The value of the Internal Audit function is becoming increasingly critical to the strong corporate governance, risk management, effective internal control, and efficient operations of any organisation.
The Institute of Internal Auditors (IIA) framework defines internal auditing as: ‘An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes’ (IIA 2004:8).
It is a common fallacy that the Internal Audit function exists to pick holes in management’s operations. This is not at all the case! Fundamentally, the internal audit activity is now much more part of the organisation and less introspective. It involves the organisation more in the audit process and produces recommendations that contribute to its objectives. At the same time, the internal audit activity has to be careful not to lose its independence and objectivity because of moving closer to the operations.
Here are six ways that the risk-based auditing supports combined assurance and adds value to your organisation:
1. Business focussed approach assisting the organisation to achieve its objectives
Risk-based auditing ties all aspects of internal auditing together: objectives, processes, risks, controls, tests and reports. The relevance of any test can be seen in relation to the entire risk management framework because of the relationships set up in the risk and audit universe. This is not always possible where standard audit programmes are used, as it is not always clear why the test is being carried out; what the significance is of a control that is found to be defective; what risk the control is treating; and what objective is being threatened by that risk.
2. Inclusive audit approach facilitating buy in and ownership from management
As a result of the organisation being closely involved in the risk and audit process through risk workshops, risk and control self-assessments, combined assurance activities etc., management can relate to the benefits of the audit output clearly. Management is far more likely to support the audit work when they are involved in the process and can see how the audit’s recommendations relate to the achievement of their business objectives.
3. Optimal level of assurance supporting the achievement of business objectives
Risk-based auditing is more efficient because it directs audits at the high-risk areas, as opposed to simple rotation of predominantly financial areas, which may not represent the greatest risk. Risk-based auditing ensures that the risks, that matter most to the organisation (linked to key objectives), are audited and that management takes ownership and accountability for the mitigation and monitoring of these high-risk areas on an ongoing basis.
4. Enhanced priority ratings of findings and recommendations
Findings and recommendations can be ranked to provide the greatest value added in terms of the risks mitigated relating to the achievement of business objectives.
5. Improved risk mitigation
Risk-based auditing should highlight key risks that are inadequately controlled or over-controlled, thus improving risk mitigation and overall business efficiency.
6. More effective use of audit resources
With risk-based auditing, the audit plan is determined by the nature and number of risks on which the audit committee requires assurance. It differs from the alternative approach, whereby the resources available determine the audits that can be conducted. It also ensures that resources are directed towards auditing the most significant risks.
In order for the auditor to add value to and improve the company’s operations, it is important for the auditor to understand the business objectives of the organisation and the risks that threaten or need to be taken (opportunity) to achieve these objectives. Knowing where the biggest risks lie, makes it easier for the internal auditor to focus their audit effort on the areas where the most value can be added.
Acknowledgments: University of South Africa (UNISA), Course in Risk-Based Internal Auditing.
Other interesting and related articles include:
‘4 ways auditors can add value to your organisation’ written by M. Black, BarnOwl SA: http://www.barnowl.co.za/insights/4-ways-auditors-can-add-value-to-your-organisation/
‘The risks of risk management’ written by C. Burt, Halex Consulting Limited UK:
Written by J. Crisp
BarnOwl Risk, Compliance and Audit Software
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Europe and the UK.
BarnOwl supports risk and control based auditing and ensuring that risks that matter to the organisation are audited and aligned back into risk management.