Strategy Formation Nurtures Internal Audit Value

Internal auditing is vital to enhancing a company's long-term organizational performance. Continually monitoring compliance efforts enables a business to assess and handle its risks.
By Alyssa Martin | March 09, 2009
A sound strategy provides the foundation for all internal audit activity, including development of the internal audit function, audit planning and execution of regular audits. The organization gains considerable value from those activities.

The internal audit function provides the board of directors, audit committee and management with a means for monitoring risks associated with asset protection, loss prevention and compliance efforts throughout the organization.

Through assessing risks, illuminating needs for mitigation, providing assurance for operational compliance, and evaluating the effectiveness of internal controls, the internal audit function supports the organization's overall enterprise risk management objectives.

Internal audit findings enable the board of directors and management to make more informed decisions, thereby enhancing organizational performance. The internal audit department's monitoring and oversight activities also provide continual assurance to all stakeholders.

Forming an Internal Audit Strategy
Industry compliance statutes, stock exchange membership rules or other provisions imposed by an external regulatory or governance entity may require an organization to establish an internal audit function. While such requirements must be met, the internal audit strategy needs to be based on agreed-upon business strategies to be truly effective.

Each organization is unique and affected by various factors, such as its industry, products or services, market, the geographic locations of its operations and customers, the organization's risk appetite and its internal culture. Business strategies acknowledge those factors.

Business strategies also recognize that such factors vary in importance. With an internal audit strategy that recognizes such factors and their relative importance to overall business strategies, the internal audit function can play a crucial role in promoting long-term organizational growth and health.

The Internal Audit Charter Articulates Strategy
The internal audit charter articulates the internal audit strategy and provides direction for all related activities, including internal audit function development and management, audit planning and execution of audits. While specific structure and wording will vary among organizations, all internal audit charters should address the following elements and principles:
Purpose and Scope The internal audit function exists to provide objective assurance for the organization. In performing its services, the internal audit department needs to deploy a systematic approach in evaluating the effectiveness of risk management, governance and internal control processes. Such evaluations address processes and systems for
complying with relevant laws and regulations; processes and systems for safeguarding assets and verifying the existence of those assets; communication and interaction among various governance groups; comparisons of operations results to established goals and objectives; comparisons of operational plans to executions of processes; quality control and continuous improvement efforts.

Accountability and Oversight In larger corporations, the chief audit executive position typically has responsibility for overseeing the internal audit function on behalf of the audit committee. In other organizations, that duty can be assigned to the internal audit director. The audit committee is responsible for hiring that individual and reviewing that person's performance. In some organizations, a compliance and risk officer may also have responsibilities for assessing and mitigating risk.

The chief audit executive or other leader of the internal audit department has direct communication with the audit committee and must prepare and issue a report to appropriate individuals and parties following each annual audit. That individual reports on the adequacy of the internal audit department's resources, and also provides periodic assessments to the audit committee on internal audit activities and findings.

Independence and Objectivity While the leader of the internal audit function reports to a member of executive management at the administrative level, he or she reports to the audit committee at the functional level. This division provides the internal audit department a dual reporting and accountability relationship with executive management and the audit committee. This balance is important to maintain independence and objectivity. To further maintain independence and objectivity, the internal audit department cannot have operational responsibility over any of the activities it reviews, nor can it develop procedures, systems, or engage in any other activities typically subject to audit.

The internal audit department must be free from management suggestions or coercion regarding its activities and decisions, including audit timing and frequency, scopes of audits, and content of reports.

That independence enables the internal audit department to provide findings that are not influenced by conflicts of interest or any explicit bias.

Authority and Access The internal audit department needs to have full, unrestricted access to all organization activities, functions, physical property and records, and personnel.
For organizational support and to ensure open communication, through the chief audit executive or the internal audit director, the internal audit department must have full access to corporate management and audit committee. The internal audit department must also determine the allocation of resources, frequency of audits and techniques needed for audit activities.

Duties and Responsibilities The internal audit department must maintain a professional staff to meet audit charter requirements, and develop an annual audit plan using appropriate risk-based methodology. The internal audit department is responsible for implementing the annual audit plan, reporting its findings, and establishing a quality assurance program that monitors the effectiveness of current efforts and emphasizes the importance of continuous improvement.

The internal audit department needs to provide the audit committee with significant measurement goals and results for comparison. The department must also evaluate periodic changes and events that affect risks.

Professional Standards and Ethics The internal audit function needs to comply with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

The standards define basic principles for internal auditing, provide a framework for performing internal audit activities, establish a basis for evaluating internal auditing performance, and foster improved organizational processes and operations.

The overall standards incorporate specific standards for attributes, performance, and implementation. The institute's code of ethics also includes a code of conduct that emphasizes the importance of maintaining integrity, objectivity, confidentiality, and competency in all internal audit activities.

Importance of Strategy for Ongoing Internal Audit Activities
Organizations operate in dynamic environments that are continually subject to external change. Internal environments change, too, and the internal audit strategy needs to continually assess the risk potential that always accompanies change. Significant change scenarios that the internal audit strategy must adapt to include:

›New Organizational Structure An organization's structure may change, for example, from a partnership to a publicly-held corporation. Such a transition brings new compliance and governance requirements. In response, the company must implement related policies, processes and systems, along with necessary monitoring and oversight.

›Turnover Among Key Personnel Key individuals leaving the organization can signify a substantial loss in knowledge, talent and insight. People taking their places may possess considerable positive qualities, too, but require time to acclimate themselves to new roles and responsibilities, and to the organization itself.

›Implementation of New Technology While change management policies address introductions of major information technology hardware or software capabilities, difficulties unforeseen by the vendors or the information technology department may emerge in migrating financial and operational processes to that new technology.

›Mergers and Acquisitions Mergers and acquisitions require assimilating all of the differences that exist between two businesses into one cohesive organization. Even with careful preparation, such assimilation may require resolving differences not recognized during initial planning.

›Re-engineering and Restructuring Initiatives A re-engineering or other internal restructuring effort encompasses reorganizing business units and departments, reassigning individuals to new jobs and responsibilities, and devising new processes. While such a transformation delivers long-term benefits, it also requires implementing new practices and performance measures, as well as new monitoring and oversight activities.

›New Product Launches Introductions of new products or services may bring unanticipated challenges in producing or delivering those items, as well as uncertainty in how well those new products or services will be received by customers.

›Significant Financial Growth Substantial earnings or sales growth may create difficulties, too. Supporting such growth can strain the capabilities of existing equipment, facilities, information technology infrastructure, personnel and control processes. That can lead to setbacks that negate previous gains. The internal audit strategy also needs to incorporate quality assurance and continuous improvement activities. Such activities include assessing the efficiency and effectiveness of the internal audit department based on established standards; evaluating annual risk assessments; examining techniques and methodology used for testing controls; ensuring that audits and conduct comply with the Institute of Internal Auditors' standards and code of ethics.

Long-Term Benefits of Sound Internal Audit Strategy
A sound internal audit strategy provides the foundation for internal audit development and planning, and provides the direction for all internal audit activities, including annual audits. Based on that strategy, the internal audit function delivers considerable value to the organization.

Internal audit findings address a range of operational aspects and those reflected in financial reports. Those findings give the board and management greater context and a broader frame of reference to apply in evaluating financial statements.

While generating insight for evaluating current or past results, the internal audit function also plays a vital proactive role in enhancing long-term organizational performance. By continually monitoring risks associated with asset protection, loss prevention and compliance efforts, the internal audit department enables the organization to assess the likelihood and potential impact of a related risk.

Using enterprise risk management methodology, the organization can then determine how those identified risks align with the company's risk appetite, and determine what steps to take to mitigate any unacceptable risks. That allows the organization to respond effectively to change. That continual monitoring and oversight provides assurance and promotes confidence and trust among all stakeholders.

Alyssa Martin is the Dallas executive partner and the firm-wide partner in charge of the risk advisory services group at Weaver and Tidwell LLP. Reach her at (817) 332-7905 or (972) 448-6975.
Array ( [REDIRECT_REDIRECT_STATUS] => 200 [REDIRECT_STATUS] => 200 [HTTP_USER_AGENT] => CCBot/2.0 ( [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_IF_MODIFIED_SINCE] => Tue, 25 Sep 2018 17:56:54 UTC [HTTP_HOST] => [HTTP_CONNECTION] => Keep-Alive [HTTP_ACCEPT_ENCODING] => gzip [PATH] => /sbin:/usr/sbin:/bin:/usr/bin [SERVER_SIGNATURE] =>
Apache/2.2.15 (CentOS) Server at Port 80
[SERVER_SOFTWARE] => Apache/2.2.15 (CentOS) [SERVER_NAME] => [SERVER_ADDR] => [SERVER_PORT] => 80 [REMOTE_ADDR] => [DOCUMENT_ROOT] => /datadrive/websites/ [SERVER_ADMIN] => [SCRIPT_FILENAME] => /datadrive/websites/ [REMOTE_PORT] => 51354 [REDIRECT_QUERY_STRING] => url=articles/3314/strategy-formation-nurtures-internal-audit-value [REDIRECT_URL] => /app/webroot/articles/3314/strategy-formation-nurtures-internal-audit-value [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => url=articles/3314/strategy-formation-nurtures-internal-audit-value [REQUEST_URI] => /articles/3314/strategy-formation-nurtures-internal-audit-value [SCRIPT_NAME] => /app/webroot/index.php [PHP_SELF] => /app/webroot/index.php [REQUEST_TIME_FLOAT] => 1545231035.258 [REQUEST_TIME] => 1545231035 )