Internal Audit - An Evolution - Mazars - Ireland

The recent financial crisis has underlined the importance of Internal Audit and has placed the internal audit function at the heart of the key risks facing an organisation.

Internal auditors have to align their work more closely with Board priorities within a more robust risk and strategic management framework, and contribute more towards the effectiveness and efficiency of an organisation’s operations and activities. And we will have to be smarter about the way we do this as the organisations we work for will have fewer available resources.

Balancing success and risk

The primary purpose of any organisation is to be successful in achieving its strategic priorities, but preferably within a controlled risk environment. The various codes and guidelines that formulate our governance philosophies promote that boards should provide strategic leadership of the organisation with a framework of prudent and effective controls which enable risks to be assessed and managed. While it is acknowledged that for individual organisations risk appetites may vary, it is certain that the risk environment is constantly changing and this is especially true in the current economic climate. When Internal Audit is properly focussed and directed, the correct balance is struck between the management of strategic success and risk, and the benefits to the organisation are very tangible.

Evolving priorities

Over time an organisation’s appetite for risk will change or indeed the risk environment will change - Internal Audit should tailor its stance accordingly. In the recent economic downturn, organisations were less likely to take major risks. Boards and management would have wanted assurances on a variety of concerns across their organisation and Internal Audit was well positioned to support the Board and deliver on its requirements. During this time of economic volatility, an internal audit function’s approach would have focused more specifically on the efficiency and effectiveness of processes and operations while providing assurance to the board and management on their key concerns.

Raising the bar

But will this change in focus form the roadmap for how Internal Audit is utilised in the longer term? Probably not. But the lessons we have learned during this difficult economic period has forever raised the bar for those charged with governance, and indeed for Internal Audit. During the second half of 2010, Audit Committees have already started to report a return to a more normal risk management agenda, moving away from a sustained period of what can only be described as crisis management during a very severe economic downturn. This does not however mean returning to paying lip service to risk management efforts. Audit Committee agendas will now continue to include a more significant focus on an effective risk management framework to ensure that it concerns itself with those priority areas which might cause the organisation to fail in achieving its strategic objectives. Risk management efforts from the past have in most cases proven to be ineffective and there will now be a need for a deeper and more robust understanding of risk and related internal control design. And Audit Committees will look to the assurance functions, specifically the internal audit function, to monitor these priority risks and management controls in place to oversee strategic priorities.

Organisations will invest in the areas of governance, risk management and compliance, but this is not merely an exercise to bolster public profile. It will have to deliver value for money, and the internal audit function will contribute to assessing the value delivered. Critically, the internal audit function has not been in the direct firing line in a lot of organisations during the deterioration of our economy, but will certainly be seen as part of the solution. This has resulted in internal audit functions being redefined across every industry, and perhaps more significantly so in the banking sector where regulation has increased and there has been wholesale change effected at every level in the now primarily state-owned banks. There has also been a clear message that corporate governance needed to be renewed and strengthened after the crisis, not only to strengthen risk management and decision making, but in publicly funded entities to also regain public approval and trust. Internal audit is vitally important in this as regulation alone cannot guarantee the ethical behaviour of boards. Internal auditors will play an important role in promoting a culture of openness, enquiry and challenge.

New challenges

In addition to lessons learned from these recent changes in the economic environment, the current challenge for all businesses and organisations is to do more with less. Therefore finding more effective and efficient ways to operate without having to take unacceptable risks. This will impact on the approach taken by Internal Audit as auditors will be expected to contribute to identifying potential savings and efficiencies that can be gained, and to provide assurance that value for money is achieved. Fewer available resources to implement controls may also increase the risk profile of some audit areas as it may reduce the level of segregation or oversight. Organisations will seek to rely more on technology as part of the control environment which requires Internal Audit to be in a position to assess IT risks and controls. There has also been a sharp increase in fraud activity in the last three years, which can perhaps be attributed to a combination of greater incentive and increased monitoring of financial management and controls, in effect tightening the purse strings. Internal audit is seen as one of the key contributors to prevent and detect fraud, and for monitoring control design that would underpin the desired assurance levels.

Keeping pace

Internal Audit functions are now more committed to providing an assurance function that is aligned with business priorities. The role of Internal Audit has undergone significant growth and now includes a variety of requirements, including an increased focus on:

• management of risks and strategic priorities, with a view to provide assurance to the Board on its primary concerns and ensuring that a balance is achieved between strategic success and effective risk management;
• governance, to promote a more transparent and challenging culture in the organisation;
• effectiveness and efficiency of operations and value for money in the context of the organisation having to achieve more with fewer resources while still able to ensure that key risks are adequately managed;
• IT risks which will form part of most audit and assurance projects as a result of increased use of and reliance on technology.

Existing priorities such as compliance reporting and regulatory checks will however still feature on audit plans, which therefore suggest that internal audit functions will be under increasing pressure to deliver on its objectives with existing resources. And the internal audit function may not currently possess all the necessary skills and expertise to meet these expectations. This will mean rapidly filling those vacant positions with highly skilled and qualified resources, while also looking at outsourcing options to gain the necessary skills and experience. It will also require Internal Audit to redefine the way it does its work, including increased use of technology and tools and adopting a more risk based approach to ensure core audit time is allocated to key priorities. Internal Audit functions will continue to develop integration with other assurance functions, such as external auditors, risk managers and quality assurance functions, to ensure maximum efficiencies of the combined efforts of these functions.

The way forward

In summary, the recent financial crisis has highlighted a lot that was wrong in how we govern, manage and run our organisations. We have learnt some valuable lessons and the focus is now on a new agenda which encompasses more robust risk management, increased and more transparent governance, adequate control design and acceptable levels of assurance. Internal audit functions look across each organisation at the various functions that input into this framework and therefore have a key role to play in our economic future.

Profile summary:

Corné Mouton is a director in the Governance, Risk and Internal Control division in Mazars. He provides outsourced internal audit and compliance services and specialised advice to Boards and Audit Committees in the private and public sectors.

This article appeared in the March 2011 edition of Accountancy Plus.