It is not uncommon for CAEs to read thought leadership that highlights internal audit‘s inability to meet stakeholder expectations and room for improvement (e.g., here, here, and here). While these insights may provide specific examples of what internal auditors should do to improve their perceptions, the “how-to” of these articles usually include recommendations that indirectly infer the thought leader should be hired to fix the problem. In this article, we will provide six best practices that you can implement on your own.
What Is Considered a Good Audit Best Practice?
Audit best practices can be a subjective concept. The idea of audit best practices implies all audit departments follow standard operating procedures. Since there are differences between departments and the expectations from management, audit best practices vary from group to group. Let’s start by establishing good auditing practices. Every audit department should meet the IIA Standards, with regulatory compliance, and with management expectations. Meeting these good auditing practices usually includes performing risk assessments, completing high-quality audit work, producing audit reports, following up on issues, and reporting to the audit committee. Most departments work very hard to continually improve their performance in the standard practices. Once these good audit practices are met, CAEs will push the internal audit department to reach for audit best practices.
Thought leaders are a wonderful source of information for best practices. They typically have a good understanding of audit processes, the audit profession, and have direct access to multiple organizations to observe what works and what does not. Good audit best practices push the department to continually improve beyond the basics and add valuable audit results to the organization. These improvements also push CAEs to think beyond the current practice and consider where the industry will end up over the next several years.
While these improvement opportunities were top of mind during the CAE Leadership Forum’s August meeting, it was equally refreshing and exciting to hear event panelists Rob Goldberg, Partner at Sunera, and Norman Marks, Internal Audit author and semi-retired CAE, share their perspectives on what internal auditors can change today to continually improve our stakeholder’s perceptions.
Of the many lessons learned during their presentations, Rob and Norman shared six audit best practices that world-class internal audit departments and CAEs use that, if implemented or acted on, would help other CAEs be more effective and leave their Audit Committees more satisfied with their internal auditors. The audit best practice recommendations below help CAEs develop an improvement strategy for the internal audit department.
1. Internal Audit’s Role in Risk Management
What should internal audit be doing as it relates to the management of risk? Norman believes there are multiple things CAEs can do.
First, the CAE can seek to understand how the organization identifies risk and manages uncertainty in their organization. One of the most significant risks an organization can face is its inability to identify and respond to risk events. The CAE can and should provide an assessment of how the organization manages risk to the organization’s board of directors.
A CAE can also meet with business managers to better understand what they spend most of their time on and how that helps or hinders the organization from achieving its objectives. To help facilitate early discussions, the CAE can share and discuss relevant articles or thought leadership with business managers or discuss any adverse effects that could be experienced due to changes to people, processes, or technologies.
The CAE’s ultimate goal is to provide relevant information to the people who may need it the most. After multiple meetings, the CAE should be more knowledgeable and versed on how the organization’s principal risks are managed and be better equipped to provide insight and perspectives to business managers in future meetings.
2. Implementing a Continuous Risk Monitoring Process without Breaking the Bank
Upon contrary belief, thousands of dollars do not need to be spent on application and license fees for risk and internal audit professionals to carry out their risk assessments and risk-related responsibilities.
According to Rob, in order for internal auditors to move towards a continuous risk monitoring process, they need to be able to receive and provide risk updates in real-time. Before his role at Sunera, Rob was a Vice President in Walmart’s internal audit department. Rob assigned his direct reports and other internal audit managers to maintain different relationships with business managers across the globe to continuously monitor risk.
After each meeting, every team member would document their meeting notes on a Walmart shared drive and highlight keywords and topics discussed. That way, when another team member is preparing for a new meeting with a business manager, they can search the shared drive for critical terms and topics they may discuss and find more relevant and timely information to share.
And Norman agrees. To continuously monitor risks, internal auditors need to have regular business-oriented contact with executives. And to be able to meet with executives regularly, internal auditors need to share relevant business insights from what has been learned elsewhere in the organization.
3. Risk Resources Worth Considering
Now that the CAE has a much better appreciation of how to carry out risk management and continuous risk monitoring activities, what resources can be leveraged to find information to help facilitate a risk discussion and program?
While Norman did not mention it during his remarks, first and foremost, every risk and internal audit practitioner should read World-Class Risk Management, authored by Norman. His book is, in my opinion, the best guidance available for individuals to help organizations better manage risks by making more informed business decisions. And yes, it is that easy to buy it on Amazon.
Norman did, however, mention several methods and resources CAEs, Internal Auditors, and risk practitioners can use to help them carry out their responsibilities. First, he recommended that everyone should have, and continually improve and develop, their network of other Internal Audit, risk, and business professionals. Conversations are usually the quickest and easiest way to understand how different organizations may have resolved a similar problem.
Other resources Norman recommended to the audience included the Open Compliance and Ethics Group (www.oceg.org), the IIRC (http://integratedreporting.org/), Deloitte’s Risk Angles Series, and risk-related thought leadership published by Accenture.
I would also add Norman’s Twitter feed (https://twitter.com/normanmarks) for exciting and relevant business events and articles, and Norman’s blog (www.normanmarks.wordpress.com) two invaluable risk resources.
4. Aligning Internal Audit’s Mission Statement and Value
Most internal audit departments have mission statements that reinforce why the function is there, and they usually revolve around helping the business’s success. However, when you read most audit reports, the output, or value provided, does not necessarily reflect the mission statements. They’re usually what is wrong and what will be done to fix it.
Rob challenged the audience to improve our alignment by considering a change to the way we communicate. Instead of focusing on “here’s what’s wrong,” the focus should be on “here is how you can operate more efficiently,” or “here is what will go wrong in the future if we don’t make a change now.” Answers to these forward-looking questions should better align the value provided by internal audit with what is promised in their mission statement.
Additionally, Rob recommended that Internal Auditors and CAEs improve their ability to persuade and influence when we stop using internal audit jargon in our communications. Internal communications, especially to the audit committee, need to include less audit speak and more business terms used by your organization.
5. Audit Reporting – Less Is More
Speaking of audit reporting, why are audit reports so long? In my short time, I’ve seen and heard of examples of egregiously long audit reports. One that comes to mind would take 10 – 15 pages to summarize all of the audit procedures performed and not have any issues to report in certain instances. I’ve also heard partners at internal audit co-sourcing firms exclaim that their internal audit reports do not contain useful information until a client gets to the sixth page of the audit report.
Norman mentioned that the Institute of Internal Auditor (IIA) standards do not require internal auditors to write an audit report. Most organizations require their Internal Audit team to communicate the results of their engagement. To fulfill this requirement, Norman instructed that internal audit should seek to understand what their audience needs to know and why.
Rob added that CAEs should ask themselves the following question: What can we stop including in our audit reports that will not affect the value we provide to our stakeholders? If we look introspectively, a CAE could probably easily cut out 30 – 40% of the information included in the audit report without affecting our customers.
Potential areas to remove or significantly reduce could include the background, scope, and objectives sections of the audit reports. If an audit report uses the issue, business risk, recommendation, and action plan format, CAEs could consider removing the recommendation altogether if the agreed to action plan sufficiently remediates the issue. Finally, if an audit issue does not highlight a significant risk to the organization, the CAE should question whether or not it needs to be reported at all.
As an aside, if you do want to add more information to an audit report, consider giving credit where credit is due. Norman mentioned that for engagements where managers and team members were adequately managing their risks, he would highlight the individuals, by name, in the audit report. This allowed internal audit to spread their goodwill and even provided opportunities for executive managers, including the CEO, to thank employees for a job well done.
6. Be Project, Not Process, Oriented
When asked about potential future changes to the Internal Audit industry, Norman explained that mature internal audit departments, and their projects, will become more project-focused, and not necessarily process-focused.
To illustrate, he explained that Apple’s CAE makes it a point to hire risk-oriented project management professionals as internal auditors. Because of their risk and project management expertise, Apple’s internal auditors are embedded in different organizational projects and initiatives. If a project executive made a change that could result in an unacceptable level of risk, the internal auditor would bring it to their attention. And if they disagreed on their response, executive management would be involved.
To carry the point forward, also keep in mind that most strategic initiatives of an organization usually involve a special project team to work on and succeed. Those CAEs who seek to identify these types of audits, and align their audit plan with work catered to these projects, should have a much more risk-focused audit plan than the CAE who has a rotation of audit processes her team audits every three years.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.