Seven priorities that should be on every internal auditor's 'to-do' list
As internal auditors, we work in complex and demanding environments where business, technological, social, and other dynamics challenge us to meet the increasing expectations of the board and senior management. While many internal auditors find it difficult to keep up with the cycle of risk-and-control reviews, there is no alternative. Failure to demonstrate how we add value will eventually result in stakeholders viewing internal audit as irrelevant.
The following actions are crucial to avoid this outcome.
1. Be Pre-Emptive, Not Only Reactive
We cannot rely exclusively on after-the-fact reviews. Auditing programs and transactions after they occur is integral to our work and allows internal auditors to determine how effective or poor business dynamics are. But a risk-centric approach, now central to our role, begs anticipation of negative outcomes and the sounding of an alarm when conditions suggest that trends, patterns, decisions, and structures are likely to result in value loss to stakeholders.
This does not mean we co-manage. We must remain independent so we can be objective. Yet merely telling our clients how much was lost or what mistakes were made, is not enough. We cannot move forward if we only look backwards.
2. Perform Root Cause Analyses When Evaluating Findings
Every experienced internal auditor knows there are "findings" in name only because the clients were aware of the problem before the review was performed, but they can't identify the source. In all cases, but these in particular, what the clients need most is information about why the issues happened. Recommendations will yield inadequate results if they address only symptoms while bypassing the root cause.
Describing and quantifying conditions and impacts is essential because as internal auditors we are the eyes and ears of the board and senior management, but we should go beyond listing problems to research the factors that caused the nonconformance. This will take some additional work, but it is indispensable so management can address the source of problems and avoid their recurrence.
3. Hire the Best and Develop Well-Rounded Internal Auditors Through Training
Technical skills are central to our work and cannot be neglected. Every industry and every organization will have its own list of hard skill requirements, but soft skills are increasingly essential for success. We cherish auditors with multiple degrees and certifications who have a great memory for accounting and compliance requirements, but we don't work in seclusion. We need to interact within and outside our unit, facilitate meetings, know what to ask and how, be perceptive about human interactions, collaborate with our clients to determine what matters most to them, and diffuse difficult situations. By strengthening our individual and collective skills and competencies and acting with enthusiasm and a sense of urgency, the organization will notice us.
4. Explain to the Audit Committee and Senior Management How Our Work Links Objectives, Risks, and Controls
The traditional practice of focusing almost exclusively on control deficiencies has resulted in internal auditors being perceived as the "gotcha" and the "no" people. We can change that image by providing a more comprehensive picture of the true benefits we offer our clients. In addition to identifying control breakdowns, we must explain how those deficiencies allow risk to hurt the organization and jeopardize the achievement of objectives. As such, they concern everyone whose duty it is to protect and enhance stakeholder value.
5. Promote Continuous Change and Improvement Within and Outside the Internal Audit Unit
Are we agents of positive change or guardians of the status quo? Without stability and predictability organizations can quickly turn chaotic, but excessive reluctance to embrace change will make the organization obsolete. In a world of constant change, successful organizations must be innovative, flexible and resilient. As internal auditors we are well positioned to help the board and management evaluate strategic needs, assess the readiness for change, gauge the operational and technological ingredients for success, and verify that human factors are in place to help the organization thrive.
Competition is relentless, public sector funding is limited, and revenue growth is narrow, so internal auditors should work with management to capitalize on opportunities while improving efficiencies. By helping the organization identify, promote, and successfully implement change initiatives, we are simultaneously helping to create a culture of continuous improvement.
6. Broaden Our Image from Service Provider to Corporate Leader and Trusted Advisor
There is no denying that internal audit is a service function within organizations. Does that mean we must be silent, invisible, and static? Not at all. We should offer hindsight, insight, and foresight. This focus on the past, present, and future will result in internal auditors being sought after for our thoughts on organizational structures and practices. Over time the perception will shift from being providers of compliance-centric services to one of valued experts who can review and advise corporate leaders on governance, risk management, and control topics.
7. Embrace Technology
We are far from living in a paperless society, but organizations that rely disproportionately on paper tend to be slow, inefficient, and burdened by heavier operating costs. While every process can't be automated immediately or easily, we must help our clients capture better data, protect it, understand it, and use it effectively through automation. Within our own practices we must increase the use of data mining and analytics to understand the intricacies of the programs and processes we review, and to tell our clients things they don't know. Lastly, given the increasing scope of our work, technology can help us provide better coverage at a lower cost.
We can play a critical role evaluating key risks and controls, promoting appropriate ethics and practices, and supporting initiatives that create value for the organization's stakeholders. It is a virtuous cycle where consistently delivering these items makes us relevant, and by being relevant we are invited to continue delivering our services. When we apply these seven actions we will keep this virtuous cycle from being interrupted and ensure our relevance well into the future.