An internal audit, which provides insight and recommendations based on analyses and assessments of data and business processes, is a valuable tool. It helps organize and improve your company’s governance, risk management, management controls and strategic decision-making.
But what does it take to create a world-class internal audit function?
Smart Business spoke with Laurence Talley, managing director of Risk Advisory Services at BDO USA, LLP, about how to optimize your internal audit system.
What are the big internal audit problems? How can a company counteract these?
First, you might lack resources. It’s not a destination career path, and there can be high turnover. After internal auditors learn skills like negotiation or analytical thinking, they often move to new roles or another company. But the internal audit plan must continue, which stresses the remaining staff.
Progressive companies now plan for this turnover — and some even encourage it. They coordinate with HR to keep a pipeline of candidates. By monitoring turnover and prompting employees to move to other departments, they create a culture of shared risk management and governance. Employees carry their understanding out to the organization.
Another concern is ensuring your internal audit’s approaches and methodologies align with the business strategy and the risk that matters most. Largely because of technology, the speed and fluctuation of risk are more rapid. Once an internal audit plan is set, your risk — not just your internal controls — must be continually monitored. Your internal audit needs to be strategically positioned in order to see changes coming, so it can determine how to respond.
The best internal auditors monitor risk throughout the fiscal year, working with the business to understand where there is a high risk of exposure, especially with technology and data, and challenging the internal controls in order to minimize the hiccups.
Your internal audit department also naturally looks inward at your operations and client base, but global, political and economic influences bring risks, as well. When your internal audit department does its risk assessment, which drives the audit plan, it should be robust. It should look at everything, including external influences, regulations, changes to your competition/industry and technology advancements.
What framework and strategies do the best companies use?
COSO (Committee of Sponsoring Organizations of the Treadway Commission), which was revamped in 2013, is the gold standard for a robust and comprehensive internal audit plan. No matter what the size of your company or your internal audit team, the COSO 2013 model is a playbook for managing your risks.
Your company can also get objective ideas from its internal auditors to support the remediation of issues.
Internal auditors should have a seat at the strategic planning table. If you’re contemplating an acquisition or new product line, internal auditors can offer a valuable viewpoint, help head off additional exposure and see how the change fits into your current controls. When you implement a new enterprise resource planning system, for example, have internal auditors participate in the pre-implementation, even if it takes a little longer to get it up and running.
To optimize an already strong internal audit function, where should a company start?
Start by reviewing your audit charter and leadership’s expectations. You don’t want to compromise those mandates; there needs to be clarity as to what’s expected.
Once that’s aligned, it’s a matter of adding effectiveness and efficiency. A standardized approach to assessing risk, planning your audit, executing your audit and reporting the results inherently drives efficiency. But leveraging technology to increase reach without additional time or effort is the smartest way to optimize the process. Internal auditors can get visibility on emerging risk and keep pace with changes. Technology is able to monitor key indicators that demonstrate emerging or trending risks.
Again, it comes back to making everyone aware of risk. The more you have a culture of risk monitoring and managing with self-checks on the department level, close to the emerging issue, the better your company will be able to remediate that risk.
Insights Accounting & Consulting is brought to you by BDO USA, LLP