How to establish a progressive internal audit program that covers all the bases

Larry Rieger, CPA, Partner, Crowe Horwath LLP

The internal audit: It’s a necessary part of conducting business that, done right, can at once assess operations, identify areas for improvement, manage risks and help maintain compliance. Now more than ever, audit committees, chief financial officers and other stakeholders need greater assurance that internal controls and risk management procedures are effective and efficient.
Internal auditors can help restore stakeholder confidence and reduce the cost of the audit process by adopting four key principles of a more progressive internal audit model, says Larry Rieger, a partner at Crowe Horwath LLP.
Smart Business spoke to Rieger about deriving greater value from an internal audit function that is more central to building financial and operational excellence with confidence.
What are the main concerns that may not be addressed by current audit models?
Crowe Horwath LLP and partner organizations commissioned a set of three surveys to determine whether companies’ internal audit groups were meeting current business needs. In the survey, stakeholders indicated that internal auditors excelled in reviewing financial controls and transactions and testing past events; what was lacking was the ability to inform stakeholders of the company’s current status and what should be done to improve in the future.
Most audit committee members (75 percent of the respondents) echoed the stakeholders’ concerns by stating that risk management practices were an integral part of a company’s ability to avoid and/or plan for surprises. The ideal audit model would not just provide for traditional compliance audits but would address these concerns surrounding assurance, business performance processes and risk management efforts.
What specific changes should internal audit departments make?
Auditors will need to be smarter about where they spend their time by relying more on automated tools and using workflow methods that allow them to focus on the high-level controls.

  • Leveraging the work of others is one way that internal auditors can be more efficient with their processes and time. They can rely on the monitoring metrics and reporting that business managers are already using to manage their operations. Internal auditors can determine which of these reports they can accurately use during assurance audits and home in on the areas where problems are indicated.
  • When businesses are better managed, process owners can be held accountable for developing and owning controls at the business level and the internal auditors are unburdened. Internal auditors are then able to focus more on the principles of the new internal audit model.
  • Audit executives must focus resources on the constant review and enforcement of the four principles. Managing resource demands wisely allows for internal auditors to address areas of high and emerging risk while also providing continuous coverage to the principles of the new audit model.

 
What are the four principles of a progressive internal audit model?
Compliance: This traditional internal audit role can be streamlined through closer collaboration with management. Audit departments can save time and resources when testing past events and transactions to determine compliance with laws and regulations by taking advantage of reports that managers already use to monitor controls in their unit.
By relying on the work of business unit managers as a starting point, auditors can focus on the issues that are red-flagged during the audit of the control processes. For example, reports generated by a business’s IT department can help auditors to determine whether control processes in place sufficiently safeguard security and adequately provide for an appropriate segregation of duties.
Assurance: Continuous monitoring systems generating real-time reports allow anything outside the bounds of tolerance to be detected as early as possible. By regularly reviewing control reports generated by a system, auditors can provide a level of continuous assurance that supports stakeholder confidence that everything is under control at all times. For example, if expenses in a certain business unit are out of line, the monitoring system at the business-unit level would send an e-mail to the appropriate person. Or, the accounts of delinquent customers could be flagged so that no new sales would be made to those customers.
While a continuous monitoring system does require an upfront investment, it pays off by lessening the burden on the internal auditors’ resources, allowing them to focus on the high-level items.
Business performance improvements: An area that is often lacking in the audit function is the ability to actually improve business operations. By identifying problems, and then taking it a step further by recommending ways to improve, the internal audit can and should add value to the organization as a whole. Comparing their reports to benchmarks and best practices, auditors have the knowledge to support such recommendations as shifts in resources or operating procedures, or new technology investments.
Risk identification: Again, auditors can tap into information that already exists in business units — this time regarding each unit’s own risk-management activities that are already in place. This makes the process of ongoing monitoring of risk less time-consuming and more integrated. Key risks are always changing; stakeholders require as much knowledge as possible concerning the company’s risk exposure as a whole within a business environment that is constantly in flux.
Larry Rieger, CPA, is a partner at Crowe Horwath LLP. Reach him at (214) 574-1000 or [email protected].