GRC Tuesdays: Internal Audit – Take Your Right Place as Business Advisors
One of the comments that I have heard from many presenters of the Virtual SAP Internal Controls, Compliance and Risk Management Live 2020 conference that concluded few days ago – but is still available OnDemand! – was that the role of internal auditors was changing and they are finally being perceived in more and more organizations as trusted advisors to the business.
The recent situation might actually have been the latest event signalling this change with executives reaching out to auditors for advice.
Independence Does Not Imply Isolation
In many organizations, Internal Audit is still seen as a cost center, not providing added value to the organization and sometimes even thought to be a duplication of quality assurance sort of say.
If you read these GRC Tuesdays blogs, then I am sure you already have a different view and maybe you are part of the people calling for a change in mentality since Internal Audit is much more than that!
Nevertheless, some of the underlying reasons for this perception might be due to the inherent nature of Internal Audit itself since it deals with sensitive information and sometimes cuts itself from the organization to ensure its independence.
Interestingly, and as highlighted by the Institute of Internal Auditors (IIA) in its July 2020 update of the Three Lines Model: “independence does not imply isolation”. The IIA then further states that “There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization. Through all of its activities, internal audit builds its knowledge and understanding of the organization, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner.”
In this short blog, I’d like to suggest some ways for the Internal Audit of organizations where this perception still prevails, how they can change and take their rightful place as business advisors.
Key Roles of Internal Audit
Who better to detail the key roles of the Internal Audit than the Institute of Internal Auditors, right? Going back to their update to the Three Lines Model, they have shared a summarized version of these key duties:
- Maintain primary accountability to the governing body and independence from the responsibilities of management
- Communicate independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organizational objectives and to promote and facilitate continuous improvement.
- Report impairments to independence and objectivity to the governing body and implement safeguards as required.
Notice that the IIA clearly stated that communication of “advice” to “support the achievement of organizational objectives” is one of the key roles? As a result, Internal Audit does have a real consulting function since it is perfectly set up to add value by advising the business on how to improve processes and practices – including but not limited to:
- Business risks – including when it reveals emerging risks or technologies that could disrupt the market
- Business and process controls – including compliance controls
- Effective corporate governance – including when associated to new business lines, mergers and acquisitions, etc.
But there are also less obvious areas that audit can contribute to such as:
- Business process efficiencies
- Operational and quality effectiveness
- Potential revenue enhancements via costs savings, waste reduction opportunities and smarter spend
As a matter of fact, IIA has previously qualified Internal Auditor as “catalysts” for “improving an organization’s effectiveness and efficiency by providing insight and recommendation based on analyses and assessment of data and business processes”.
As a result, why not start thinking of auditors as in-house consultants?
Changing the Minds
For Internal Audit to be accepted and acknowledged by executives as trusted advisors, I feel the following conditions would need to be met:
- Competent internal audit team with business acumen and industry knowledge => it goes without saying that this will be the foundation to set the credibility of the function. I have never met an Internal Audit team that was not professional, but I have sometimes met auditors that didn’t have industry knowledge and, as a result, had more difficulty asserting themselves with the business stakeholders
- Varied auditor profiles with diverse capabilities => if the team wants to act as a consulting force, being composed of various functional and technical talents will be key, especially in being able to assess transformational projects relating to IT or a business model that the company wishes to pursue
- Strong internal network and proven collaboration with business stakeholders => forging relationships is key in any role, but even more so for in-house consultants
- Neutral and objective => independence is one of internal audit’s key requirements, but neutrality and objectiveness will also be necessary so as to ensure the advice provided won’t be tainted with scepticism by any of the involved parties
In addition to these internal qualities, I believe there are also 3 additional factors that would be required:
- Active and knowledgeable Audit Committee => since this is the organism that will set the tone from the top
- Approved internal audit charter by the Audit Committee => and this charter should include the list of audit services that Internal Audit can provide without jeopardizing its independence
- Communicated Key Performance Indicators! I know that this one might come as a surprise but, in my experience, nothing convinces executives more than a successful track record.
Making the Case
In the event that executives aren’t fully onboard yet with this approach of auditors acting as in-house consultants, it may be time to make the case.
For instance, by asking some questions that will reveal the de facto benefits of leveraging the expertise of Internal Auditors.
Some of these questions could be:
- In addition to an operational focus, do existing internal audit missions explore issues related to IT, cybersecurity or finance?
- Does the company contract external resources to improve service levels and lower costs?
- Do planned audits target business opportunities that can improve efficiency and create bottom-line savings?
- Does the company take full advantage of the experience and knowledge of their auditors?
- Is the company eliminating, simplifying and automating controls where possible?
These are all missions that I believe Internal Auditors could perform, alongside their usual audit plan, and help the organization thrive.
Suggestions of Key Performance Indicators
I mentioned earlier that KPIs are a key aspect of building the case for a shift in mentalities from executives. This is both to convince them that this is a controlled changed with risks being mitigated, but also to ensure that Internal Audit itself can measure its success and communicate on it.
There could be many performance indicators, but I have selected a few that I feel are most relevant and organized them in 3 categories: improvement to the business; respect of budget and timelines; and satisfaction of the auditors themselves.
What about you, how is Internal Audit perceived in your organization: as a quality assurance expert or a business advisor? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard