Challenges, Trends and Recommendations
May is Internal Audit Awareness Month. What better time to discuss the challenges that come with preparing for audits and what companies can do to be better prepared? This article highlights trends in IA, insights into how auditors can continue to push their organizations forward and advice on how to better manage communication with the board by making education a priority.
Determining Audit Scope
What are we auditing and why? Determining where to look is one of the biggest challenges auditors face today. The majority of companies use risk assessments to determine their auditable entities and help with scoping specific activities. Once the auditors know what they will audit, narrowing the scope of the audit to finish within the desired time period is the next hurdle. Beyond that, audits aren’t just looking at financial risk anymore. The overall focus should be linked to management’s strategic objectives to ensure optimal value. Finally, working with the auditees to understand the existing process and gather the applicable supporting documentation can prove more valuable for both the auditor and auditee.
Having the right skill sets available at the right time is a challenge for internal audit teams. They’re under pressure to do more with less, but risks are increasing and projects are becoming more complicated. Couple that with the fact that auditors are occasionally tasked with assessing risks in an area outside their expertise and the result is an audit that provides less-than-effective results. The alternative is employing a creative mix of outsourcing and technologies to get the audits done – and in an effective and efficient manner.
Auditors are using data analytics to focus the scope of audits by pre-emptively analyzing the data to identify specific trends and unexpected patterns. If inconsistencies in a high-risk area are identified, that area will likely be audited. Automated techniques allow auditors to look at an entire population instead of a smaller sampling, increasing both efficiency and thoroughness.
Employees and partners are increasingly testing themselves and reporting results to internal audit. To validate controls, the auditors perform independent checks on these self-assessments. Self-testing drives down the expenses associated with select audits and eases the staffing challenge without impacting the results.
IT Audit Function
Assessing cyber risk is a huge responsibility for internal auditors. Surveys tend to show that a majority of companies are concerned about cyber risk, but few believe they have adequately addressed or even adequately audit the risk area. Most have defined a separate IT audit function, but too often, this team operates in a silo, which means the organization has not properly incorporated the associated risks and controls into its overall risk appetite and program.
Recommendations for Process and Progress
Traditionally, internal audit has done an inadequate job of educating the board, executives, managers and even users regarding the scope and purpose of the internal audit function. International Internal Audit Awareness Month presents a prime opportunity to make education a top priority.
Formalizing a sound audit charter and mission statement is a critical first step. Hone and practice the mission statement like an elevator pitch — you don’t get many opportunities to articulate the virtues of internal auditing. Senior executives will be more engaged if they understand the return on investment (ROI) and the value internal audit brings by helping the company to achieve strategic objectives.
Another critical area for improvement is the risk assessment process, which should be formalized and communicated to auditees and senior management. Some teams create an internal handbook but find it difficult to follow when senior management requests a fast-tracked audit. Developing clear documentation that details how audits are executed will foster collaboration with the departments being assessed.
To keep an organization’s operations primed, you have to perform regular check-ups. Effective, regularly scheduled audits provide that third and final line of defense in risk management. Audit findings must be unbiased and authoritative, providing valuable insight for making decisions, prioritizing efforts and catching problems before they escalate.
Listen to your audit committee. Problem areas revealed by audits must be addressed to meet standards and optimize operations; follow up and remediate processes as indicated. The findings of an internal audit in advance of an external audit allow the business to address issues proactively, ensuring fewer external findings and enforcement actions.
Audits don’t have to be as painful as they used to be. Using spreadsheets to document and present evidence turns audit preparation into tedious work. Fortunately, audit management can now leverage comprehensive technology known as governance, risk management and compliance (GRC) solutions.
These cloud-based solutions organize the data collection and collaborative projects required for compiling audits. They automate the assembling of work papers, processing of findings, assessing of audit risk, distribution of reports and monitoring of time and expense. The systemization of audit activities on a GRC platform streamlines the entire process, increases accountability and integrates departmental data and procedures into an enterprise-wide view.
With stakeholder cooperation, technology support and strategic focus, the benefits of optimized audit processes will be realized well beyond the internal audit team. A well-audited organization is prepared to face adverse conditions with resilience and tackle growth opportunities with confidence.