Traditionally, the role of an internal audit (IA) function has been to test financial and compliance controls and then report its findings to the appropriate oversight. But in recent years that role has evolved. Increasingly, the IA serves as a proactive advisor on a wide range of enterprise risks.
And an IA, with its cross-functional perspective, is in an ideal position to help companies anticipate and mitigate a variety of risks, improve business financial and operational processes, and evaluate strategies. To help tap into the value of an IA, companies must ensure that internal auditors have the skills and resources they need to succeed.
Here are five ways businesses can enhance the value of their IA function:
- Expand its focus. Historically, the IA has focused on financial and compliance risks. But its skill sets and position in the company make it ideally suited to participate in managing other risks, including:
- Information technology (IT),
- Merger and acquisition (M&A),
- Foreign corruption, and
- Business continuity risks.
To maximize its value, the IA should go beyond being simply a reporting function, and take a more forward-looking approach. Auditors are well equipped to help identify and assess risks, and even help businesses anticipate and avoid obstacles before an adverse event occurs.
- Use internal auditors as consultants. Instead of waiting for an IA to report possible control or compliance deficiencies, companies should tap auditors’ expertise to evaluate and improve controls and ensure compliance before problems arise. The IA can also highlight ways to improve processes and eliminate waste and inefficiency.
- Make the most of technology. Advances in technology make it possible to greatly enhance an IA’s value. Continuous auditing, for example, is an automated approach that allows auditors to gather critical information and identify problems in real time. This is a dramatic improvement over the traditional approach, in which the IA tests a limited number of samples and then reports its findings after the fact. Tools, such as data analytics and predictive modeling, enable the IA to spot anomalies quickly and focus its resources on the areas that present the greatest risk.
- Conduct quality assurance reviews. To evaluate IA performance, competence and objectivity, businesses should conduct regular quality assessment reviews (QARs) of their audit department. The Institute of Internal Auditors’ Code of Ethics requires Certified Internal Auditors to undergo a QAR at least once every five years. QARs may be conducted by an external reviewer or consist of a self-assessment with an external “validation.”
- Assess internal auditors’ skills. As the demands on IAs increase, it’s important to ensure that a company’s internal auditors have the skills and training necessary to meet these demands. Companies should recruit internal auditing personnel from a broad range of backgrounds, including those with information technology, management consulting and engineering expertise, among others. If these skills are lacking, companies should consider outsourcing the IA function to a consulting firm or “co-sourcing” with an external firm to help fill any internal skill gaps.