As I have discussed in past columns, internal audit efforts must be risk-based and contribute to the long-term assurance needs of the organization and its board. A formal risk-assessment audit must be completed at least annually and the results of that assessment should direct audit priorities.

Over the past five years, a focus on short-term results (quarterly financial results and meeting current regulatory requirements) has driven the priorities of management and consequently the organization toward a short-term perspective. Similarly, internal auditing’s efforts have moved toward this short-term focus, boiling down priorities to whichever audits the company needs to complete in the immediate quarter.

The turn of the calendar year is an excellent time to refocus sights on the long-term horizon. For example, what does the organization want to achieve in the next three to five years, and what does it need to do to get there? Certainly, each organization will have different goals, objectives, issues, and challenges, and no single “standard” long-term internal audit plan will work; but I took a shot at it anyway, and present the results below.

The Top 12 Internal Audit Priorities

Over the next three to five years, internal audit departments should evaluate their organizations’ efforts in the following areas and provide their “opinions” to management and the board.

The enterprise risk-management program. To my thinking, ERM is a silver bullet for improving governance and organizational results because it identifies your key objectives, and managing the risks that accompany those objectives is effective governance. Whether your organization is a proponent of COSO’s risk-management framework; the Australian risk-management standard; the governance, risk, and compliance guidelines from the Open Compliance and Ethics Group; or other standards, it is time for organizations to take ERM to the next level. Completing an internal audit of the organization’s ERM efforts will provide everyone with a baseline assessment report that also reveals gaps in risk management.

The top three most significant business initiatives. Over the past 15 years I have promoted (indeed, strongly encouraged) the auditing of the top three most significant IT initiatives. This year and going forward, I now firmly believe in auditing the three most significant business initiatives, with a very robust analysis of the IT component of each of those initiatives. (For more insight, see my Oct. 3 column on the importance of auditing IT initiatives well.)

The business-continuity program and the disaster-recovery program. BCP and DRP are on everyone’s list of top 10 priorities; the problem is that they always rank in the bottom half. It is now time to ensure that the organization’s resiliency efforts are truly operational. Establishing a robust preparedness capability is also one of the best investments an organization can make, and auditing BCP and DRP efforts will go a long way toward ensuring that these programs get the attention they deserve. Being able to recover IT is of course critical, but an effective business-continuity capability for the business as a whole is absolutely essential.

The information-security program efforts. Protection of an organization’s assets is a critical activity; for some companies it is the most critical activity. Auditing an information-security program is also a long-term effort involving many audits over many years, and it is time to start that long-term assurance effort. A very simple starting test: Has the effectiveness of your security efforts been discussed at the board level this year?

The overall governance regime. Corporate governance; organizational governance; performance accountability; governance, risk, and compliance: governance goes by many names. Internal auditing provides assurances to management and the board regarding an organization’s governance, risk-management, and control processes. Therefore, fundamentally, internal audit should provide an opinion regarding the overall governance “regime,” regardless of the exact term your company uses to describe its efforts. Sustainable development and corporate social responsibility issues also should be considered.

The compliance and ethics program efforts. Compliance and ethics efforts have received enormous attention (and funding) in the last five years, and this will continue over the next five years. Depending on the internal audit department’s past efforts, audits of the compliance and ethics programs should either drill down into specific opportunities or become much more high-level to provide an overall assessment.

Records management. Some people may disagree with including this item on my list or ranking it so highly. My point for including it is that if your organization has not started upgrading its records-management program to reflect today’s regulatory requirements and technological capabilities, then the organization is “at risk.” An audit of the records-management program will help determine what opportunities for improvement exist. There is nothing worse than having a policy and not following it.

The quality of the enterprise information for decision making. Information is critical to every organizational effort. The quality of the organization’s information will directly affect organizational results and, therefore, should be assessed on a regular basis—by management and by internal audit. Information management will become more critical every year.

The anti-fraud program. Sarbanes-Oxley (and equivalent governance-related legislation elsewhere) was passed to reduce the occurrence and impact of fraud and to increase the reliability and integrity of financial statements and related management assertions. Anti-fraud programs need to be established (or strengthened) as a result of these new governance requirements. The board and management need to know that these programs work effectively.

The IT function’s efforts to meet business needs. This audit priority is extremely diverse. The IT function performs a broad range of services and has a substantial impact on business results. As a result, setting IT audit priorities requires a more detailed risk assessment of its own. Fundamentally, evaluating the IT function’s efforts to meet business needs is a core audit requirement. Effectiveness, efficiency, and “customer service” are the three main components of an effective IT shop, and all three should be assessed. Deciding on further IT audit “focus” beyond these areas needs to be based on a more formal IT risk-assessment audit.

Board and executive management service requests (consulting and assurance projects). This audit activity is an important catch-all to assist with the specific or unique needs of the organization. It is also included in my top dozen to highlight the need for a customer service “philosophy” by the internal audit function. The percentage of the audit budget allocated to this important activity will differ widely, but it lets the board and management know that internal audit is responsive to the board’s assurance and consulting needs. Of course, these “special” audit projects should be of significant value to the organization, and they should not distract from the delivery of the overall audit commitment.

Process management, including continuous process improvement. My last audit priority relates to improving organizational performance. I label the audit priority “process management”; your company might call it a Six Sigma program, while others might call it a corporate quality-management initiative. This audit priority is focused on encouraging and confirming that there is an organizational process-improvement program in place, whatever the title. If the organization has not established a program to improve its performance on a sustainable basis, it is at risk.

Defining The Long-Term

As I mentioned previously, each organization is different, and its internal audit priorities will be different, too. Still, for any organization, internal audit’s priorities should be risk-based and should focus on the organization’s governance, risk-management, and control processes. Corporate-wide “themes” of cost efficiency, cost effectiveness, strategic management and control, quality management, process improvement, and so forth will (and should) influence your internal audit efforts over coming years. You also should ensure that the internal audit plan has a strong linkage with the organization’s strategic plan.

The bottom line: It is time for executives to lead, managers to manage, boards to govern, and auditors to provide assurances to the board and management that things are as people say they are. Your next audit-planning effort should make this clear—to everyone.