Investing in emerging good practices in Internal Audit - 1

NOTE FOR THE READER

This is part of a series of short articles based on the emerging business environment and good internal audit practices by early adapters. The objective is to help, keep a focus on value adding & business improvement capabilities of internal auditing …

In this article we touch upon the state of the internal audit profession in India, maturity of the internal audit activity, an emerging tool of organizational governance, and a couple of case studies on the good practices of emerging business environment.

STATE OF INDIAN INTERNAL AUDIT PROFESSION SINCE 2013

The state of the Internal Audit profession has changed since the introduction of the Companies Act 2013. If a person reasonably aware on the going-on in the profession was to write the developments during the last seven years, it would probably read as below

Within corporates and for their Audit committee, the role of Internal Audit has increasingly become an important one and for the majority entities the subsequent years saw their activities focused around IFC & other compliances while some added fraud protection & forensic. Those using digital platform extensively covered IT audit, ERP security, Cyber security apart from process assurance, process improvement & control assessment. The more committed to professional internal auditing had their staff follow Internal Audit standards, while many encouraged learning & trainings in SQL, ACL & other data analytics. Also, Internal audit departments of MNCs and large Indian Groups follow guidelines, practices & directives of their Group internal audit department.

MATURITY OF THE INTERNAL AUDIT ACTIVITY WITHIN AN ENTITY

To summarise, these seven years since 2013, has seen a marked improvement in the maturity of internal audit function in companies and a better understanding of the two roles, viz. assurance & consulting. There has been an improvement in the management of the internal audit function. What was typically a part time additional role of the Director (Finance)/ CFO many entities now have a full time Chief Internal Auditor. Complete outsourcing is reducing sharply towards an internal audit department with a co-sourcing by professional firms. Earlier compliance assurance and control assurance were where internal audit had its focus, now it has added risk assurance at the Centre stage. The Chief Internal Auditor could be a person not necessarily with a finance background as has been in the past, but from a discipline where the significant risks of the entity are maximum, maybe a petroleum engineer in an oil company or a transport engineer at a metro, a doctor in a hospital, etc.

Also adding to the maturity of internal audit is that many Chief Internal Auditors now report to the Audit committee. Methodologies as the COSO framework for designing/ assessing controls & Enterprise Risk Management, 3 lines of defense are increasingly in use and so are assurance tools e.g. Risk Control Matrix (RCM), Value-at-risk, RACI matrix, Process Performance Rating, Segregation of Duties (SOD), Continuous Monitoring, Listening software & analysis (for social media), etc.

The increasing usage of methodology frameworks, assurance tools & compliance to internal auditing standards is contributing to the maturity of the internal audit profession in India.

Going forward, the ability to have a continuously updated internal audit plan which is constantly in line with business risks & priorities would greatly add to the maturity and the value proposition of this activity

INTERNAL AUDIT INCREASING SEEN AS A TOOL FOR ORGANISATIONAL GOVERNANCE

There are internal audit departments who are seen to be bringing significant value on risk assurance on one hand and organizational improvement on the other. Their reviews and insights are aligned to the business objectives and are future focused. The normal progression of this would see internal auditing increasingly as an important tool for an entity’s governance.

Starting with providing assurance on controls & compliances, internal audit activity added risk assurance and is now adding assurance on governance processes.

EMERGING INTERNAL AUDIT GOOD PRACTICES

Some of the take-aways for internal audit departments to consider are as under

a.) Framing the Internal Audit strategy: starts with a discussion on how much time is to be spent during the year separately on assurance and consulting activities, to maximise the potential of value addition to take place for the organisation’s operations & meeting business objectives.

This is in line with the IIA Mission for Internal Auditing. viz. To enhance (consulting) and protect (assurance) organizational value….

A few years ago, the CEO of a pharma major having a sizable chunk of their revenue from exports, was explaining their internal audit strategy as purely an assurance one. as there are large compliance issues in the pharma industry & their company was facing regular US FDA audits. So, having an assurance culture was crucial to their business and was an organizational value.

Another recent experience was while working with the Govt agencies. By its very nature, Govt have so many audits and reviews that another assurance activity may not have been as value adding at the moment as preparing them to implement risk management in their programs & schemes. Here the consulting role of internal audit as facilitating workshops on risk registers and they eventually having a formal ERM process in their programs & schemes was seen as the potential of adding value to their outcomes.

b.) Digital applications to feature in the audit plan: A significant part of the internal audit activity today is around ERP environment. As we can see business is taking a step up on the digital platform environment. The Digital Economy Report 2019 of the UN, clearly brings this out. Hence It would be no surprise, if the future internal auditing would be mainly around auditing digital applications.

Each industry will have its separate focus. An e-commerce company which has probably a few terabytes of data added every day would have a totally different set of issues with a manufacturing company going in for Industry 4.0 concepts of digital transformation and automation.

With a plethora of digital technologies finding their way for business use, right now the interest of the internal audit department is to have awareness sessions , on data analytics, bots & RPA, cloud, AI, social media, blockchain,drones’ etc.

to be continued…….

Note from the author: It may be useful to benchmark the thinking on internal audit activity in your organisation with the above. For assistance write to [email protected]