Internal audit: power surge

There has been something of a sea change in the expectations and importance
placed upon internal audit teams in recent years. Board directors look to
internal audit as a primary source of assurance concerning the adequacy and
operating effectiveness of internal control systems, since ultimately these
inform much of their major decision-making.

At the same time, they are looking to internal audit to focus their time on
the things that really matter to the business and then to provide timely,
informative reports, which facilitate action to address the root cause of
problems not just the symptoms.

Change for the better

Leading internal audit teams have welcomed the change because it enables them
to improve their impact upon their organisation’s risk management and, in turn,
positively affect the value created by internal audit.

The primary stakeholders of internal audit – the board of directors, audit
committees and senior executive management – have come to recognise the valuable
role that internal audit should perform and have set their expectations

These heightened stakeholder expectations emerged as a major theme in a
recent Ernst & Young survey of Fortune 1,000 chief audit executives (CAEs).
The survey also revealed that CAEs’ dialogue with the audit committee is now far
more extensive, interactive and real-time than ever before. The majority of
respondents said that the audit committee chairman now interacts with the
internal audit function outside formal committee meetings, at least monthly if
not more frequently.

Meanwhile, there is evidence that audit committee chairmen are looking to
internal audit as a source of advice as they discharge their own duties and want
internal auditors to flag up current and emerging control issues and their root
causes. Members of Ernst & Young’s audit committee leadership network spoke
recently about the need for a ‘much deeper and more strategic relationship with
internal audit’.

Similarly, executive managers have set their expectations higher; they look
to internal audit for a reliable appraisal of the system of internal control –
for which they are responsible – and, most importantly, they want advice as to
how internal control should be improved.

Admittedly, internal audit is one of a number of groups seeking to get air
time with senior executives, so it is a critical to ensure their interaction is
relevant, concise and value adding. The good news is that there are a number of
strategic ways that internal audit can step up to the challenge.

Firstly, it needs to focus its efforts on the risks that really matter. This
means switching work away from low level, routine controls towards the matters
that are central on the executive radar screen.

Producing reliable information that answers stakeholders’ important questions
is another key element to raising internal audit’s profile with senior
executives. In the past, internal audit reports have summarised problems
identified during audit assignments and the actions plans to fix them.

Today, leading teams are investing much more senior staff time to produce
reports that convey conclusions, trends and advice that fix the fundamental
causes of problems.

There is a growing need to make audit reports clear and concise. Issues need
to be prioritised so that reports focus on the most significant matters. Changes
are also needed to ratings systems to facilitate the rapid escalation of
important matters.

We are also seeing a noticeable shift towards greater emphasis on oral
reporting rather than the written word. Presenting audit conclusions to
management provides a better opportunity to influence decisions. As a
consequence, leading internal audit teams are investing in the relationship
management and presentational skills of their personnel as well as their
technical skills.

Finally, co-ordination of all risk related work is needed. Convergence
initiatives are required to eliminate the potential for inconsistency and
duplicate reporting especially as stakeholders commonly receive reports from
different risk and assurance-related functions within the organisation
addressing similar issues.

Internal audit teams are now communicating results with shorter timescales
than ever before. Executives are challenging internal audit to produce their
reports more quickly so that they can get on and address issues sooner.

Top of the agenda

The demand for immediacy and near real time feedback of audit conclusions is
a trend that is set to continue.

For internal audit, this represents a major opportunity to influence change
for the better because the matters raised are topical, resident on the executive
agenda and impact the people tasked with improving it.

The best internal audit teams have already recognised that their stakeholders
now expect comprehensive, clear and concise feedback about the issues that
matter to them. They also recognise that this step change presents a major
opportunity to influence decision making within the organisation, thereby
improving the quality and reliability of the control environment.

The challenge now is how best to face up to the new requirements – and put
internal audit on the front foot.

The most successful teams have tackled the new expectations as a major task
with a significant impact on the ways work is planned and executed, not just the
way in which it is reported.

Top internal audit traits:

• Conclusions on the quality of risk management and internal control by each
major business area

• Details of the most significant control exposures the group faces,
highlighting the impact and root cause of control weaknesses and the
appropriateness of management’s remediation plans

• Management’s understanding of the risks and their capability to manage them

• New and emerging control themes that the business needs to address

• Consistency with the views of other risk and assurance related functions

• Comparisons against other firms, chances to take advantage of new trends

• Prioritisation of the portfolio of improvement opportunities arising from
reviews of the control environment

• Views on management’s proposed approach and capability to fix control
weaknesses and their track record in fixing known issues

• Assessments of the suitability of internal controls in the light of
strategic plans/anticipated change both market and internally initiated

• Opportunities to reduce the overall cost of control associated

Stephen Gregory is a partner and leader of Ernst &
Young’s financial services global business risk services business

Related reading