Today’s business environment changes rapidly to adjust to evolving conditions and government priorities. In these times of economic constraint, internal auditors can do so much more than simply test for compliance with policy and regulations; they can be assessing the adequacy and reliability of the controls and identifying improvements in the processes and business systems.
This requires increased communication and cooperation between managers and internal auditors. The success of this collaboration depends on managers’ willingness to accept and embrace internal audit as a value-added function.
For internal audit results to provide value, managers must respect the independence and objectivity of the internal audit function. In turn, the chief audit executive must build solid relationships with managers based on trust, respect, openness, and ongoing communication. “Unlocking the Power of Internal Audit” (CGE May 2014) talked about audit as a trusted advisor and stressed the importance of collaboration between management and internal audit. Together, they must be able to discuss risk to the achievement of corporate objectives and the effectiveness of the associated controls and mitigation strategies. This will help ensure that audit is focused on the risks that matter to senior management most.
The Institute of Internal Auditors (IIA) has developed a systematic approach to enhance communications on risk management and control based on clearly defined roles and responsibilities along what it refers to as “three lines of defence.” Management control is the first line of defence. Operational managers own and manage risks, and are responsible for implementing corrective actions to address deficiencies. The second line of defence is the oversight functions established by management such as risk management, comptrollership, and compliance. Internal audit acts as the third line of defence by providing independent assurance on the effectiveness of governance, risk management, and internal controls, and by providing advice and assistance on the manner in which the first and second lines achieve risk management and control objectives.
However, to effectively do this, internal audit must move beyond simple compliance audits. It must not only ensure controls are working but also provide strategic advice and assurance. Carmen Abela, in “Unlocking the Power of Internal Audit,” introduced the important role of audit, in collaboration with management, in providing oversight, insight and foresight. Oversight to provide timely and accurate assessments of controls; insight to understand the current control, risk and performance environments; and foresight to help the organization identify emerging risks and mitigate future impacts.
This requires auditors to understand the business, the operational and administrative systems, and the information that is being used for decision-making. The fastest way to accomplish this is through data analytics – as long as senior management ensures that internal audit is given independent access to the data necessary to test key controls, and monitor and assess indicators of risks.
Long a staple of internal audit, data analytics is no longer a nice-to-have – it is a requirement. It provides auditors with the ability to perform descriptive, diagnostic, prescriptive and predictive analysis. Descriptive to identify and explain what happened; diagnostic to understand why it happened; prescriptive to develop recommendations to address the issue; and predictive to look at what will happen and to prepare for it. The descriptive and diagnostic analyses support audit’s oversight role; the prescriptive analysis provides audit with independent insight into the efficiency and effectiveness of operations; and predictive analysis provides foresight into emerging areas of risk. Through data analytical techniques, audit can contribute to the continuous improvement of risk management processes, the efficiency and effectiveness of the governance and control frameworks, and improve information for management decision-making.
As with all aspects of government operations, while technology is critical to success, it remains underutilized. The exploitation of the power of analytics requires management support in ensuring that the data has integrity and that it is accessible to audit. It also requires auditors to develop the skills to be able to obtain, analyze and interpret information in meaningful ways.
One of the most important value-added contributions internal audit can make is the independent review – based on a solid understanding and assessment of the operational environment – of the changing and emerging risks and the functioning of critical controls.