During my 14 years of experience, I have been asked several times how an internal auditor can add value to the organization. Such a question is most commonly asked by process owners, managers, senior management executives, and audit committee members.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (Institute of Internal Auditors)
The IIA definition clearly states that an independent internal audit function providing well-defined assurance and consulting activities can add value to the organization's operations. But without understanding the criteria for being valued, an internal auditor cannot see himself as a valuable asset, source, or advisor within the organization.
Remember, value addition is the consequence of efforts made by the internal auditor.
Internal auditors must understand the perception of what constitutes value in the eyes of various stakeholders. One of the biggest challenges for internal auditors is addressing every stakeholder's expectation. Such stakeholders include Board and Audit Committee members, Senior and Executive Management, Line Managers, external auditors, and regulatory authorities.
Each stakeholder thinks differently about the internal audit function. Those charged with governance may think that auditors need to identify emerging risks and recommend ways to mitigate them. Meanwhile, middle to lower-tier management expects auditors to suggest highly objective solutions for operational and day-to-day issues.
Therefore, the internal auditor is expected to suggest pragmatic solutions to reduce risk, optimize costs, and improve processes & operations, resulting in increased profits and financial gains.
An internal auditor can be seen as a trustworthy advisor and asset if the breadth and depth of his auditing activities address the following:
During my early days in internal auditing, I hardly focused on the organization's strategy, direction, goals & objectives. Based on the audit plan, I tended to focus more on the operational processes and ignored the bigger picture.
The organisation's different functions work in tandem to achieve long- and short-term objectives. However, if one department tries to achieve its goals at others' expense, it can impact the company's overall profitability. For example, one department may be motivated to achieve higher sales or higher production of units by lowering the product's price or quality, which affects the organization's bottom-line profits and impairs the customer's confidence.
Here the internal auditor's role is to see the alignment of strategic goals with the departmental goals, not just for one department but for all the core departments. The problem arises when no strategy is formulated or when strategic goals and objectives are poorly communicated or vague.
The strategy document is a set of the organization's long- and short-term objectives, where it wants to be in the next 'x' years, and how the financial plan supports the strategy. Even if the management knows about the strategic and departmental goals & objectives, it has been seen that management fails to build enough capacity (resources + capital) to achieve those goals. The Board, senior management, and the rest of the organization were unaware of this problem. They kept reinventing the same wheel every year and making small tweaks to the existing budget, thinking they had aligned their budget with the so-called strategy.
Another aspect the internal auditor should look into is the identification of new and emerging risks. Even if the management has identified the risks, the organization must design a plan and strategy to mitigate those risks.
Due to market malpractices and a lack of robust regulatory monitoring, companies tend to abuse and violate laws and regulations, earn financial gains or enjoy the ease of doing business, or commit fraud against customers, suppliers, and stakeholders. The auditor may find it difficult to convince the management of its wrongdoings and is instead bullied for creating obstacles.
The auditor's role is to develop an audit plan covering the organisation's core activities, operations, and processes, thereby identifying the areas for improvement and resolving the misalignment between strategic and departmental priorities.
The Institute of Internal Auditors (IIA) has updated its "three lines model." It has emphasized the importance of effective governance structures and processes to achieve strategic goals and objectives. The model requires the contribution of the core functions of the organization, be it the first line of defence (operations, sales, accounting & finance, marketing, production, etc.), the second line of defence (risk management & compliance), or the third line of defence (internal auditors).
While new risks are emerging and the importance of having a risk management function increases, the internal auditors' role is also vital in addressing the risks on a timely basis and suggesting recommendations to mitigate them. Both risk management and audit functions work independently from each other; however, the role of the internal auditor is not limited to recommending internal controls but:
The internal auditor needs to broaden his understanding of power structures. Corporate governance is the distribution of authority and resources by the Shareholders and the Board among various entities within the organization. These power structures expect the internal auditor to provide an independent opinion on the progress towards fulfilling the organization's objectives.
The value is created when all lines of defence collectively contribute towards fulfilling the organization's goals. The power structures require the internal auditor to confirm that such delegation of authorities and resources is well designed and properly implemented.
The Board relies on the information provided by the first, second, and third lines of defence to make informed, risk-based decisions. The first line of defence provides information related to the organization's activities and planned and actual outcomes, while the second line of defence provides additional assurance on risk-related issues. However, independent of the first and second lines of defence, the internal auditor provides assurance or attestation, which carries the highest degree of confidence and objectivity.
The internal auditor also has to foster a good relationship with all tiers of management and within his team and peers. This will build trust with the management, resulting in easy access to information, a smooth audit process, and more efficient and effective audit performance. Hence, the concerns and recommendations from the auditor are taken seriously. The auditor is not pressured to settle for less.
Before the internal auditor starts working on operations, he needs to understand the organization's customers, around whom the products revolve. Why do customers buy our products, and what is the value proposition? The product may be a tangible item or a service; the internal auditor should understand:
The above list is just a glimpse of what an internal auditor can do. However, it gives the auditor a way to communicate and collaborate with the management and to focus on the core business processes, rather than on auditing the organisation's financial aspects.
Compliance with laws is the responsibility of everyone in the organization. Usually, the compliance function is independent of the first line of defence. Internal auditors are the biggest compliance advocates, but they shall not overdo it. Internal auditors should understand why compliance with regulation is important.
The internal auditor shall review the Compliance function, its compliance testing plans, the observations noted by the Compliance department, and how well the management has addressed those issues. The duo of the internal auditor and the compliance function strengthens the internal control environment.
Compliance testing involves the identification of relevant laws & regulations applicable to the organization. Further, the internal auditor should review the internal documents, policies, procedures, charts, etc., to ascertain the internal controls' design, which leads the management to comply with the regulation.
However, due to inadequate monitoring from the regulator or malpractices in the market, the organization tends to leverage this opportunity to its benefit. This can be anything from misleading the organization's customers to violating regulatory limits or inadequate reporting.
This may lead to fraud, and the role of the Compliance officer is seen as an inspector. Therefore, the Compliance function should directly report to the Board or Audit Committee to ensure their voice is heard at the highest level.
I never considered becoming an internal auditor while completing my professional accountancy qualification. With the rapid transformation of businesses and new ways of doing business, the internal audit function does include professionals from other backgrounds. The Institute of Internal Auditors advocates for having a diversified pool of talent within the internal audit department.
Traditionally, internal auditors are more comfortable communicating with CFOs or Finance Managers as they are from similar backgrounds. However, with the advent of new technologies that have disrupted the financial world, an internal auditor's role becomes more prominent in identifying new & emerging risks and in challenging the status quo.
Finance Managers/CFOs are the gatekeepers of the organization's financial resources. The Internal auditor should evaluate what would go wrong if these gatekeepers fail to perform their duties diligently. An error or fraud can rip apart the Company's reputation among its stakeholders & regulators and may lead to huge financial losses or possible closure.
Now the use of modern accounting applications & systems, cloud-based computing, SaaS providing financial and operational solutions, and various other digital solutions is of pivotal importance for the internal auditor. Automation of processes and reliance on systems to generate reports and alerts have paved the way for quick decision-making and reporting.
The internal auditor's role is to highlight the bottlenecks within the financial management processes and promote a new mindset to change and adopt new technologies. Automating inefficient and poorly connected processes may lead to further inefficiencies. Therefore, merely installing a new application will not solve the issues.
These are a few of the things I have witnessed during my career; indeed, this is not the end. Due to the pandemic, the world has evolved faster; therefore, the internal auditor needs to evolve and understand new risks and opportunities. The internal auditor's role is to re-assess the risks, plan, and perform the work that focuses on the organization's most important aspects, therefore adding value in the eyes of stakeholders and those who are charged with governance.