Are you doing what you should to keep your organisation safe?
- Is your audit plan focussed on the right areas for the year ahead?
- Are you keeping pace with the changes to the organisation and its risk profile?
- Is there a drive to be ahead of business change and provide increased advisory work?
These are all valid thoughts when putting together both the internal audit strategy and the internal audit plan. But as internal audit leaders, does this lead to us neglecting the audit basics that underpin our purpose – keeping an organisation compliant and safe? And for those with first-line responsibilities, do you understand how internal audit is obtaining the right balance?
What are the basics?
All organisations need to comply with critical regulation and legislation, from keeping employees safe from harm to preventing environmental damage. This includes safeguarding customer data, providing the board and investors with accurate information, and the basics of financial control. Failure to comply with these requirements is costly, both financially and in terms of reputational damage.
Alongside this are commitments to customers, as well as the delivery of stated business objectives and investment returns. Each organisation has its own profile of risks and risk appetites. The policies, processes, procedures and controls within the organisation are designed to run the business, to help it grow and to keep it safe.
Creating the right balance through sound planning
Internal audit, risk and compliance teams need to have a solid understanding of the organisation's strategy, objectives and associated risks to provide an excellent service to the Board and Executives.
This might be obtained through:
- Stakeholder engagement;
- Developing a knowledge of the key processes that are essential to keep that organisation safe;
- Understanding the compliance requirements; and
- Developing an awareness of known changes to the external and internal risk environment.
Internal audit should obtain agreement with the Audit Committee, Board and Executives on its remit, strategy and plan, and on how it balances risks to performance objectives (what some might call the “exciting” audit work) with the critical requirements to keep the organisation safe.
Building the right strategy
The internal audit strategy, part of the IIA Standard requirements, provides an opportunity to address this through conversations that ensure the delivery of expectations. Auditing compliance and foundational controls might not be considered the exciting part of internal auditing, but it is critical. Just as finance teams are expected to provide accurate financial results, internal audit teams are expected to provide assurance on the core foundations of the organisation. Even more so with the current uncertainties and the nature of transformation so many organisations are undertaking.
For internal auditors, imagine that you don’t review these foundational areas at all (not even a little look), and a risk materialises because the business focus or the external factors change. Would you want to be asked why you had not prioritised this?
Food for thought
How should internal audit be contributing most effectively to keeping the organisation safe and ensuring this work is keeping pace with the other priorities?
- Ensure alignment of principal risks and material disclosures to key control frameworks (as required under Provision 29 of the UK Corporate Governance Code).
- Conduct assurance mapping including all internal and external assurance activities to identify areas of duplication or gaps.
- Use technology to automate foundational assurance work, enabling your auditors to focus on prioritised risks and exceptions.
- Ensure that the whole internal audit team understands your organisation's risk profile and strategic objectives.
- Capture and respond to incidents that arise, ensuring the right data is being brought to management’s attention.
- Listen to the organisation and speak their language, and don’t underestimate the value of those stakeholder meetings and audit conversations.
Conclusion
In a world where organisations are looking to reduce costs and drive efficiency, functional leaders come under pressure to demonstrate their value. For internal audit it can be tempting to do this through focussing on strategic objectives and evidencing their alignment with the business priorities.
However, at its heart, internal audit must provide the evidence that the business needs most: the early warning signs of something going awry that could permanently harm the organisation. The requirement to keep the organisation’s foundations in place cannot be overlooked.