In my line of work, I’m often asked exactly what internal auditing is supposed to be. According to the International Standards for the Professional Practice of Internal Auditing, the answer is pretty straightforward: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.”
You might want an answer more expansive than those 19 words. So this month, let’s take a step back from the fine points of executing internal audits, to re-acquaint ourselves with what internal audit is and how you can make it helpful to your job.
Internal auditing provides opportunities for companies to improve based on independent analysis and advice. Internal audit also helps the board and senior management monitor the organization. To preserve the integrity and independence of audits, auditors maintain a delicate balance between offering advice (mainly consulting services) and providing opinions about a process, system, account balances, or other subject matter (assurance services).
The size and complexity of internal auditing functions are as diverse as the range of operating environments, risk appetites, and business and audit objectives that a company can have. The scope of audits can also vary from project to project within a company, depending on an auditor’s focus (for example, on high-risk business processes, or key management and technical controls). Ensuring appropriate audit focus is one of many reasons that management should communicate with auditors, and vice versa, early and often for every audit project.
What Does Internal Audit Do?
Internal auditing provides strategic, operational, and tactical value to an organization. For example, when evaluating information security, the internal auditor informs the board and management about whether:
business units understand the importance of security and are adhering to policies;
key information assets and systems are sufficiently secure;
programs exist to update and strengthen safeguards constantly against internal and external security threats; and
the organization’s policies are reasonable.
The internal auditor might also independently validate that the organization’s information security efforts are proactive and effective against current and emerging threats. To provide this level of assurance, the internal auditor may compare current organizational practices with industry practices and regulatory guidelines.
Notably, auditing provides only a reasonable level of assurance. Auditors cannot provide an insurance policy against every possible fault or deficiency, particularly regarding activities that cannot be totally controlled, such as collusion or management override.
What is Management’s Role?
An internal audit engagement typically has three phases: planning, testing, and reporting. Management has a vital role to play in each one.
During planning, senior management should first focus on the audit plan (the auditor’s “roadmap”) and ensure that business managers understand audit’s purpose, focus, and approach. An open, positive discussion with the audit team regarding these defining factors helps both management and the audit team communicate their expectations up front.
Audit planning should focus on critical or sensitive risks, but all risks should be considered. To this end, active involvement by management in audit planning contributes to the overall success of an audit. Management should ensure that the risks it has identified are addressed by the audit plan; both the auditor and management should be identifying areas of risk.
Management should also discuss the evaluation criteria auditors will use to assess the activity being audited. Lastly, managers and auditors should broadly discuss planned audit testing, although auditors must have the authority and discretion to select tests they deem appropriate and the transactions being audited.
During testing, management facilitates the auditors’ access to appropriate people, systems, and facilities. Management should confirm the presentation of the facts by the internal auditor, ensuring that the auditors have considered all the information available. The audit team leader and senior executives of the areas being audited should meet regularly—perhaps even weekly, and at a minimum at least once during each audit phase—to discuss audit progress, identified issues, and potential actions.
An open dialogue between senior members of both management and the audit team does much to avert misunderstandings and resolve disputed findings before the audit team issues its draft report. The audit team should communicate critical findings to management as early as possible, even outside of the established meeting schedule. These findings may also be reviewed during regular meetings, but prompt notice is necessary and usually appreciated.
During reporting, the internal audit team communicates its analysis and recommendations. Management receives and reviews the findings, develops corrective actions, and may even begin implementing changes.
Management should ensure the presentation of the findings is appropriate. They should also determine whether or not they are willing to accept the level of risk identified. If not, they should develop a realistic action plan with specific goals and timelines. And managers shouldn’t agree to recommendations that they can’t actually implement. (Too often I see management agreeing and, in the same breath, saying: “We will put in a business case to get the necessary resources.” If they don’t have the resources, they’re not in agreement.)
If, on the other hand, the company is willing to accept the risk, this should be clearly stated.
The Bottom Line
Audits exist to assess how well a business unit meets the performance goals of the organization, as dictated by the CEO, CFO, board, investors, and others. Accordingly, management’s goal is to demonstrate how well operations, controls, and results meet the needs of the business. During audit planning, managers should work with the auditors to ensure the audit scope, goals and objectives are appropriate. Thus, prompt response to the auditors’ requests for information and records throughout the audit process—planning, testing, and reporting—is for the benefit of the business, not its auditors.
Auditors exist to provide the board and senior management with an objective, independent assessment of a business unit or program (such as information security), including what they see as key opportunities for improvement. To prepare their opinions and conclusions, auditors need to review evidence of the risk-management efforts and assess performance. If managers are able to demonstrate performance and show that accountability has been established and effectively discharged, it will result in a positive audit report. It’s that simple.
The ultimate goal of management throughout the audit process should be to demonstrate that their efforts meet the expectations of the CEO, board of directors, and investors. Likewise, the auditor’s requests should be aligned with these overarching needs; that is, to support responsible performance within a sound and ethical business environment.
Accordingly, auditors and managers should work to help each other reach common goals—auditors striving to earnestly, honestly, and competently assess program effectiveness, and management working to help auditors complete valid assessments. In that vein, auditors always look for sound management practices.
Always remember that managers, not auditors, are responsible for defining and implementing solutions to issues found in the audit. Thus, it is in everyone’s best interest to have a cooperative, collaborative audit process that respects the independence and discretion of all participants. Auditors should listen to management. And for its part, management should encourage staff to be open and honest with auditors. Have you talked with your auditor lately?