
Making internal audit a value added partner by Shipra Khandelwal

changing role

“In this world nothing can be said to be certain, except death and taxes”, Benjamin Franklin wrote in 1789. If he was alive now, he might have added auditors to the list.

Governance in the financial industry is being set up as three lines of defense, where the first line is business units, who are the creators and owners of risk. The second line is the risk management and compliance functions, which are responsible for monitoring and controlling the first line. Lastly, the third line is the Internal Audit function, whose primary objective is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively. Since Internal Audit is an independent unit, it reports directly to the board of directors and audit committee. While the third line internal audit function is fully independent, it still looks at governance in a piecemeal fashion. The focus is on whether individual units are meeting their laid-down processes and controls, and if these processes and controls are effective.

The role of internal audit has changed with time. As demonstrated in Table 1 below, nowadays the FSB wants internal audit to go beyond this remit to produce an opinion on whether the whole risk governance framework seems appropriate, which is much more judgmental.

Table 1: Responsibilities of the three lines of defence under FSB recommendations (FSB 2013a)

auditing risk culture

Internal audit functions have a critical role to play in assessing the risk governance framework, including the risk culture of the organization, and informing executive management and boards of directors of the results of their work. For many internal audit functions, this role represents a major change to their mandate and to the nature of work they have traditionally carried out. Delivering on this new mandate carries with it important implications for the skills and capabilities of the internal audit function itself.

“Internal audit, acting as the eyes and ears of the board but independent of management, is in a unique position to judge and advise whether the tone from the top is being adhered to across an organization. Through internal audit, a board can satisfy itself not only that the tone from the top represents the right values and ethics but, more importantly, that this is being reflected in the actions and decisions throughout the organization.”

Dr Ian Peters, Chief Executive, CIIA, July 2015

The internal audit function can play a fundamental role in providing either assurance or consulting on risk culture to the company’s governing bodies. Internal Audit can seek to understand whether an organization’s values are disseminated among people in the organization, and adopted by them, or demonstrate whether the results are the ones expected.

“Culture is the product of a number of different drivers within firms and is shared by many influences that drive the behavior of everyone in an organization.”

FCA Business Plan 2017/18

To be able to deliver on this evolved role, auditors need to be seen as business partners rather than as police. This will definitely help in evolving the overall risk culture in the organization. So what prevents Internal Audit from doing so?

negative perception

The internal audit function is frequently perceived as an internal cop, and internal auditors as enemies. Risk and Control functions do not really like to talk to them. Time spent with internal auditors is often seen as a waste of time and energy. They are seen as people who are just there to point out mistakes, whether relevant or not. People often either do not want to share information with them or do not share it adequately, which makes the internal auditor's task very difficult and stressful.

The typical mindset is “How can we get rid of them as fast as possible?” instead of “Can they really add some value to my work?” Internal audit and external audit are both treated in the same way, no matter that one is internal and the other is external.

new paradigm: a win-win approach

There are several ways to create a win-win approach for both risk and control functions and internal auditors.

1. The annual audit plan

The annual plan of internal audit is generally either motivated through mandatory regulatory audits or on the basis of what could be of interest to supervisors. Hence it’s only the supervisors who are seen as stakeholders. Instead of working in isolation while making annual audit plans which might lead to only auditing the areas from a helicopter view, it would be truly useful to involve various internal stakeholders from risk and control functions, who might be able to provide ideas on which areas they feel need closer audit cooperation.

2. Risk-based audit

It is often observed that auditors can get obsessed with checklists which are generally made from past experiences of regular audits. The problem with that is that it isn’t always in the dynamic business context and may not actually address the specific threats the company faces. If, instead of working from a checklist the auditors could work through threats and risk analysis, then they would end up with a set of recommendations that described the whole issue from threat to impact.

Adopting a risk-based annual audit plan, developed by incorporating the organization’s highest risk departments, business units, processes, and respective controls, would make effective use of internal audit’s limited resources and thereby add value through efficiency.

3. Proactive partners

Internal audit can also be proactively helpful. Instead of just auditing existing programs, truly make them your partner. Bring them in to help with your decisions if you are making changes to your program or identifying a new compliance technology to implement. They should have a seat at the table early, because it’s better to get their opinion up front before a problem occurs rather than afterwards.

4. When mistakes occur

The reasons for control failures or lack of controls can be manifold. We as humans are often not able to spot all our mistakes, hence the need for random checks. If these mistakes are spotted by regulators, along with the risk function it is the internal audit function which also gets a hit, as it was their job to identify such gaps. Consequently, it is always better that internal audit identify issues rather than regulators.

5. Collaborative tone

When an auditor or auditee views and approaches an internal audit as a foe, the trajectory of the audit can be altered. At the end of the day, we want to maintain good working relationships with colleagues while still achieving the objectives of the audit. It is the responsibility of the auditor to set the tone of the audit in the opening meeting. This can be done by approaching the audit in a collaborative manner, and reinforced throughout the course of the audit by having respectful and open conversations with subject matter experts.

When internal audit is viewed as a foe, the intent can be perceived as a way for the auditor to point out the “dirty laundry” of the auditee, pick apart processes and procedures, and exercise personal agendas. Instead, the auditor should foster a spirit of collaboration throughout the course of the audit. This means that there is some give and take with the auditee, leading to many meaningful conversations and brainstorming on ways to correct or improve issues. When a spirit of collaboration is shown, the audited department is much more likely to reciprocate the same spirit of collaboration. This collaboration leads to the full accomplishment of the objectives of the audit.

Equally, the auditee should be open and forthright during audits and not make it difficult for internal audit to do their job. Don’t fight things that are clearly issues; instead, focus on working with audit to identify the best way to fix them. At the same time, internal audit should not make mountains out of molehills or assume that the reason for an issue (small or large) is that compliance is inept. Instead, dig for the root cause of issues. Mistakes happen, and often external factors out of compliance’s control (e.g., staffing shortages) can lead to issues. Identifying those root causes and helping identify solutions is what makes internal audit truly valuable.

6. Constructive feedback

A formal feedback process after the completion of audit between the internal audit department and auditees can help nurture their relationship in a healthy way.

7. Exchange of resources

Internal movement of resources from internal audit department to auditee functions and vice versa is a useful way to get a holistic perspective on both functions, which at the end will help in better dialogue between functions and hence make the internal audit process more efficient.

8. Internal consultants

Internal auditors are risk assessment and internal control specialists. Their expertise in these areas enables them to help management analyze risks to the organization and design controls to mitigate those risks. Auditors add value to internal control design by performing audits, researching issues, and benchmarking with peers on best practices.

conclusion

Today’s auditors must be much more attuned to opportunities for enhancement, as adding value is widely considered an integral part of the audit process. Careful attention to the organization’s risk profiles and the information requirements of various players in the organizational governance framework represents an ongoing challenge to audit practitioners and is key to ensuring that the value they add is maximized.

If an internal audit has a friendly tone, clearly stated intent, and a spirit of collaboration, it will be successful! For an auditor, there is nothing more fulfilling than to get to a closing meeting for an internal audit and have the audited department thank you for auditing them. It can happen!

Disclaimer

The views expressed in this report are purely the author’s views in her personal capacity. Though inspired by real-life experiences, they have nothing to do, directly or indirectly, with any organisation in particular. The views are based on practical experience gained by working in different industries.

author

Shipra Khandelwal

Shipra Khandelwal is a specialist in governance and risk. She is a qualified chartered accountant and currently works with one of the largest Nordic banks. She is responsible for supporting ‘The Business Customers’ division with their risk & compliance-related activities.

During the course of her 18 years, Shipra has gained a wealth of knowledge. She has worked in various roles, such as at a leading stock exchange, as a corporate treasurer and as a GRC professional in a leading European bank. In addition, she was active during the financial crisis of 2007 and helped corporates through different consulting roles, both with a domestic financial risk consulting firm and with the Big Four.
