Revolutionizing Your Internal Audit Function
Wayne Poggenpoel
MPhil IA, NHDip IA, NDip IA, CIA, CCSA, CGAP, CET, AIISA Governance, Risk & Compliance Expert | AI in Internal Audit Innovator | 20+ Years of Experience in Consulting, Insurance & Financial Services
INTRODUCTION
It has long been known that effective and successful internal audit is less about presenting internal audit results and more about engaging executives and board members about business challenges and supporting the development of strategies that mitigate associated business risks. Previous research suggests expectation gaps between executives, board members and internal auditors are forever widening. The research further suggests that in order for internal auditors to close this gap, they need to relook at their approaches, find effective ways of meeting expectations and possibly “revolutionize” their function to consistently meet ever increasing expectations. As a familiar quote by Henry Ford, “If we always do what we always did, we always get what we always got”, suggests, if we want changes, we need to change. We cannot expect changes if we follow the same process.
Before we go into the discussion of how we could possibly revolutionize our internal audit functions, let us first understand what exactly we mean by a revolution.
What is a Revolution?
If you really want to lead a revolutionary internal audit function, there’s one cold hard fact you must begin with – you can only be a revolutionary if you’re part of a true revolution. Wearing blue jeans in an investment bank doesn’t make you a revolutionary. This isn’t about fashion – it’s about changing the world in which you work. Revolution isn’t just about beating the competition or being the badass of your industry. It’s not about harassing the people who work for you with drill sergeant orders. Sam Walton (Walmart) caused a lot of trouble … but he did it on the way to a revolution that changed the way Americans buy things. The wreckage he left behind was a mom ‘n’ pop business model that didn’t really work for its customers or communities. A revolution isn’t just gaining market share or raising shareholder value. Coke versus Pepsi doesn’t make a revolution. Coke and Pepsi versus tap water sixty years ago was, indeed, a revolution. That changed human behaviour and created an enormous ecosystem around the manufacture, marketing and distribution of these soft drinks. Enron created skyrocketing shareholder value … in fact they watched the skyrocket much more closely than they watched their original business concept, which cratered not far off the launch pad. Revolution means changing the order of things in your marketplace, in your world … and changing them for the better. It is about anticipating changes in your environment, making the needed changes and constantly adapting. The way we do things now may not necessarily be the same and probably won’t be the same in the next few years.
This article covers certain topics that you may or may not know but the intention of this article is for you to at least consider some of the points being made and hopefully assist you on your journey to “revolutionizing” your internal audit function so as to adapt to the current and very volatile business environment. The topics I will be focussing on include:
- An environment which is constantly changing
- How the internal audit fraternity has attempted to adapt to changes
- Some emerging risks and challenges
- Fraud and the various areas around it
- Internal audit strategic partnerships and how to enhance performance
- How best to deal with changes from an internal audit perspective
KEY FACTORS TO CONSIDER
A Changing Environment
The world, as we know it today, is changing and changing at a fast pace. Do any of us recall those days when internal auditors were merely seen as compliance officers or investigators? Well, that has also changed. Not only should we be seen as assurance providers but also as advisors or consultants in assisting the business to achieve its objectives. We are expected to play not only in an assurance capacity but also in an advisory one. Stakeholders rely on internal auditors not only for objective assurance purposes but also for business insight. They are expecting internal auditors to be the catalyst for positive change. We should become part of the business team without losing our independence and objectivity.
So with all these changes taking place, how has the Institute of Internal Auditors, the guardian of this profession, responded? As previously mentioned, internal audit has evolved from a compliance function to one of being an advisor as well. The definition of internal audit has changed from solely an appraisal function to that of an assurance and consulting provider, and the Institute has in the recent past developed an internal audit mission statement, namely “To enhance and protect organizational value by providing stakeholders with risk-based, objective and reliable assurance, advice and insight”. This statement basically calls for the strengthening and safeguarding of organizational value and expects internal auditors to operate at a level that displays both intuition and business savvy considering the current risky business environment.
A Risky Environment
So what makes this business environment so risky, not just from a South African perspective but from a global one? Let me delve into some survey opinions to get you into the right frame of mind. A 2015 Institute of Risk Management South Africa Report on South African Risks highlighted the top 5 risks in terms of Likelihood as well as the top 5 risks in terms of Consequence. Whereas the first focuses purely on the probability of the risk occurring, the other emphasises the magnitude of the risk. What was startling in this report was that 3 particular risks appeared in both top 5 categories. These included Corruption, Critical Infrastructure and Unemployment.
Then, in a 2015 Global Audit Committee Survey produced by KPMG, the number 1 challenge and concern suggested by Audit Committee Members was Uncertainty and Volatility (politics, economics, regulatory). This certainly implies that we are operating in an environment that is unclear, unpredictable and uncertain. Although challenging, it does create further opportunities for us as internal auditors to play an even more important role.
Fraud is another key risk that is becoming ever more prominent considering the weak global economy. Do we as internal auditors consider the probability of fraud when developing our engagement objectives, or do we not regard this as our job?
Prevalence of Fraud
How prevalent is fraud? Let us have a look. In a 2015 annual global fraud survey, on average 75% of 768 senior executives surveyed from a broad range of industries worldwide experienced fraud. The overall picture is that fraud is definitely on the increase, leaving businesses feeling more vulnerable than before. The report suggests that the number 1 incident of fraud is the theft of company assets and stock, closely challenged by procurement fraud. What was noticeable, however, is that different types of fraud seem to be more prevalent in certain countries or regions. For example, corruption and bribery seemed to be more prevalent in India, whereas procurement fraud seemed to be more prevalent in the Gulf States.
Internal Audit and Fraud
With this increase in the prevalence of fraud, and fraud becoming a key risk to organizations especially from a globalisation perspective, the IIA standards clearly outline internal audit’s responsibilities with reference to the following standards:
- Standard 1200 – Proficiency and Due Professional Care – indicates that we must have sufficient knowledge to evaluate the risk of fraud but are not expected to have the expertise of a person whose primary responsibility is to investigate fraud;
- Standard 1220 – Due Professional Care – indicates that we must exercise due professional care by considering the probability of fraud;
- Standard 2060 – Reporting to Senior Management and Board – indicates that we must report periodically on fraud risks;
- Standard 2120 – Risk Management – indicates we must evaluate the potential for fraud and how the organization manages fraud; and
- Standard 2210 – Engagement objectives – indicates we must consider the probability of fraud when developing our engagement objectives.
As internal auditors we cannot disregard fraud as it needs to be considered throughout our planning processes as we do have certain responsibilities.
Just to elaborate a bit further on fraud, I would like to quickly give you some insight into the impact of different fraud controls on fraud losses and fraud duration. A 2014 report by the Association of Fraud Examiners on fraud analysis looked at the impact of different controls on the average losses suffered and the duration of the fraud scheme. Each control was associated with the percentage reduction of both monetary losses and duration. In terms of monetary losses, proactive data monitoring/analysis was the biggest control contributor to the reduction of fraud (59.7%), followed closely by Employee Support Programmes with a 55% reduction. Regarding the reduction in the duration of fraud, anti-fraud policies, dedicated fraud functions, fraud training, fraud hotlines, proactive data monitoring and surprise audits all came top.
With the ever changing business environment, and fraud raising its head quite frequently, we as internal auditors cannot operate alone. We need to build relationships. As the famous saying by Helen Keller goes, “Alone we can do so little, together we do so much.”
Building partnerships with Management
To build a strategic partnership we first need to understand what it entails. In simple terms, it is an agreement between 2 parties to help each other or work together in order to make it easier for each of them to achieve the things they want to achieve. It is about creating a win-win situation without compromising good and ethical business practice. One key ingredient to building this partnership is to seek commonality and a shared vision. Certainly everyone comes with different strengths and weaknesses; however, the best partnerships work because the vision and values are shared. Building the internal audit partnership from the following threads will definitely strengthen the relationship:
- Creating some sort of certainty around performance uncertainty. We can possibly do this by using a combination of financial and non-financial data to provide insight, hindsight and foresight;
- Identifying risks and backing them up with some sort of evidence such as trends or indicators;
- Making use of company data and information to better anticipate performance;
- Building a platform to report on emerging risks relevant to the organization; and
- Being an enabler to management for better decision making.
By using the aforementioned guidance and advice we would be in a better position to strategically partner with management. We are then able to assist them to improve the performance of the organization by helping them navigate through the seas of business uncertainty.
So how best can we play this role? Firstly, we need to understand the business. We need to understand its strategic intent, its business imperatives and how each part/process/activity fits into the puzzle. We need to understand the responsibilities of the different role players and have an appreciation of their goals. We ultimately need to understand the workings of the engine. Without this knowledge, our attempts to build this partnership are very limited.
Articulating Business Performance Integration
Directors and senior management need to recognise that performance, risk, operational activities and assurance are all inter-linked. The inter-relationship between what goes on in one division or business unit and how it impacts another must be clearly understood. The need is for joined-up thinking and to avoid any type of silo based mentality. After all, a chain is only as strong as its weakest link.
Formalising the links between performance, risk management and assurance activities can begin by making reference to the strategic planning process which links strategy and performance across all levels of the organisation. In developing its strategic plan, an organisation begins by defining its strategic focus, and then elaborating on how it will deliver its commitments under the plan and how it will measure success. The detail of the plan breaks this down into significant corporate annual targets and associated action plans which outline how all the various business activities contribute to the achievement of the strategies.
The strategic maps that define how performance targets will be achieved can be complemented by risk maps that identify the key threats to successful delivery at each level of the organization as well as assurance information that can provide an assurance gap analysis. At the same time, responsibility for management of those risks can be specified by identifying “owners” of risks, and including details of such ownership in the performance management system. In other words, performance management, assurance and risk management can become fully integrated systems.
The net result is performance, risk and assurance “scorecards” that run in parallel and perform strategically important and complementary roles.
The underlying aim of this train of thought is to ensure that all levels of staff:
- Are aware of the strategic intent;
- Are aware of the risks that may affect performance in the areas over which they have responsibility;
- Understand the levels of assurance that can be afforded;
- Take responsibility for management of those risks; and
- Ultimately get performance, risk management and assurance activities working in parallel to ensure achievement of corporate objectives.
CONCLUSION
The only constant in this world is change. We as service providers need to evolve and adapt to this change before we are deemed irrelevant. So how best do we as internal auditors adapt to this change?
- Understand the business – get to know the strategy and how each process fits into the bigger picture. Identify what would be deemed important or key to the business and how each part of the business impacts the other. Be able to justify the importance of assurance and have a conversation around the impact of having no assurance;
- Build assurance processes into the core processes of the business. Let it speak more to the core of the business;
- When building a risk profile for purposes of planning ensure you have substantive evidence for the risks identified;
- Understand the business activities that impact performance and the reasons for good performance or the lack thereof; and
- Provide better insight into the business through the use of previous audit, risk and governance data in order to provide forward thinking information.
As internal auditors we are and will constantly be facing challenges. Our challenges will vary from soft issues such as internal audit politics, to harder issues such as resource constraints, to issues of value adding, a concept that can mean different things to different people. Nonetheless, our responsibilities are clear. The need is not only for us as internal auditors to provide the required guidance that can be trusted and believed in, but also to be able to discern the true nature of a situation, thereby displaying a more accurate and deeper understanding of the organization. As internal auditors we need to adapt to this ever changing environment and operate at a level that displays both business savvy and intuition.