Adding Value to Internal Audits (#134)
/In this podcast episode, we discuss how to improve the results generated by internal audits. Key points made are noted below.
When you conduct internal audits, there’s going to be a report at the end, and that report contains findings and recommendations. How do you get the greatest implementation value from that report?
Selecting the Right Topic
Well, the first issue is making sure that you have the right topic that someone wants to implement. And this is the key issue in internal auditing – planning up front to do the right projects. Now, if you listen to the outside auditors, the only role of the internal audit staff is to monitor a “robust” system of internal controls. And of course, to help them conduct their annual audit.
But does that mean you’re adding value? Well, if the internal audit staff is doing work that reduces the workload of the outside auditors, and that reduces the fees of the outside auditors, then there you go – you’re adding value. But let’s get real here. First, the audit only happens once a year, or maybe there’s a quarterly review if the company is publicly held. So what does the internal audit staff do the rest of the time?
So let’s focus on that other part of the year when there’s no audit to support. And again, we’re talking about adding value. There are a few ways to do that. One is to take a bit of a different view of controls auditing. Rather than trying to create a “robust” system of controls, which I think means an “oppressive” system of controls, what about creating a “streamlined” system instead?
A Focus on Streamlined Controls
In this case, the trick is to not overload the company with too many controls. This is not easy, since you have to judge the risk of eliminating a control. But think of what that means to the concept of adding value. It means that the internal audit staff looks at the whole company not as a system of controls, but instead as a system of business processes that it should help make as streamlined as possible.
This doesn’t always mean eliminating controls. It could mean shifting them around or automating them so that they’re less intrusive. And think of how easy it is to implement a streamlining suggestion. Of course it will be installed. And that’s a way to add value.
The Internal Auditor Liaison
Another way to add value is to assign each internal auditor to be a liaison with a department manager. If you’re an internal auditor and you’re a liaison, that means you set up a meeting on regular basis to meet with that manager. Let’s say it’s once a quarter. And your job in that meeting is to listen to the manager and find out what kinds of problems there might be that the internal audit staff can help with.
By doing this, you reorient the concept of the internal audit function. Instead of turning up unexpectedly and rooting around for problems, you are asked to come in and help with a specific problem.
Now, there will be times when you do show up unexpectedly, especially if you’re investigating a report of fraud. But the rest of the time, with this approach, adding value is easy.
Addressing Risk
But it doesn’t mean that the internal audit department turns into some kind of public service function. There are some areas where there is risk, and you need to examine those areas from time to time. So this concept of adding value to internal audits – to some extent – becomes a scheduling issue.
You need to create a mix of reviewing high-risk areas, and doing fraud investigations, and so on with the work requests being funneled back through the liaisons.
The Internal Audit Feedback Loop
And the more work the internal audit does that’s being requested by the various department heads, the more it gains their confidence, and therefore the more requests they make, so you end up with this feedback loop that keeps increasing the types of projects that add value.
But again, you need to do the other types of work too. So this is where some marketing comes in. It might be useful to have an internal audit newsletter that goes out to the rest of the company. And in that newsletter, you talk about the ways in which the department has been helping the rest of the company, and talking about projects completed, and results achieved, and so on. This means that you’re making the company disproportionately aware of the department’s role in certain activities, while still fairly quietly working on other projects, too.
Follow-Up Audits
So far, I’ve been talking about adding value through the carrot approach – which is to make the rest of the company like you more. There is also the stick approach, where you tell senior management which departments have not been implementing your recommendations, and ask to have the offending people thumped on the head. If you follow this path, then there need to be follow-up audits to see if the initial recommendations were implemented.
The stick approach is not popular, but it is still needed. There will be times when you make an unpopular recommendation, probably to mitigate a risk, and it causes extra work. So of course no one wants to implement it. Still, it has to be done, and knowing that the auditors will come back later to check on the situation is important.
So, does this carrot approach of streamlining controls and helping departments essentially turn the internal auditing department into an internal consulting department? To an extent, yes. But it’s just a matter of emphasis. The overall mission of the department remains the same, but it’s easier to add value to the work it does. And keep in mind that you need to mix in the stick approach too, to make sure that the tougher recommendations are also implemented.