INTERESTS of shareholders are carefuly considered.
photo: File photo
The mere presence of an internal audit says little. The real question is: What should an internal audit be doing to help the organization accomplish its objectives?
At PricewaterhouseCoopers, we believe that an internal audit can reach its potential and help the company achieve heightened levels of effectiveness if the internal function (1) aligns strongly with stakeholder needs, (2) achieves best-in-class capabilities, (3) complies with applicable professional standards, and (4) measures results.
Aligns strongly with stakeholder needs
Internal audits take into consideration the expectations of the company's primary stakeholders - senior management and the audit committee - and align audit activities accordingly. This alignment ensures that internal audit functions and key stakeholders share the same priorities when it comes to applying internal audit resources to risk management and control.
For example, do the key sponsors - management and internal auditors - have the same view of the role of the internal audit? Once the internal audit is aligned with the priorities of key stakeholders, the function needs to establish solid lines of communication between senior management and/or the audit committee (if a committee is established). By maintaining good communication, the internal audit ensures that its functions match those of key stakeholders' priorities as they evolve.
Achieves best-in-class capabilities
Highly effective internal audits rely on best-in-class auditing practices. To keep pace with organizational changes and to meet the heightened expectations of key stakeholders, an internal audit function needs to achieve proficiency in its operations, processes and skill sets.
Typically, top-performing internal audit groups exhibit a strong commitment to the following areas:
- Resources: Best-in-class internal audit departments identify the skills and resources it needs to achieve organizational objectives. It expands its risk management, compliance, business and product capabilities to build on its core internal audit and control competencies. It uses flexible co-sourcing arrangements to acquire specialized skills from third parties. And it continuously measures levels of staff proficiency as well as career development progress.
- Knowledge management: Top internal audit functions capture, manage and share internal knowledge, recognizing its importance to the long-term success of the organization.
- Risk mitigation: To strengthen corporate antifraud and risk mitigation efforts, an internal audit identifies potential schemes and scenarios affecting the industries and markets served by the organization. Successful functions detect fraud and evaluate and test antifraud controls.
- Risk assessment: A highly effective internal audit function has assessed the risks facing the organization and built an audit plan to address them. There is transparency to the process so that key stakeholders identify, evaluate and communicate any underlying risks. The process is dynamic and links changes in the company's risk profile to changes in the audit plan.
- Technology: Pervasive use of technology is a hallmark of highly effective internal auditing functions. Continuous auditing techniques, data mining and predictive modelling can all be employed to enhance the quality of the audit process.
Complies with applicable professional standards
An effective internal audit also operates in compliance with professional standards, principally those of the Institute of Internal Auditors (IIA).
In January 2004, the IIA revised its International Standards for the Professional Practice of Internal Auditing to more directly address internal audit responsibilities in the area of corporate governance.
The revised standards acknowledge the close link between corporate governance and the practice of internal auditing, suggesting that work related to corporate governance is fundamental to the basic performance of the internal auditing function.
According to the revised standards, internal audits should seek to improve the governance process by promoting appropriate ethics and values, ensuring organizational performance management and accountability, communicating risk and control information within the organization, and helping to coordinate the governance-related activities of the board and senior management.
The IIA revised standards also require both internal and external reviews of internal audit quality. To address these requirements, a company needs to determine if its internal audit structure is doing the job. For example, is it meeting organizational needs and complying with the new IIA standards? In addition, the revised standards require an external quality review of the internal audit function every five years.
On a routine basis, companies measure and quantify the performance effectiveness of their business activities. In the same manner, internal audits need to demonstrate their own effectiveness using a performance measurement system tied to the expectations of its key stakeholders.
Only by circling back to the needs of its key stakeholders and regularly tracking its performance against the expectations of the board, senior management and operating management, can an internal audit function satisfy its objectives.
PricewaterhouseCoopers recommends balanced scorecards to measure results. These go well beyond numbers to examine important, broad-based activities. The balanced scorecard concept, based on the simple premise that "measurement motivates", is used by thousands of corporations, organizations and government agencies worldwide.
The four action areas described above give management and internal auditors a high-level framework to assess internal audit effectiveness. Unless an organization adopts each measure comprehensively, it runs the risk of having an internal audit function that may fail to meet the new, higher expectations for this key governance activity.
Martin Guerin is a Senior Manager with PricewaterhouseCoopers Slovensko. He leads the firm's Performance Improvement practice.
26. Sep 2005 at 0:00 | Martin Guerin