By using best practices, internal audit functions can significantly enhance the probability of a successful transformation and virtuous governance.
The role of internal audit has been ignored in all discussions on governance i.e. Strategy, Governance, Ethics, Risk Management and other boardroom processes have historically been a "no - go" area for Internal Audit. However, Today, this is no longer the case because independent assurance on governance is now seen as crucial. The reasons as to why internal audit has been ignored needs detailed examination that we should dive into. But before we get there, let me ask a few questions;
- Is it lack of independence of the audit function?
- Is it conflict of interest?
- Is it that the audit is conducted by staff members who do not understand modern concepts of auditing?
- Is it the competence of the audit staff? (Is it that auditors are not up-to the industrial best practices?)
- Is it the perception of the audit’s work by the audit client?
- Is it that there is no full top management commitment to the audit functions?
Now, let us figure out the answers;
The quality of audit work is directly correlated with independence and importance accorded to the internal audit function in an organisation. The poor status of the internal auditor is the main reason why competent staff are reluctant to take up this work. As a result, most companies do not have an efficient and effective internal audit department. The head of internal audit needs to be elevated in the hierarchy to a level consistent with that of the Chief Executive Officer (if applicable) or more to minimize discounting of internal audit inputs and enhance the quality of internal audit activities. Internal Auditors should be catalysts for improvement without compromising their independence.
Internal auditors also have a special responsibility since no specific set of guidelines exist for best practices in ‘Governance’. A few suggested concepts in this regard are:
a) Internal auditors must identify forces that impact governance, understand the core components of corporate culture and an effective ethical framework.
b) The internal auditor needs to continuously update himself of the changing times and technologies and sharpen his skills. This can be achieved through obtaining membership from professional bodies like #ISACA, IIA etc. and attending trainings organised by the local chapters e.g. ISACA Kenya Chapter hosts training events like annual conferences, evening talks, breakfast talks where professionals meet to share knowledge and experiences in their lines of duty (s). By acquiring and applying skills to the most critical points, building personal, professional credibility, recognizing and responding to the needs, internal auditors can become indispensable, hence speeding good governance.
c) They must constantly fine tune their knowledge of these influences; and they must articulate, and recommend to management and audit committee, actions that will help the organisation against both traditional and emerging risks;
d) Management and organisational objectives must be the focus of internal auditing practice, and internal auditing must be fully integrated with organisation i.e. understand the impact of organisational governance maturity on internal audit's role.
e) Internal auditing approaches must be flexible and adaptable, emulating today’s changing environment. This will require the review of phases of the strategic planning/ implementation process.
f) Internal auditors must be creative and aggressive as they seek strategies to add value, safeguard assets, and promote effective governance.
However, recognizing the need to sharpen focus for bringing change is the easier but implementing strategic change and measuring the results is by far the greater challenge. Too often internal audit change initiatives fail, and the desired outcomes are never realized.
It is not too late to revive the audit function in our work environments. By incorporating proven change management and project management techniques throughout the transformation process, internal audit functions can implement change initiatives quickly and effectively. One part of internal audit's consultancy work would be to work with the management to improve systems, processes and methods of working. With regard to using information technology (IT) tools to simplify processes, internal audit could identify control weaknesses prior to the system going live.
By identifying loopholes and strengthening the system during the development of the system is desirable as it is cost effective than trying to change the system at a later date, this will allow for the controls to be fully tested and not delay the implementation of the project.
Internal audit may be able to offer a proactive approach, which may provide advice on a framework for risk management on the project, facilitate risk identification, assessment and mitigation through the implementation of controls.
Successful internal audit transformations involve four key best practices:
1. Good planning at strategic and tactical levels;
2. Project management techniques to ensure that plans are achieved;
3. Change management techniques to facilitate change, improve communications and facilitate stakeholder buy-in;
4. Dedicated staffing for the transformation initiative.
Conclusion
By using best practices, internal audit functions can significantly enhance the probability of a successful transformation and virtuous governance. In addition, many of the tools and strategic approaches used in the transformation process have applications that go beyond the transformation process and can be used to enhance basic internal audit strategies. I have seen the value of using these best practices and referencing to standards like #ISACA standards, ISO/ IEC, ITIL, etc. to ensure the most effective transformation possible, and it is well worth the additional time and effort they require.
“Together, We Work Smart”.
This article was originally published on here by Veronica Rose, a certified Information Systems Auditor and an Author.
