Home > Risk > New advice for internal auditors

New advice for internal auditors

There’s a new article that merits our attention. It’s from the software vendor, MetricStream.

Strengthening Internal Audit’s Business Impact makes some good points:

  • From corporate policemen to strategic advisors, internal auditors have come a long way over the past decade. Today, boards and leadership teams are looking to them not just to point out where internal controls are inadequate or ineffective, but to provide insights on how the business can improve its efficiency and operating effectiveness.
  • One of the simplest ways for internal auditors to create value is to ensure that their objectives and plans are always aligned to business objectives.
  • Internal auditors might even want to challenge the business objectives to ensure that they are precise, attainable, and practical.
  • Many audit training programs focus on enhancing the technical skills or domain expertise of the audit team, but it’s just as important that they build the team’s business knowledge as well.
  • Reporting is internal audit’s opportunity to weave together what they’ve seen and observed into one cohesive set of insights that can help the business catalyze efficiency, performance, and growth.
  • When business leaders understand which audit issues are most likely to impact the achievement of their goals, they can then prioritize their responses.
  • Agile auditing focuses on responding more dynamically to changing risks and stakeholder expectations.
  • While traditional audits are often planned based on the capabilities and capacities of the audit function, agile audit plans tend to focus more on what the business needs.
  • Internal auditors today have the opportunity to create real business impact.

These are all good points.

BTW, they are a software vendor, so I suggest ignoring their comments about technology and its use by internal auditors. There is frequently a great deal of value, but its neither certain nor the same for every organization.

My thoughts:

  • Internal audit has progressed significantly over the last decade. Perhaps half have moved away from annual audit plans to ones that are far more dynamic (in line with agile auditing, although that term is newer than the practice of continuous audit planning). There is still a lot of progress to be made to bring the other half to a more dynamic process and everybody to more of a continuous planning activity than one that is quarterly.
  • The reference to insights is very important. When we developed the Core Principles, we were referring not only to the traditional comments in the audit report, but also to the insights we have as professionals that may or may not be backed by hard evidence, but should be shared with leadership.
  • The idea of “aligning to business objectives” seems passive to me. It sounds like you pick the audits you want to do and then identify which are the objectives to which they might relate. I very much prefer to consider the objectives, what is relied on to achieve them, and then plan audits to provide related assurance, advice, and insight. Add to that ensuring that we only perform audits where there is a strong likelihood that our results will provide valuable information to leaders of the organization.
  • The idea that internal audit challenges the setting of business objectives is, itself, challenging. It’s fair that we say something if we don’t believe the processes for setting the objectives are sound. For example, we should point out situations where functions like Compliance were not consulted, or if the impact of technology advances has not been considered. I think it’s also fair if the objectives of a team or business unit are not properly aligned with those of the enterprise as a whole, or are in conflict with another department, business unit, etc. But I am not sure we should challenge them based only on whether we think they are the right objectives.
  • I agree entirely with the need to make sure auditors understand the business. But let’s not forget other soft skills, such as interpersonal communications, listening and interviewing skills.
  • There’s a lot I could say about reporting. Let me just make two points. 1. It’s not about reporting, it’s about communicating. 2. Tell them what they need to know, not what you want to say.
  • If you cannot explain why something is important and how it affects the achievement of objectives, maybe it isn’t and doesn’t – and management should ignore you.
  • We can and should have a significant impact on the business, but that requires that we audit what matters, when it matters, and communicate the assurance, advice, and insight leaders need for success.

I welcome your thoughts.

  1. July 27, 2020 at 8:55 AM

    The idea of “Tell them what they need to know, not what you want to say” is very good advice but my question is how to find out that. So auditor should find the audit universe that fit with what they need to know?

    • Norman Marks
      July 27, 2020 at 9:27 AM

      Thank you for the question.

      1. Please move from an audit universe to a risk universe
      2. Understand what they are trying to accomplish (objectives) and what they depend on
      3. Talk to them and listen to what they are doing in running the business, what and whom they depend on, what has to work for if they are to be successful, where they spend their time, and more.

      I cover this in Auditing that Matters

  1. July 27, 2020 at 8:24 AM
  2. July 31, 2020 at 6:22 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: