june 2017 59 Internal audItor
74% of agile internal audit functions redirect resources to help their organization
manage or respond to disruption, according to PwC’s 2017 State of the Internal Audit Profession study.
value — particularly in the area of
disruptive risks — through assurance
and consulting activities such as delving into the likelihood of specific risks
to their organization and assessing the
organization’s readiness to respond to
emerging risks. Several use the term
health checks for these services.
Inventory the Categories of Projects in the Audit Plan Consider the
mix of proactive/reactive evaluations,
emerging/existing risk focus, short/long
durations, and equal/variable coverage.
Use the inventory to determine whether
the mix embraces a risk-based and
value-adding mentality. Some internal
audit functions have difficulty breaking the historic cadence of hitting every
location or every department in a set
time frame, but the objective is managing risk where it is most likely to manifest, not ensuring full coverage.
Evaluate the Nature and Timeliness of Internal Audit’s Procedures
Assess whether they are tailored to
project needs or predefined protocols.
Do all projects have a similar planning and fieldwork duration? Does
the department use the same testing
techniques across every project? Is
there such a long duration between
when a project is identified, put on
the audit plan, scheduled, performed,
and reported that the relative risk has
changed by the time it is ultimately
reported on, reducing the project’s
impact? If the audit committee
requested an evaluation of a select risk
topic by the following week, could
Alternate audit procedures and
reporting options allow flexibility in
delivering important messages.
Driving collaboration often falls upon
internal audit because of its unique
vantage point within the organization.
When done well, this responsibility
makes it easier for both management
and the audit committee to understand the broader risk landscape and
delineate between the lines of defense.
It also unites the lines of defense in
addressing disruption-related risks as
they materialize. Given the organization’s size, maturity, and industry, the
internal audit function may be serving
across multiple lines of defense at the
same time. But even then, there is an
opportunity to promote a common risk
universe and risk language by:
Ʌ Inventorying all of the organization’s various second-line or risk-oriented functions within the first
line. Understand what other risk
assessments are being performed by
those teams and if there is opportunity for alignment.
Ʌ Adjusting the frequency and nature of communications between
the second-line functions to
understand whether any overlap
or duplication exists, as well as
whether there are opportunities
to transition certain risk activities
back to the second line.
Ʌ Reassessing how the department
audits the second line of defense
and whether that could impact the
“reliance” strategy internal audit
places on such functions. Some
internal audit functions adopt criteria where partial or full reliance
can be considered over certain
risks monitored by the second line
to free up time for internal audit
to focus on high-risk, strategic, or
Be BusIness MInded
Stakeholders and chief audit executives
(CAEs) agree that internal audit functions should comprise future business
leaders. Business acumen positions
internal audit functions to help their
organizations manage disruption.
The question that many organizations
struggle with is: Do you hire auditors
and teach them the business, or do you
hire from the business and teach them
how to audit? In either scenario, the
ultimate goal is to develop business-minded professionals who operate true
to internal audit’s mandate and professional standards. Internal audit should:
Ʌ Evaluate the training and development balance among general soft
skills, internal audit methodology
and approaches, IT technical skills,
and business acumen. Some internal audit functions have embedded
auditors within the business as it
is developing new projects and
services to bring a risk-and-controls
mindset, while concurrently learning more about the business.
Ʌ Build business acumen through the
recruitment of diverse backgrounds,
degrees, and certifications to promote more organic knowledge sharing among the team.
Be FlexIBle By desIgn
Alternate audit procedures and
reporting options allow flexibility
in delivering important messages to
management and the board without
the burden of self-imposed constraints. Methodologies are helpful,
but internal auditors need to reflect
on whether their actions are focused
on risk understanding and reduction or self-imposed protocols. Many
internal audit functions are adding