incorporation Status | A body corporate? Registered Company? Listed Company? Partnership? Sole Proprietorship? Public Sector? |
| 2 | Shareholding Structure | Wholly owned by another entity? Associated? Publicly traded? Ownership mix? |
| 3 | Business & Industry Sector | Services / Retail / Manufacturing? Sector specific influences on the Business? |
| 4 | Territorial Jurisdictions of the Business | Location of business interests? Location specific influences? |
| 5 | Vision and Mission | Documented Vision & Mission Statement? Business alignment? |
| 6 | Business Objectives | Documented business objectives? Formal design & alignment mechanism? Monitoring of accomplishment? |
| 7 | Risk Profile | Documented Business Risk Profile? Existence of mechanism to identify & assess risks? Responsibilities for risk? |
| 8 | Significant Policies and Procedures | Board approved policies and procedures? Determination of significance? Alignment with business? |
| 9 | Financial Health | Audited Financial Statements? Applicable reporting framework? Significant KPIs for monitoring financial health? |
| 10 | Significant Accounting Policies | Policies around revenue recognition, capital expenditure, capital management, financial risk management, financial instruments, stocks, spares and cash? |
| 11 | Stakeholders | Significant influences from Regulators, Suppliers, Customers, Employees, etc.? |
| 12 | Latest Audit Reports | Reports carrying high and moderate risks duly acknowledged by management for action? |
These minimum KYC considerations allow an assessment of the risk universe that could be jointly reviewed and finalized with the management once documented. The audit universe is then conceived to encompass the risk universe finalized.
The audit strategy can now be formed to address all the components of the audit universe. The audit strategy sets out the audit approach as audit services and methodologies, explaining how value will be added to improve the Governance, Risk Management and Controls over the entire risk universe.
Compare this with an approach whereby an audit strategy is derived theoretically, based on a model risk environment for the business sector the client operates in. Not only will the risk environment be entirely generic; it could even be so irrelevant that the audit strategy becomes a failure even before it begins.
And this is possible because of the entity’s size, its target market, how it perceives risk, its risk management strategies, diversification and its detachment from the sector it operates in. The model risk environment in such a scenario could at best be a good starting point to ask the relevant questions in the KYC exercise.
There’s another, even worse, approach to formulating an audit strategy: using a generic approach to offering audit services simply in accordance with the internal audit standards. The strategy thus formulated would be more of a theoretical intervention than the desired practical approach that could ensure internal audit value addition.
Completing the KYC process right at the outset of conceptualizing the audit intervention to be provided serves as the primary building block on which to construct the audit universe. The audit universe so built ensures perfect alignment with the entity’s risk universe and provides the requisite inputs to the audit resource planning, budgeting, magnitude and frequency of interventions, alignment of what is to be kept under assurance radar and the versatility of consulting services, internal audit reporting and its own evaluation!
And it doesn’t stop there: once the risk profile is developed and documented, all it needs on an incremental basis is tweaking for newly identified and assessed risks, encountered with or without the impacts of the dynamic operating environment.
It ensures that a complete rebasing will not be required every time amendments to the risk universe are needed and the internal audit will continue to deliver ahead instead of being tied up with correcting the inaccuracies related to imperfect knowledge of the client’s business.
The internal audit value addition growth trajectory is thus enabled by getting the KYC right the first time!