Leveraging Internal Audit for Success
Auditors are often reluctant to respond to the question "so what do you do for a job?" out of fear that the person who asked this question has a negative perception of auditors and the profession. Unfortunately the reality is that in some circles this a commonly held perception. This can stem from a lack of understanding of the profession, a bad audit experience or plain old ignorance.
What needs to be realized is that an internal audit can be leveraged for success by the auditees and that it can be a positive and fulfilling experience to be audited. Blasphemy I hear some of you say! So let me try and change your mind. In this article I have provided advice on how to position yourself and your department for a positive audit experience. And remember, it can still be a positive experience even if audit issues are raised.
A smart auditee will leverage an audit for their benefit. Do you have process gaps because you are unable to obtain the requisite resources to be effective? An audit issue may be the support you need in convincing executive management that the resources are required in order to achieve department objectives.
Best case you get confirmation of a job well done, worst case you get free advice on how to improve your processes and controls.
A few definitions (from the Institute of Internal Auditors (IIA)) before we get started for readers new to the audit world:
- Internal Audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
- Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
- Controls: Are any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. ? Examples are management review and approval of an action undertaken by an analyst, and segregation of duties in an accounting system.
Now on to my advice for leveraging internal audit for success:
- Understand Your Risks and Mitigating Controls: A well managed department will have a strong understanding of the risks it faces in attempting to achieve its objectives and the controls that mitigate those risks. This is effective management and not an activity undertaken just in preparation for an audit. Ideally the risks and controls are documented and there is broad awareness of them across the department. The IA team will be assessing whether your controls are designed and operating effectively to mitigate the risks faced, so this is fundamental for success.
- Conduct a Periodic Self-Audit: A department that is proactive and takes risk management seriously will have established a control self-assessment program (often as part of an enterprise-wide program), whereby the effectiveness of controls are tested by management on a periodic basis. Management would have increased confidence going into an audit if they know that their controls have been validated as effective. If control weaknesses are identified, management would have an opportunity to address them prior to any audit.
- Designate an Audit Liaison: Appoint an audit liaison from your department who will be the primary contact point for the IA team. This will facilitate coordinated interactions and an organized exchange of information. It will likely reduce the number of communication channels between the two parties and therefore reduce miscommunication.
- Report Known Issues: If issues have been identified through management's control self-assessment or other activities, it would be prudent to report them to the IA team at the beginning of the audit. Better that than the IA team identifying the issue and forming a view that the department has a poor control environment because the issue was not self-identified and no remedial action has been taken. Keep in mind that for the most part, auditors are not looking for something an individual is personally doing wrong. They are looking for deficiencies in procedures and practices and by eliminating them the department increases the probability of achieving its objectives.
- Document Control Execution: Ensure that the execution of controls is documented (manually on paper or in an IT system) at the time of execution and is stored in an easily retrievable manner. Documenting control execution is not done just for the benefit of the IA team, but it certainly does allow for a more efficient audit to be conducted. At the beginning of an audit the IA team will be requesting documentation associated with each of the department's key controls.
- Educate the Auditors: It is a common criticism of audit teams that they lack an understanding of the department and processes that they are auditing. Auditors are risk and control experts and have a skill-set that allows them to move from process to process and be effective at evaluating controls. The independent view that they provide is a key part of the value of auditing in that the IA team may identify control weaknesses that management who are immersed in the processes day-in and day-out may not be able to see from the inside. Take the time upfront to teach the IA team how your department operates as this can eliminate misunderstandings and confusion later on.
- Ask Questions: You have every right to ask questions before, during and after the audit. Leverage the knowledge and expertise of the IA team to your benefit. They have great insight and can be strong partners.
- Be Open and Transparent: This should go without saying, but experience demonstrates that not everyone is transparent. Do not fabricate or alter evidence! If controls do not exist or have not been executed consistently and properly, last minute catch-up rarely yields the best outcome.
- Provide Timely Responses: An audit is usually a short and time-bound activity. Providing a timely response to requests from the IA team will allow them to meet their reporting deadline and will get them out of your hair sooner. In addition, delayed responses often pique the professional skepticism of the IA team that something may not be right. Perception is reality.
- Respect the Independence of the Internal Audit Department: The IA team usually has a reporting line to the Audit Committee so that it is independent from the organization's management. Decisions on what issues to report, how to report them, what risk level to assign and the overall report opinion are solely theirs. Please respect their professional judgment and independence.
- Maintain a Positive Attitude: Yes an audit can be a challenging and overwhelming experience, especially for the first time. Be positive throughout and keep in mind what can be gained from the experience. There is no need to be resentful.
My recent posts include: