The past few years have been a dynamic period for internal audit, with a significant shift taking place in internal audit's mandate: For many internal audit organizations, the focus is no longer limited to financial reporting and compliance risks, but now includes key business risks and related controls -- from cyber security and IT, to key strategic and operational processes.
Yet, according to a recent survey by the Institute of Internal Auditors, for many -- or perhaps most -- internal audit organizations, audit coverage still lags in two key risk areas: business and strategic risks, and the overall effectiveness of the company's risk management processes.
In our own ACI surveys, audit committees consistently point to the need for internal audit to "deliver greater value" to the organization. How can audit committees help ensure that internal audit is properly focused and fully utilized -- and delivers the value it should? We offer the following suggestions:
Consider the need to redefine internal audit's mandate. Internal audit is most effective when it is focused on the critical risks to the business, including key strategic and operational risks and related controls -- not just compliance and financial reporting risks. Internal audit should constantly monitor how changes in the operating environment impact the business.
In today's global, digitized environment, a broad range of critical risks need to be managed -- from cyber security and social media, to risks posed by market expansion, M&A, and the global supply chain, to talent management and culture -- and internal audit should be assessing these risks and associated controls.
Leading internal audit functions are also reviewing the company's overall risk management processes and working with management to continuously improve these processes. We're even seeing internal audit being asked to take the lead in coordinating with other governance, risk and compliance functions within the organization to identify duplication -- and, more importantly, potential gaps -- in coverage.
How involved can, or should, internal audit be in these areas while maintaining the requisite focus on financial reporting and internal controls? To answer this question, and to get the most value from internal audit, the audit committee should work with management to determine the right balance of coverage. Competing expectations of the audit committee, CEO, CFO, business unit leaders, risk and IT officers, and others may, without proper planning, pose significant risks: internal audit may lose focus, the quality of its work may suffer, and its resource and skill-set requirements may be poorly defined. To help minimize these risks, it is critical to have clear, company-wide agreement on internal audit's mandate.
Make sure internal audit has the right resources and skill sets. With an increased focus on the company's key strategic and operational risks, internal audit may need to acquire new skills -- for example in IT, risk management, operational knowledge (supply chain, shared services, outsourcing), continuous auditing, data analytics, strategic planning and more -- by training, hiring new talent or sourcing from outside service providers. Of course, the audit committee should continue to ensure the adequacy of internal audit's resources and skills in the assessment of compliance and financial reporting risks and controls.
Reinforce internal audit's objectivity and independence, and its accountability to the audit committee. As internal audit becomes more involved in helping the organization manage critical strategic and business risks, and improve risk management processes, there is a greater need for the audit committee to help ensure internal audit's "objectivity." A direct, open line of communication between the audit committee and the chief audit executive becomes even more important, and here the audit committee chair plays the key role.
Internal audit should be moving towards a higher value-add model and functioning as an increasingly valuable resource -- a trusted adviser and consultant -- to the audit committee. However, this likely will not occur without the backing and support of the audit committee for internal audit to expand its mandate -- with the right focus, resources and independent perspective.