How to get the most from your internal audit
04 December 2023
Internal auditing is often described as an independent and impartial assurance, and in many instances, is used as a premeditated consulting activity with the ultimate aim of bringing operational value and/or improvement to an organization’s actions.
The goal here is to evaluate and enhance the effectiveness of risk management, control and governance procedures. In other words, internal auditing monitors the effectiveness of the internal control processes traditionally instilled by management. A quality audit will allow the business to achieve its purposes by delivering a systematic and well-ordered approach to its management systems. If done well, it will also ensure that those systems are efficient and in compliance with relevant laws and regulations.
But due to an increasingly complex risk landscape, internal audit (IA) teams are experiencing increased difficulty in developing plans that adequately address the risks that organizational leaders around the world feel most exposed to.
Challenges have emerged or gotten steeper because of myriad forces affecting business operations and processes – from COVID-19 and labor shortages to an increasingly remote workforce and technology acceleration.
In fact, in a recent PwC 2023 Global Internal Audit Study, which surveyed more than 4,600 business leaders in 81 countries, CEOs said that they consider macroeconomic volatility and inflation to be the top threats to their company for both the near and medium term. Yet, not even half of respondents said their company’s IA plan has addressed those risks.
So, why the misalignment?
It likely involves a lack of communication and shared purpose. An internal audit is meant to provide management and stakeholders with information about the business, so the scope of the audit can be as broad or limited as needed. Audit tests can focus heavily in some areas while ignoring others. This flexibility, however, especially in times of emerging risk, can leave many leaders not knowing where to begin, or avoiding an audit altogether. But this is precisely the moment when both leaders and their IA teams should see the challenge as an opportunity.
Unlocking potential
In conjunction with the above study, PwC indicated that one of the easiest ways to establish alignment is to cultivate more in-depth risk conversations between the first, second and third line of the company (management, risk management/compliance, IA team) to help break down barriers and find new opportunities together.
That said, according to PwC, several steps that an IA team can take the lead on include:
- Offering a viewpoint on new or draft business strategies and plans. Team members can maintain objectivity while still offering a perspective based on their cumulative experience and ability to see risk differently.
- Authoring discussion papers or presentations on emerging risk areas or topics – outside of regular audit reports – that can offer an early warning or spark discussion.
- Summarizing findings from multiple audit reports into broader root causes and themes at a company level – which can also be mapped to trends in the industry.
- Bringing in expertise from first- or second-line teams, or external advisors, to broaden debates and offer other perspectives.
- Sharing materials from industry or technical sources or communities of interest, which can help highlight industry-level trends or emerging risks.
- Agreeing on value-based metrics and KPIs, which can be measured against the value they add to stakeholders.
At the end of the day, internal auditors live in a world of risk. They look for holes, inefficiencies, inconsistencies and compliance issues. Understandably, their efforts sometimes evoke anxiety within resource-strapped organizations, but the value of these detailed examinations is irrefutable: by understanding and addressing risk, they help convey credibility, confidence and a competitive advantage.
And as PwC pointed out in synopsizing their study: with improved engagement, and a willingness to see risk differently, organizations can unlock the potential of IA, and better focus on the specific things companies can do to address the threats that today’s CEOs are most concerned about.