The Transformation of Internal Auditing [CPA Journal, The]

Challenges, Responsibilities, and Implementation

The field of internal auditing has transformed significantly over the past decade. Several factors have contributed to this change, including the increased complexity of a globalized marketplace, high-profile fraud and corruption scandals, new laws and regulations, and increased demand from stakeholders for greater assurance. (See Exhibit 1 for some specific shifts that have occurred with respect to internal auditing.) Within the profession, internal auditing serves as a corporate conscience and guiding force that helps to ensure that business decisions and management operations remain consistent with an organization's mission, strategies, and goals.

Given the continually changing climate, auditors must take on additional responsibility to aid organizations in managing risk. Exhibit 2 highlights key qualities that internal auditors should possess. Although internal auditing presents certain challenges, businesses should strive to implement an enterprise-wide internal audit system mat takes advantage of the advice provided below.

Adding Value

The Institute of Internal Auditors (IIA) defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes" (http://www.theiia.org/ theiia/about-the-profession/intemal-auditfaqs/?i=1077).

Internal auditors would do well to frequently revisit this definition and ask themselves several related questions: Is our internal audit department designed to add value? Are our internal audit processes systematic and disciplined enough to sustain that value? Are we willing to change areas that need change?

To truly add value to an organization's operations, internal auditing has to remain relevant to stakeholders, such as management and the board of directors. Internal auditors are the eyes and ears of the organization, and they can constructively improve the entity's risk management and internal control processes, while also providing assurances as to the effectiveness and efficiency of these processes and management operations. When properly designed, internal audit activities can significantly improve the business as a whole.

Emerging Concerns

Although internal auditors often report to management and the board of directors, they are generally accountable first to their company's audit committee. The following sections present some of the key concerns of audit committees that internal auditors should keep in mind.

Risk assurance and governance. Although the focus on risk management has, for some time, been a key trend in the field of internal auditing, audit committees continue to consider it a major area of concern. The ?? has issued guidance on how to provide internal audit opinions regarding the risk management, internal control, and governance activities of an organization by updating standards within its International Professional Practices Framework.

Enterprise risk management. Wim enterprise risk management (ERM) becoming a top organizational priority, organizations' internal audit plans are being aligned with key enterprise risk areas to provide assurance that mese risks are being managed effectively and kept in check by management.

Fraud. Fraud has become a major area of concern for organizations worldwide. Internal auditors are being asked to assess and monitor fraud risks and controls, detect and investigate vulnerabilities, and provide advice on how to remedy these weaknesses.

Governmental regulation and reform. The increasing complexity of compliance laws and regulations has prompted internal auditors to help track regulatory changes and compliance issues.

Aligning an organization 's internal audit plan to its strategic plan. Internal auditors can play a significant role in assessing strategic risks and guiding the expansion of business plans. They can also aid in the acquisition of a new company, the launch of new products and services, or the modification of a business' organizational structure to achieve operational excellence.

International Financial Reporting Standards. Although U.S. Generally Accepted Accounting Principles (GAAP) remains the standard for U.S. businesses, there is a good chance that International Financial Reporting Standards (TFRS) might become the standard in the near future. In general, IFRS requires increase transparency and greater disclosure around the methods and reasons for the accounting treatment of certain transactions.

Ethics. Internal auditors are being called upon to help maintain a high standard of ethical behavior in their organizations by assessing the design and operation of thirdparty services; whistleblower policies; and ethics and compliance programs, including the handling of reported violations and subsequent disciplinary actions, when warranted.

IT security. The move toward cloud computing, mobile computing, and virtualization have raised serious concerns about the security, integrity, and privacy of information. Internal auditors are being asked to audit these risks and the controls used to manage them, while also getting involved in other GG areas, such as data analytics, disaster and data recovery, system access management, change management, and software development life cycles.

Doing more with less. Risks might be infinite, but resources aren't Thus, the task of improving risk and control management while also minimizing costs continues to be at the forefront of every internal auditor's mind.

Knowledge, skills, and abilities. Given the growing importance of internal audits to the organization, much emphasis is being placed on the skills and qualifications required by auditors, as well as on their development, training, and retention. Many organizations are seeking a certified internal auditor (CIA) at the same time that many professional practitioners are pursuing the CIA designation as a means of demonstrating their internal auditing knowledge, skills, and competence.

Challenges of Internal Auditing

The changing environment has created numerous challenges that internal auditors must face while performing their duties. The following sections highlight three of these issues.

Coping with expanding responsibilities. Today, internal auditors are not only asked to assess financial controls, but also to enhance governance, risk management, and control processes within an organization. Their responsibilities have expanded significantly to include strategy audits, ERM audits, ethics audits, operational audits, quality audits, GG audits, supplier audits, and due diligence in mergers and acquisitions. Internal auditors also have an obligation to understand how and why certain assumptions have or have not been made with respect to organizational strategy audits. For example, if an entity's management wants to launch a new product and assumes that it will get 20% of the market share within the first year, internal auditors need to question how such an assumption has been validated and how the organization might be impacted if those targets are not met.

Managing information. In order to add value to an organization, internal auditors need to efficiently integrate and disseminate information in various ways - vertically, with management and the board of directors, and horizontally, with other functions related to governance, risk, and compliance. Sharing information and intelligence with the right people at the right time is absolutely critical in decision making. In other words, information is only as good as the hands it gets into and the timeliness with which it gets there.

Keeping pace with changing business risks. The traditional model of creating an annual audit plan cannot be sustained any longer; in fight of ever-changing business risks, internal audit plans need to be flexible. More importantly, internal auditors must prioritize preimplementation activities over postimplementation activities when an organization undergoes transformational changes, such as establishing new goals, restructuring the enterprise, implementing management and personnel changes, engaging in mergers and acquisitions, and implementing new GG innovations.

Implementing an Enterprise-wide Internal Audit Program

For an internal audit activity to be supported across an enterprise in an effective and sustainable manner, it must meet the objectives described below.

Act as a resource for risk information. Internal auditors should present information and discoveries in a way that allows decision makers to make good choices. Auditors can't control the future, but they can help control the likelihood of future success by advocating sound risk management and internal control practices.

Balance a risk-based approach with an objective-driven approach. The traditional approach to risk management - listing out and managing hundreds of risks - is no longer an efficient one. With the growing need for better risk management policies and lower costs, there needs to be a stronger focus on key business objectives that set boundaries for risk assessment This helps related activities remain relevant and manageable.

Get involved at the top. Internal auditors must collaborate with management and the board of directors to ensure mat an organization's mission, strategy, and goals align with its purpose and values. They should ask relevant questions: Are the right people setting and approving strategy? Is the board providing risk oversight in the strategy planning process? Do the proposed strategies support the core values?

Maintain excellent talent. An internal audit department requires a balanced mix of internal recruits, external recruits, and third-party consultants. There should be an emphasis on training, including functional and industry certifications. In addition, the internal auditors' Code of Ernies includes the principles of integrity, competence, objectivity, and confidentiality, which must be followed by internal auditors and supported by management and the board of directors with unwavering conviction.

Prioritize people. Many internal auditors believe that people represent the most important area of an internal control environment. But when it comes to auditing, more time is usually spent on processes and technology than on people. If internal auditors want to save costs and manage risks more effectively, they must leverage an organization's people in the process and ensure that the right people have been placed in the right positions to do the right thing. Exhibit 3 provides an example of an internal control system.)

Utilizing Technology

Faced with multiple types of audits and increasing responsibilities, internal auditors can quickly find themselves overwhelmed. Fortunately, technology offers an advanced solution - it helps streamline and simplify audit processes, organize data, and automate time-consuming and resource-intensive workflows. The following sections address several ways mat technology can enhance internal audits.

Integration. In a shift to simplify and improve the efficiency of internal audits, many companies opt for a single, integrated audit management platform. Such platforms extend across the enterprise, transcending business and functional silos, facilitating collaboration, and minimizing redundant processes and effort.

Audit workflows. An integrated audit management system helps streamline the complete internal audit life cycle and establishes the "systematic and disciplined approach" recommended by the DA that closely maps each business objective to various compliance areas, business and functional areas, processes, risks, and controls. The end result is a structured, organized, and value-driven approach to internal auditing, which is an essential part of the broader risk management concerns of an enterprise.

Risk assessments. Advanced audit management systems are usually equipped with a centralized repository or library of all the risks and controls mat might affect an organization. This enables internal auditors to facilitate a targeted, risk-based internal audit that better supports business activities and key business objectives. Automated systems can help internal auditors save substantial time and effort in their risk assessment and tracking process.

Risk prioritization. Internal audit systems can support the quantification of relevant inherent risks and residual risks. They provide an aggregate view of an organization's risk profile, enabling internal auditors to prioritize and plan their activities more effectively.

Resource management. An integrated internal audit system allows internal auditors to efficiently plan and schedule audits for an entire enterprise and to deploy resources so that the most relevant and significant risks are addressed first. The system also helps standardize audit processes and methodologies for consistency in work quality; this, in turn, supports the quality assurance and improvement program required by the IIA.

Reporting. Using a robust audit management system, internal auditors can efficiently organize audit data to support their recommendations and can gain management support for taking action. Some systems are equipped with powerful dashboards that provide real-time visibility into all the audit activities across the enterprise. This improves audit tracking and enables audit progress to be measured against key milestones for timely execution.

Continual monitoring. Internal audit systems help automate the monitoring of risks and controls, provide alerts and warnings for risks that require attention, and track corrective actions recommended by internal auditors and implemented by management. Information from multiple audits can be aggregated and easily plotted on maps or graphs to track audit trends.

A Multifaceted Role

The current generation of internal auditors must strive to become as wise as an organization's board of directors, as savvy as an organization's management, as diligent as its accountants, as intelligent as statisticians, and as persuasive as attorneys. In other words, they must play a multifaceted role, while maintaining the highest levels of professional integrity in order to help their organizations avoid harmful risks and seize beneficial opportunities. It is not only a tall order but also a great responsibility. There is no doubt that audit competencies and skills will continue to be in high demand, especially as the HA endeavors to turn internal auditing into a universally recognized and accepted profession around the world.

There is no doubt that audit competencies and skills will continue to be in high demand.

Gaurav Kapoor is the chief operating officer of MetricStream, Inc., Palo Alto, Calif Michael Brozzetti, CIA, CIS A, CGEIT, is the president of Boundless LLC, Philadelphia, Pa.