Close
Article

Six Ways to Transform Your Internal Audit into a Value-Added Function

Internal Audit

“Managing our audit costs.” That’s a popular phrase in any budgeting process. Banks seek to determine if they are testing controls at the right cadence, over-testing or duplicating efforts.

Internal Audit (IA) has historically been seen as a cost center, not a value-added process. It doesn’t produce income and its value isn’t visibly impactful to the bottom line. IA is not always seen as a part of the organization, but more as an outsider. In the past, it was at times seen as a department you sent people who were perceived as less competent — a place to begin “their life in audit.”

Over the past 20 years however, the audit process has been evolving from process-based to risk-based. As the process evolves, chief audit executives have a great opportunity to demonstrate how IA adds value. There are times auditors will identify an issue that will significantly impact a business unit, but IA’s best opportunity to demonstrate its value is outside the audit process. The previous two paragraphs spoke of a “risk-based audit process.” A “risk-based methodology” is required for IA to show its true value. While it may seem semantic, there is a clear distinction. An audit process only considers events within an actual audit, a methodology is a never-ending cycle that contains the audit process, but goes further to include monitoring, risk assessment methodology, training, relationship-building and effective audit committee reporting.  It’s the employment of a risk-based methodology that leads to auditors becoming “trusted advisors.”

Here are six ways to transform your audit process into a methodology to enhance business value:

1. Establish a quarterly monitoring process

A highly effective way to stay current on evolving risks and changing business environments is to implement a quarterly monitoring process in which higher risk business units are reviewed and communicated with at least quarterly. This type of process can help the IA department identify emerging risks on a timely basis, monitor key risk indicators, and raise issues earlier which can drive cost savings.  It also allows your auditors to communicate with the business units outside the audit process. 

2. Continuously update risk assessments

Risk assessments are the heart of any IA department methodology. Even today, with the evolution of risk-based methodologies, risk assessments are only conducted annually. They never account for a changing business environments, regulatory events or the results of a recent audit. They also put undue pressure on resources at the end of the plan year as auditors are trying to complete the audit plan. Making risk assessments “living” documents that are updated based on events makes them relevant throughout the year. This helps ensure the audit plan remains up to date and reflects the risks the organization faces. Auditors will also be grateful as they will only be updating risk assessments at the end of the plan year that have not been updated recently. 

3. Make training a priority

“The auditor just doesn’t understand the business” is probably the most damning statement a stakeholder can make about any auditor or audit department. It implies auditors lack the necessary skills to even perform an audit, which would be a direct violation of the Professional Care standard in the International Professional Practices Framework. Therefore, training should be a main priority for any IA department. It should combine classroom and practical experience. Sending auditors to classroom training is easy. However, getting auditors practical skills is more challenging. Arrange for auditors to spend time with the business units outside the audit process to observe the business processes, ask questions, and learn the nuances of the business. This allows the auditors to do two things: Build relationships that help develop credibility and learn the context of the business so they can raise impactful, relevant and credible issues. When an auditor can do that, they will be seen as a “trusted advisor.”

4. Promote collaboration with business stakeholders

The importance of auditors interacting with stakeholders on a regular basis cannot be understated. Understanding what business leaders expect, their objectives and how they’re meeting them, and what they see as risks should be one of an auditors most important tasks. The information gained in these meetings and discussions can greatly affect monitoring, risk assessments and audit scoping.  It can help harmonize the audit process, build consensus on issues and positively impact the control environment.  Failure to meet stakeholder expectations relegate an audit to something the business unit has to endure, leaving little room for IA to provide any meaningful added value.

5. Forge relationships to build credibility

Relationships for most check and challenge functions are important, but even more so for IA. When auditors effectively build relationships, the audit process becomes less contentious and more cooperative, efficient and effective. IA’s ability to impact control environments and raise issues revolves around their credibility. Credibility is built on trust. And trust is built on relationships. It’s generally easy to tell when auditors have not spent the time to build relationships. Every issue is debated with incredible pushback. The audit process becomes long and cumbersome. Cooperation is at a low point. And, at the end of the audit, the business fails to see the risk and issue audit is raising but acquiesces and complies “because audit said we had to.” 

6. Enhance audit committee reporting

The final place IA can add value is in the board room through audit committee reporting. The information the chief auditor provides the committee may be the only view the committee gets into the control environment of the organization. What does the audit committee need to know and at what level?

Most chief auditors will report on audits completed, audit plan progression and key audit findings.  However, reporting needs to go deeper into issue aging. How long have issues been outstanding?  On time remediation, are issues addressed in the promised time frame?  Once management says the issue is cleared can IA validate that the remediation was effective and sustainable? What are the issue trends? BSA? Credit? Compliance? Does audit see any emerging issues?  There are many different types of information that can be discussed at the audit committee.  Whatever that information is, the chief auditor needs to be able to tell the control environment story succinctly and effectively.

In a formal risk governance framework, IA is the third line of defense. When things go wrong, it quickly becomes the first line of accountability. People ask how you know your audit function is effective.  It’s certainly easy enough to tell when it doesn’t work: something breaks. The lack of controls or high-impacting risk events aren’t enough to validate audit’s effectiveness, which could just be a run of good luck. Chief executives and chief auditors need to look further to make that determination. It can be useful to look at the methodology, how risk assessments are being completed, and training or audit committee reporting. A good place to start, however, is to just ask the stakeholders. They can tell you if you have an effective audit function.