An expanded view of integrated auditing means combining internal audit with all of the second lines of defense
Integrated auditing isn't a new idea. Organizations have tried to bring together specialized audit areas, such as finance, operations, and IT audit, and others for a long time. They realize that leveraging these areas into a single audit can not only make the audit process more efficient, but the crossover and sharing of knowledge can provide better insights into the key risks of the function or process being audited. Now, companies are pushing further into integrated auditing to integrate more of the second lines of defense, including such areas as risk management, fraud, and compliance.
In the latest edition of our video series "MISTI on Audit," Joel F. Kramer, vice president of audit curriculum at MIS Training Institute, talks about the benefits of integrated auditing, how he sees it evolving, and some of the challenges along the way to achieving fully integrated audits.
"Integrated auditing started many years ago when we decided as a department that when we went to do certain audits it would be good if we could combine our IT auditors with financial and operational auditors and look at the entire organization or function at once," says Kramer.
He says some companies are starting to take a more expansive view on the idea of integrated audit, one that he supports. "Where we are going now with this, as I see it, is combining internal audit with all of the second lines of defense," says Kramer. "It involves combining the SOX people, the compliance people, the fraud people, the risk people, the ethics people, as well as the internal audit people to look at risks and ensure that we have the right controls against these risks. If you can look at it with one seamless team rather than continually coming back to re-audit the same people, it can be more efficient and effective."
"The major benefit is that you look at an area—be it a subsidiary, a function, a process—you are looking at it comprehensively as one group," says Kramer. "And it's even more important if you bring the SOX people, the compliance people, the fraud people, etc., and you look at it as one team and we address risks with the group just once rather than repeatedly coming back to it."
Integrating auditing does have some drawbacks and may not make sense in larger organizations where each discipline needs to be highly specialized. "On the drawbacks side, I think that for a period of time it is a very comprehensive requirement of communication and effort from the audit team," says Kramer.
When it works though, it can help audit departments do more with less. "It just makes sense," says Kramer. "It's not easy to get there; it's a quantum leap. It involves integrating the second and third lines of defense, but the results can be terrific to the organization."