During my 14 years of experience, I have been asked several times how an internal auditor can add value to the organization. Such a question is most commonly asked by the process owners, managers, senior management executives, and audit committee members.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.Institute of internal auditors
Although the IIA definition clearly states that having an independent internal audit function that provides a well-defined assurance and consulting activities can add value to the organization's operations. But without understanding the criteria for being valued, an internal auditor can not see himself as a valuable asset/source or advisor within the organization.
Remember, value addition is the consequence of efforts made by the internal auditor.
Internal auditors must understand the perception, what constitutes value in the eyes of various stakeholders. One of the biggest challenges for internal auditors to address the expectation of every stakeholder. Such stakeholders include Board and Audit Committee members, Senior and Executive Management, Line Managers, external auditors, and regulatory authorities.
Each stakeholder thinks differently about the internal audit function. In contrast, those charged with Governance may think that auditors need to identify emerging risks and recommend suggestions to mitigate them. Meanwhile, the middle to lower-tier management expects auditors to suggest highly objective solutions for their operational and day to day issues.
Therefore, it is expected that the internal auditor will suggest pragmatic solutions to reduce risk, optimize costs, improve processes & operations, resulting in increased profits and financial gains.
An internal auditor can be seen as a trustworthy advisor and asset if the breath and depth of his auditing activities address the following:
During my early days in internal auditing, I hardly focused on the organization's strategy, direction, goals & objectives. Based on the audit plan, I tend to focus more on the operational processes and ignores the bigger picture.
The different functions of the organization work in tandem to achieve the long to short term objectives. However, if one department tries to achieve its goals at others' expense, then it can impact the overall profitability of the Company. For example, one department is motivated to achieve higher sales or higher production of units by lowering the product's price or quality, affecting the organization's bottom line profits, and impairing the customer's confidence.
Here the Internal auditor's role is to see the alignment of strategic goals with the departmental goals. Not just one department, but all the core departments. The problem stems when no strategy is formulated, or strategic goals and objectives are poorly communicated or vague.
The strategy document is a set of the organization's long to short-term objectives, where it wants to be in the next 'x' years, and how the financial plan supports the strategy. Even if the management knows about the strategic and departmental goals & objectives, it has been seen that management fails to build enough capacity (resources+capital) to achieve those goals. The Board, senior management, and rest of the organization are not aware of this problem and kept on reinventing the same wheel every year and make small tweaks with the existing budget, thinking that they have aligned their budget with the so-called strategy.
Another aspect the internal auditor should look into is the identification of new and emerging risks. Even if the management has identified the risks, the organization must design a plan and strategy to mitigate those risks.
Due to the market malpractices and lack of robust regulatory monitoring, Companies tend to abuse and violate the laws and regulations, earn financial gains or enjoy the ease of doing business, or indulge in committing fraud with its customers, suppliers, and stakeholders. The auditor may find it difficult to convince the management of their wrongdoings, and instead, he is being bullied for creating obstacles.
The auditor's role is to develop an audit plan that covers the core activities, operations, and processes of the organization. Hence identifying the areas for improvement and resolve the misalignment between strategic and departmental priorities.
Institute of Internal Auditors "IIA" has updated its model "three lines model." They have emphasized the importance of effective governance structures and processes to achieve strategic goals and objectives. The model requires the contribution of core functions of the organization, be it the first line of defense (operations, sales, accounting & finance, marketing, production, etc.), the second line of defense (risk management & compliance), and the third line of defense (internal auditors).
While new risks are emerging, and the importance of having a risk management function increases, the internal auditors' role is also vital in addressing the risks on a timely basis and suggest recommendations to mitigate them. Both risk management and audit function work independently from each other; however, the role of the internal auditor is not limited to recommending internal controls but:
The internal auditor needs to broaden his understanding related to power structures. Corporate governance is the distribution of authorities and resources by Shareholders and Board, among various entities within the organization. These power structures expect the internal auditor to provide an independent opinion on the progress towards fulfilling the organization's objectives.
The value is created when all lines of defense collectively contribute towards the fulfillment of the organization's goals. The power structures require the internal auditor to confirm that such delegation of authorities and resources are well design and properly implemented.
The Board relies on the information provided by the first, second, and third line of defense to make informed and risk-based decisions. The first line of defense provides information related to organization activities, planned and actual outcomes, while the second line of defense provides additional assurance on the risk-related issues. However, the internal auditor, being independent of the first and second line of defense, provides assurance or attestation which carries the highest degree of confidence and objectivity.
The internal auditor also has to foster a good relationship with all tiers of management and within his own team and peers. This will build trust with the management and result in easy access to information, a smooth audit process, and a more efficient and effective way of performing the audit. Hence, the concerns and recommendations from the auditor are taken seriously. The auditor is not pressurized to settle on less.
Before the internal auditor starts working on operations, he needs to understand the Organization's customers around which the products revolve around. Why customers buy our products, and what is the value proposition. The product may be a tangible item or a service; the Internal auditor should understand:
The above list is just a glimpse of what an internal auditor can do. However, this provides the auditor a way to communicate and collaborate with the management and shall focus on the core business processes, compared to auditing financial aspects of the organization.
Compliance with laws is the responsibility of everyone in the Organization. Usually, the compliance function is independent of the first line of defense. Internal auditors are the biggest advocates of compliance, but they shall not overdo it. Internal auditors should understand why compliance with regulation is important.
The internal auditor shall review the Compliance function, its compliance testing plans, observations noted by the Compliance department, and how well the management has addressed those issues. The duo of the internal auditor and compliance function strengthen the internal control environment.
Compliance testing involves the identification of relevant laws & regulations applicable to the organization. Further, the internal auditor should review the internal documents, policies, procedures, charts, etc. to ascertain internal controls' design, which leads the management to comply with the regulation.
However, due to inadequate monitoring from the regulator or poor malpractices in the market, the organization tends to leverage this opportunity to their own benefits. This can be anything from misleading the organization's customers, violating regulatory limits, inadequate reporting, etc.
This may lead to fraud, and the role of the Compliance officer is seen as an inspector. Therefore, the Compliance function should directly report to the Board or Audit Committee to ensure that their voice is heard at the highest level.
I never thought of becoming an internal auditor while completing my professional accountancy qualification. With the rapid transformation of businesses and new ways of doing business, the internal audit function does include professionals from other backgrounds. The institute of internal auditors advocates for having a diversified pool of talent within the internal audit department.
Traditionally, Internal auditors are more comfortable communicating with the CFO's or Finance Managers as they are also from a similar background. However, with the advent of new technologies that have disrupted the financial world, an internal auditor's role becomes more prominent in the identification of new & emerging risks and challenge the status quo.
Finance Managers/CFOs are the gatekeepers of the organization's financial resources. The Internal auditor should evaluate what would go wrong if these gatekeepers fail to perform their duties diligently. An error or fraud can rip apart the Company's reputation among its stakeholders & regulators and may lead to huge financial losses or possible closure.
Now use of modern accounting applications & systems, cloud-based computing, SaaS providing financial and operational solutions, and various other digital solutions are of pivotal importance for the internal auditor. Automation of processes and reliance on systems to generate reports and alerts paved the way for quick decision making and reporting.
The internal auditor role is to highlight the bottlenecks within the financial management processes and promote a new mindset to change and adopt new technologies. Automating inefficient and poorly connected processes may lead to further inefficiencies. Therefore, mere installing a new application will not solve the issues.
These are the few things which I have witnessed during my career, and certainly, this is not the end. Due to pandemic, the world has evolved faster; therefore, the internal auditor needs to evolve and understand new risks and opportunities. The internal auditor's role is to re-assess the risks, plan, and perform the work that focuses on the organization's most important aspects, therefore adding value in stakeholders' eyes and those who are charged with governance.
So how did you add value in your organization. Do share your thoughts and experience in the comments below.