By Dennis Keglovits, LockPath
Special to GRC & Fraud Software Journal
May is International Internal Audit Awareness Month, the perfect time to consider the challenges and trends in the internal audit arena, as well as how auditors can drive their organizations toward a more optimal state of governance, risk management, and compliance.
Determining audit scope
First step: What are we auditing and why? Determining where to look is one of the biggest challenges auditors face today.
The majority of companies use risk assessments to determine their auditable entities and help with scoping specific activities. Once the auditors know what they will audit, narrowing the scope of the audit to finish within the desired time period is the next hurdle.
Beyond that, audits aren’t just looking at financial risk any more. The overall focus should be linked to management’s strategic objectives to ensure optimal value.
Finally, working with the auditees to understand the existing process and gathering the applicable supporting documentation can prove more valuable for both the auditor and auditee.
Having the right skill sets available at the right time is a challenge for internal audit teams. Teams are under pressure to do more with less, but risks are increasing and projects are becoming more complicated.
Couple that with the fact that auditors are occasionally tasked with assessing risks in an area outside their expertise, and the result is an audit with poor results. The right creative mix of outsourcing and technologies is the key to an effective and efficient audit.
Auditors use data analytics to focus the scope of audits by pre-emptively analyzing the data to identify specific trends and unexpected patterns.
If inconsistencies in a high-risk area are identified, that area should likely be audited. Automated techniques allow auditors to look at an entire population instead of a small samples, increasing both efficiency and thoroughness.
Employees and partners are increasingly testing themselves and reporting results to internal audit. To validate controls, the auditors perform independent checks on these self-assessments. Self-testing drives down the expenses associated with select audits and eases the staffing challenge, without impacting the results.
IT audit function
Assessing cyber risk is a huge responsibility for internal auditors. Surveys tend to show that a majority of companies are concerned about cyber risk, but few believe they have adequately addressed or even adequately audited the risk area.
Most have defined a separate IT audit function, but too often this team operates in a silo. That means the organization has not properly incorporated the associated risks and controls into its overall risk appetite and program.
Recommendations for Process and Progress
Traditionally, internal audit teams do an inadequate job of educating the board, executives, managers, and users on the scope and purpose of internal audit functions. International Internal Audit Awareness Month presents a prime opportunity to make education a top priority.
Formalizing a sound audit charter and mission statement is a critical first step.
Hone and practice the mission statement like an elevator pitch—you don’t get many opportunities to articulate the virtues of internal auditing.
Senior executives will be more engaged if they understand the return on investment (ROI) and the excellent value internal audits create by helping any company achieve strategic objectives.
The risk assessment process is another area for critical improvement, which should first be formalized and communicated to auditees and senior management.
Some teams create an internal handbook, but find it difficult to follow when senior management requests a fast-tracked audit. Developing clear documentation that details how audits are executed help foster collaboration with the departments being assessed.
To keep an organization’s operations primed, you have to perform regular check-ups. Effective, regularly scheduled audits provide that third and final line of defense in risk management.
Audit findings must be unbiased and authoritative, providing valuable insight for making decisions, prioritizing efforts, and catching problems before they escalate.
Listen to your audit committee. Problem areas revealed by audits must be addressed to meet standards and optimize operations; follow up and remediate processes as indicated.
The findings of an internal audit in advance of an external audit allow the business to address issues proactively, ensuring fewer external findings and enforcement actions.
Audits aren’t as painful as they used to be. Using spreadsheets to document and present evidence turns audit preparation into tedious work.
Fortunately, audit management can now leverage comprehensive technology known as governance, risk management, and compliance (GRC) solutions.
These cloud-based solutions organize the data collection and collaborative projects required for compiling audits. They automate the assembling of work papers, processing of findings, assessing of audit risk, distribution of reports, and monitoring of time and expense. The systemization of audit activities on a GRC platform streamlines the entire process, increases accountability, and integrates departmental data and procedures into an enterprise-wide view.
With stakeholder cooperation, technology support, and strategic focus, the benefits of optimized audit processes will be realized well beyond the internal audit team. A well-audited organization is prepared to face adverse conditions with resilience and tackle growth opportunities with confidence.
Dennis Keglovits is the vice president of Services at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions.