
Internal Audit: The Board’s Agent on the Ground

(This article was contributed to Corporate Compliance Insights by Mr. David Chiang, the Director of Professional Services with ACL Services Ltd. – a Vancouver-based software company that provides audit analytic technologies to the Governance, Risk and Compliance market.)

When Siemens, one of the world’s largest companies, was recently shaken by an internal fraud and abuse scandal, its corporate board members realized that they needed to enhance their ability to oversee such a large organization. The Siemens case impacted the company’s governance structures all the way up to the board and C-suite level. And board members around the globe have watched the case carefully as a cautionary tale of the inherent challenges in governing large organizations. Being a board member is a serious commitment in this regulatory age.

Board members are by law required to be good stewards of their organizations, which means that when compliance risks and key exceptions emerge, the board (and its designated audit committee) need to be informed immediately. That’s why today’s strongest boards are developing better, more direct reporting relationships with the Chief Audit Executive (CAE). In the past, the relationship between the board and the internal audit department was focused on financial reporting, with a strong emphasis on financial statement audits and other public disclosures. Today, boards need to view the CAE as their “agent on the ground” – an independent leader who can provide objective, targeted insight into regulatory compliance, business processes, and corporate controls.

As the board chair of a university and a member of several audit and finance committees, including that of a billion-dollar community not-for-profit organization, I’ve seen first-hand why it’s critical to establish and support an effective internal auditing department. Internal audit needs to comply with industry best practices and develop a strong reporting relationship to the audit committee. Just as board members are playing a more active part in ensuring airtight corporate controls, the internal audit team and the CAE are expected to provide increased oversight into all areas of the business. An audit charter, agreed to and signed off at the board level, provides a formal structure to uphold this new working reality.

The audit charter should clearly outline the tasks and responsibilities of the internal audit department, IT, and the role of technology in audit activities and continuous monitoring. Many audit charters also specify that internal audit must comply with industry best practices. The Institute of Internal Auditors promotes industry best practices through its globally recognized Professional Practices Framework, also known as the Red Book. A key advisory in the Red Book indicates that internal audit teams should use industry-recognized audit analytics. The guidance states: Computer Assisted Audit Techniques (CAATs)

Technology is critical today to help internal audit effectively report to the board and the audit committee. CAEs may have a higher profile role to play, but in the vast majority of global organizations, internal audit has not received additional staff or financial resources. So how can the internal audit team address these new challenges?

The audit charter must ensure internal audit is using technology that is optimized for all team members – not just technically-proficient auditors – and that protects the organization from the knowledge-drain risks of staff turnover, or process and product changes, acquisitions, divestitures and growth. The right technology must provide adequate staff training, professional support, and offer a scalable, sustainable solution with a significant and measurable ROI.

Companies around the world have realized that effective audit analytics represent the best way to monitor financial transactions, corporate controls, and identify key exceptions, fraud, errors and abuse. Board members want to be sure they can rely on internal audit to inform them of significant unusual transactions and exceptions – without finding excessive false positives. We’re now seeing some of the biggest installations to date of continuous auditing technology. For example, Siemens is one such company. Aiming to become a world leader in transparency and compliance, the company is using technology to support a variety of initiatives. Global leaders understand that audit analytics enforce the myriad of regulatory rules and that the corporate mandate is strengthened with improved controls in key business processes such as the purchase-to-pay process, general ledger and beyond.

Today’s economic climate is marked by change and uncertainty. Audit committee members are feeling the pressures to be more knowledgeable, more aware of technology, and more directly connected to the internal audit team and the CAE. Where audit committees once focused on the basic financial health of an organization, they’re now looking to internal audit to analyze the company’s strategic framework, executive compensations, corporate communications, and even social responsibility. Board members want the CAE to report these findings directly. And as the IIA outlines, internal audit departments should maintain a balanced scope of work that targets risk through an operational, financial, compliance and strategic lens – a lens that will become more focused with the use of audit analytics.

As GRC audits take prominence on the international business stage, it’s clear that technology is not just the responsibility of IT departments. Risk and compliance monitoring must be supported by strong, effective governance, and boards need to be confident that internal audit has the skills and industry-recognized technology it needs to maintain objective business insight. It’s the best way to stay on the leading edge, and to fulfill our responsibilities to stakeholders.

David Chiang can be contacted at: david[underscore]chiang[at]acl[dot]com.
