Internal Audit Alternative Approach
Chances are that this is one more paper on internal audit that you have read and also probably sat through numerous presentations at various conferences over the years where audit experts have talked about issues around internal audit and what needs to be done to get more value from internal audit.
You may start wondering, "If I have read all of this before, what am I going to gain from reading this again?"
It is not my intent to simply repeat what you already know about internal audit. In general issues brought out during internal audit are not limited by organizational processes and lack of controls per se, but also refect on the persons performing the internal audit and the audit process.They are about demonstrating real value and rewards arising from internal audit rather than telling everyone in the organization on what was or is being done wrongly
From our experience in auditing large and mid-sized organizations, I would say that organizations need to review their internal audit strategy when signals outlined below are noticed:
- When every employee is complaining;
- When most of the staf is working on reactive mode;
- When reports generated within cannot be relied upon ;
- When top lines are not growing and botom lines are having a negative gradient;
- When there is a feeling that too much money is being spent without commensurate returns;
- When metrics are not in line with organizational objectives;
- When initiatives are taking more time to mature than envisaged initially;
My approach here is to outline 'common sense', applied- in-the-feld of internal audit, staying away from the usual process and control jargons, desist from giving recommendations from 10000 feet altitude and rather stay close to ground and give recommendations that can be put into action immediately.
"How do you eat an elephant? One bite at a time". The same is true while carrying out internal audit. Many enterprises go for the whole elephant when dealing with internal audit though this big bang approach to internal audit has more ofen not proven efective and benefts realized get unnoticed due to scatering efect of the whole initiative. From our experience of assisting many clients in their internal audit process we realized that internal audits focused across few processes really benefted organizations not only to realize beneft but also demonstrate the gains easily to all the stakeholders. Once the benefts are visible it becomes easy for organization to get buy-in about the internal audit process and helps in performance improvement. It also becomes easy for organization to replicate the model across other organizational processes untouched initially by the audit process.
The efectiveness of internal audit will probably be a lot higher if audit is done in a manner to achieve a series of many small milestones, instead of one huge milestone that may or may not be easy to achieve. A series of small accomplishments will keep internal audit on track and make the organization feel good about the audit process. If you end up eating the whole elephant, that's wonderful. But don't forget to enjoy the bites along the way.
Another phenomenon that has been observed in case of many large organizations is presence of multiple audit functions with fancy nomenclatures doing audits exclusively for Quality, Health, Safety and Environment, Information security, Service excellence, Risk, Customer processes, etc. In such organizations the frequency at which departments are subjected to audit, leads to 'audit fatigue' for staf. Seriousness of the entire audit process is lost due to multiple generations of audit reports shared on a monthly basis with the management.
The explosion of data in organizations due to Information technology revolution in the past decade has necessitated the need to change the approach of internal audit. The internal auditors should no longer focus merely on past data for accuracy and analysis but see how organizations are using the information technology tools to set experiments and capture data that aids them in business decision.
The performance measures of internal audit should not be the usual metrics such as number of audits done in a year, percentage of audit completed as per plan or number of non compliance reported; rather there should be a metric with respect to Dollar spent in audit per Dollar audited, percentage of budget audited and percentage of risk audited.
Just as the way we do our businesses has changed with the advent of information and communication technology the approach to internal audit also requires a paradigm shif in thinking by the management. No longer should internal audit process be used as a tool for postmortem of past performance but leverage the internal audit to set the right path for organizational growth.
Internal auditors should be capable to audit the data capture mechanisms and experiments set up by the organization and then verify if the data captured is consistent and reliable for decision making process. The primary focus of the auditors should not be tallying vouchers and accounts but should be to ofer valuable inputs on the ability of organization to make use of the extraordinarily large quantum of data available for future business decisions. In a nutshell, the internal audit function needs to reorient itself from merely being a cost centre to become a revenue generator and proft centre. Such a shif will be the game changer for the internal audit function and help in redefning and widening the role of internal audit in achieving organizational success.