Eight Steps Internal Audit Should Take to Aid Risk Management

This is Part II – Risk Management and Monitoring of a revised six-part series on the internal audit value chain (IAVC).

“According to the IIA, Internal audit can serve as a disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks, while factoring the rapid pace of evolving risks.” 

Initial publication – June 27, 2018. Updated – May 15, 2020.

Whenever it comes to talking about internal audit’s role in risk management, things always get a little dicey. Everyone agrees that internal audit has a vital part to play in risk management, but just where to draw the line is still a controversial topic. Some think internal audit should play a lead role in risk management, setting the risk management agenda, providing assurance, insights, and advice to management on risk issues while collaborating in a consulting capacity to help the organization achieve objectives. Others take a more purist position, stating that internal audit should only be there to audit the risk management function.

It’s not surprising. There are widely divergent views on the job of internal audit in general. As an internal auditor, I often ask clients and stakeholders what they believe to be my role. The answers tend to vary widely depending on the maturity level of the client’s internal controls environment. Some see internal audit mainly as the function in charge of Sarbanes-Oxley (SOX) and Office of Management and Budget (OMB) compliance, while others say that it is to uncover fraud or malfeasance. The one standard reply, however, that internal auditors are the “controls experts,” rarely changes. I wonder what responses these clients and stakeholders will provide as answers to the same question post-COVID-19.

That makes me ponder. Where did I fail in educating clients and stakeholders about internal audit’s roles and objectives?

If stakeholders have a narrow and incorrect idea of the problems we solve as internal auditors, what are we doing collectively to change that perception?

This well-known quote by psychologist Abraham Maslow illustrates how easy it can be to incorrectly define a problem: “If the only tool you have is a hammer, then every problem looks like a nail.” If stakeholders view internal auditors as only “control experts,” then I can correctly rephrase Maslow’s quote to say: “If our only tools as internal auditors are controls, then every problem looks like a potential risk.”

If we want to think more broadly and completely about the role of internal audit in risk management, we need to think beyond controls. The unprecedented impact from COVID-19 emphasizes the need for internal audit to view problems as potential risks (emerging and evolving risks) and think beyond controls. Internal audit must proceed with caution. Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management. In the process of adding value by helping management solve problems they recognize as vital, internal audit can provide support without compromising its independence.

  • Understanding your organization’s strategic objectives is a starting point.
  • Providing support for management to identify and mitigate risks that impact the accomplishment of your organization’s strategic goals and objectives is the next logical step.
  • This is the first step towards performing audits and reviews that matter.

So then, what tools are required for the modern internal audit function to help management and the Board of Directors navigate the volatile and complex risk environment to create value?

In Part – 1 of the Internal Audit Value Chain (IAVC) – “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I provided justifications for internal auditors to think in the context of a “value chain” and the steps required to maintain that “value creation” objective as a starting point. Creating value is not enough.  Steps must also be taken by internal audit to help their management teams to “capture value” and “sustain value” for the organization. This requires an End-to-End (E2E) internal audit value chain mindset. 

The internal audit risk management toolbox should include the following to support management, and your organization to succeed without compromising its independence:
• The identification of risks (include emerging risks and factor the pace of rapidly evolving risks)
• The prioritization of risks (avoid being blindsided from risks exposed by pandemics like COVID-19)
• The evaluation of the underlying processes, systems, and management’s capabilities to manage risks
• The design and implementation of internal controls to mitigate risks (especially strategic risks)
• The continuous monitoring and evaluation of controls to determine their effectiveness in mitigating risks

These are essential ways we can create value as internal auditors and help our management teams to capture the value and sustain value. This is how clients and stakeholders should define our roles as “control experts.”

The Internal Audit Value Chain (IAVC)

It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization.  In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Strategic direction and alignment
  2. Risk management and monitoring
  3. Operational efficiencies to include Continuous Process Improvement (CPI)
  4. Quality and compliance
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.

It’s essential to keep in mind that these priorities are not static and vary as enterprise objectives and needs evolve. In this article, Part two, we are looking, as you have now guessed, at risk management and monitoring.

In the Institute of Internal Auditors’ Internal Auditor publication, “Optimizing Internal Audit,” I defined risk assessments as they relate to ongoing organizational activities to include: an understanding of internal audit priorities that drive annual audit plans and information obtained and evaluated by internal auditors from continuously interacting with stakeholders. Internal auditors simply must have a strong understanding of the macro and micro risks and emerging risks impacting their respective organizations.

Eight Steps to Navigate Volatile Risk Environments

There are eight primary steps internal audit teams can take in collaboration with stakeholders to identify and mitigate emerging and evolving risks that could have a significant impact on their organizations if ignored. They include:

1) THREE LINES OF DEFENSE COLLABORATION: There are many adaptations of the three lines-of-defense (LOD) approach to involve business lines, risk management, and compliance and audit team collaboration in identifying and managing risks. KPMG provided an excellent example of collaboration in a white-paper by Doron Telem titled “The Three Lines of Defense: Making the Transition to a Mature Risk Management Model.” In the paper, Telem asserts that such collaboration, “could entail workshops with management, as well as some external expertise and interviews (including with non-management individuals) to ensure as many issues as possible have been considered.”

I prefer consulting the IIA position paper, “Three Lines of Defense in Effective Risk Management and Control,” as the baseline. The IIA paper acknowledges the unique factors impacting every organization that must be considered in coordinating the three LOD duties and the underlying role of each group in the risk management process.

For a recap of the three LOD:
• The first LOD consists of department managers who are the owners of risks.
• The second LOD consists of risk management, control management, and compliance professionals with limited independence identifying and mitigating risks.
• The third LOD consists of risk assurance professionals with greater independence, such as internal audit reporting to the audit committee or other governing body.

Before assigning any Manager as a “risk owner,” steps must be taken to validate that a risk owner has the technical skills to understand the dynamic nature of the risks assigned to them. If a Manager began as a bank teller say 30 years ago, for example, and excelled through promotions into leadership positions, assigning key risks to such a Manager without evaluating his or her skills in the context of the current operating environment would be significantly risky. The threats to banking have evolved a great deal during the past 30 years.

The IIA paper concludes that all three lines should exist in some form at every organization, regardless of size or complexity. A modified version of this framework is needed to include lessons learned from COVID-19 for any organization, including government agencies and institutions, to identify and mitigate risks effectively.

2) EFFECTIVE RISK MANAGEMENT METHODOLOGY:  According to the IIA’s 2018 North American Pulse of Internal Audit report, Chief Audit Executives (CAEs) need to position internal audit to be an internal disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks.  According to the IIA’s 2019 report, “over the past decade, the speed at which risks emerge and evolve has accelerated dramatically, compelling organizations to adopt new strategies and reorder priorities to survive and thrive in an increasingly complex risk environment.”

An objective methodology should be used to evaluate and prioritize risks in the context of the organization’s strategic direction. The process should be simple, ongoing, and provide flexibility and agility to make timely changes as new information becomes available. A comprehensive risk assessment methodology should include mitigation strategies in the context of the organization’s resources, culture, processes, technology, and risk tolerance.

Can internal audit adopt a simple risk management framework that provides flexibility to address emerging and evolving risks and the agility to adapt to the changing business environment?  Complexity is the enemy.

To demonstrate its end-to-end value creation, value capture, and value sustainment capabilities, internal audit must focus on simplicity and sustainability. Internal audit can’t provide complex solutions towards addressing complex risk management challenges that are emerging and evolving at an accelerated pace.

3) ESTABLISH CLEAR ROLES AND AUTHORITY:  How much authority does the Operational Risk Management (ORM) function and the Chief Risk Officer (CRO) have in influencing critical decisions at your organization?  For big organizations, ORM is a highly specialized function requiring complex data analysis and modeling skills with the responsibility to identify and monitor risk exposures against tolerance levels.

Executives, committees, and business unit managers making key decisions might not view risks through the same lens as ORM experts. Could there be instances when ORM predicted an incident but lacked the authority to mitigate the risks? It happens all the time.

Small organizations do not need formalized ORM and CRO functions. However, there must be an independent process with adequate oversight responsibilities to identify and prioritize risks and address challenges related to emerging and rapidly evolving risks. Any disconnect between ORM or risk management oversight teams’ conclusions and management decisions creates challenges for an independent function such as internal audit.

4) CONTINUOUS MONITORING AND ASSESSMENTS: I have always wondered why the concept of continuous auditing and monitoring is frequently discussed by internal audit practitioners but not often implemented. Plenty of literature exists on this topic. A Deloitte white-paper, “Continuous Monitoring and Continuous Auditing: From Idea to Implementation,” for example, covers this topic in great detail. The paper provides two critical explanations as to why few organizations implement continuous monitoring and auditing.

  • First, management has not seen a clear, strong business case for establishing either continuous monitoring or continuous auditing in their organizations.
  • Second, management lacks a clear picture of how continuous monitoring and auditing would be implemented.

Internal audit should develop a strong business case and provide a clear picture for management to decide on continuous monitoring and auditing.  Given the increasing threats and dynamic nature of risks confronting many organizations, an inflexible or static “annual audit plan and risk management” approach will not provide the responsiveness needed for internal audit to change course, and help management identify and mitigate risks (including emerging risk and rapidly evolving risks) quickly.  Did the organizations that implemented continuous monitoring and auditing respond and adapt better to the COVID-19 challenges? My instinctive answer is, yes.

5) TEST HIGH-RISK CONTROLS, PROCESSES, AND FUNCTIONS: Performing audits and reviews that matter is a critical value-creation step for internal audit.  If it does not impact strategy, does it matter? My instinctive answer here is no.

If the cost of implementing a given control should not exceed the benefits of that control, then some element of prioritization is needed to determine which controls to test and when. Internal controls that mitigate key risks to the organization across various business functions are the logical places to start. Management and internal audit can use other subjective factors, including operational or compliance needs, to determine other areas in which to perform Test-of-Design (TOD) and Test-of-Operating Effectiveness (TOE).

Using limited resources to perform extensive TOD and TOE without a focused approach on risks and strategy implications is not ideal. With adequate planning and emphasis, TOD and TOE remain critical tools for internal audit to use in navigating volatile risk environments. Findings from controls testing or Continuous Process Improvement (CPI) projects create value if recommendations are provided timely and appropriately documented in a way management can understand. This speeds up corrective actions, enabling management to make critical decisions to “capture value” and “sustain value.”

6) CONSENSUS ON FINDINGS AND RECOMMENDATIONS: For any collaboration to be expected from management and executive leadership, internal audit should have obtained their blessing on which areas to review as part of annual or periodic audit planning. Perform audits and reviews that matter. For the three lines of defense to function appropriately, stakeholders—including ORM and CRO—must collaborate extensively during the audit planning, execution, reporting, and remediation phases. Without this level of participation, internal audit will run into several roadblocks along the way to navigating volatile risk environments. The interpersonal, problem solving, communication, and technical skills of the internal audit team are the foundations of any effort to obtain consensus on findings and recommendations.

7) FOSTER A POSITIVE CORPORATE CULTURE AND TONE: Quantifying and qualifying the impact of failures of culture and tone, if not adequately addressed, are near impossible in the long term. Consistent shortcomings stemming from poor tone, sub-culture clashes across different functions within an organization, lack of skills to identify and mitigate key risks, and inability to implement continuous monitoring and adequate oversight are a few examples that could expose an organization to significant risks and losses.

Internal audit will see these dynamics at varying levels while executing our missions. Failures to accept the reality and risks associated with these problems can be directly linked with the inability of the internal audit function to navigate volatile risk environments to create value, capture value, and sustain value.

8) EXCESSIVE RISK-TAKING: There are no easy solutions for regulators to effectively enforce regulations across industries to protect consumers and create desired outcomes. Regulators are often behind the times or allow loopholes—often temporary—in the enforcement of regulations.  Management will often use these loopholes, or the “everyone is doing it” rationale to justify excessive risk-taking. Internal audit must understand external factors and loopholes used by management to obscure the true risk landscape and implement adequate processes to identify and mitigate risks.


Conclusion

While these eight steps are not the totality of internal audit’s role in helping the organization identify and manage risk, they provide a reliable roadmap for internal audit to navigate the volatile and complex risk environment and create value for the organization along the way.

Executives and managers should empower risk management and internal audit teams to help quickly identify risks, prioritize risks, evaluate the underlying process and systems related to risk management, and assess the design and implementation of internal controls to mitigate risks. Significant risks must be identified, and mitigation strategies and controls implemented promptly to avoid financial losses and reputational damage.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

How Internal Audit Can Add Value by Pursuing Efficiencies

This is Part III – Operational Efficiencies of a revised six-part series on the internal audit value chain (IAVC).

Management should empower business unit leaders and internal audit teams to continuously challenge the status quo, starting with mission-critical activities to drive operational efficiencies.

Initial publication – September 23, 2018. Updated – May 15, 2020.

There are few efforts company leaders love more than a little old-fashioned belt-tightening. Well-run companies are on a constant campaign to trim the fat, cut out the deadwood, streamline operations, and get things humming along at a smoother pace. The textbook version of this concept is called “achieving operational efficiencies.” Like most initiatives worth pursuing, there is a significant role for internal audit to play in helping the organization achieve a leaner, meaner, and better version of itself. In fact, what corporate function is more equipped to weed out operational inefficiency than internal audit? Let me provide a few reasons.

  • Internal auditors have the skills to expertly assess processes,
  • The knowledge of the business functions and operations to understand how things fit together,
  • The proficiency in analyzing big data, and utilizing a risk-focused approach to audit what matters,
  • The distance and independence to evaluate problems with an open mind, and
  • The discipline to make recommendations in a thoughtful, organized way.

Here’s another benefit that internal audit brings to the efficiency table: Trimming the fat can occasionally cut into the bone, removing layers of needed redundancy or oversight.  However, internal auditors, with their expertise in controls and risk management, are better equipped than most to ensure that the pursuit of operational efficiency doesn’t leave a company exposed to potential fraud and abuse, or too thin to adapt and respond to the changing environment or take advantage of opportunities.

The unprecedented challenges from COVID-19 disrupted businesses globally across every sector as of February 2020. Some organizations have responded to the difficulties relatively well, while others continue to struggle. Why? The efficient use of resources and technology provides management with the flexibility to pivot and the agility to quickly reallocate resources to respond to the pandemic efficiently. Such organizations typically have well managed Continuous Process Improvement (CPI) projects, enhanced processes, and lean operations. An essential function of internal audit is to foster improved organizational processes and operations. Reviews are performed in line with the applicable Institute of Internal Auditors (IIA) standards to evaluate the effectiveness and efficiency of operations and programs.

There is no other independent and qualified function within an organization to provide an objective opinion of an efficient or inefficient operation and promote continuous improvement than internal audit. This continues to be part of the “new normal” since the disruptions and challenges from the COVID-19 pandemic.

The push to do more with less is driven by expectations from customers for increased product and service quality and reliability at competitive rates and reduced costs. In the long term, customers will not care how a pandemic like COVID-19 impacts an organization. Internal audit teams simply must do their part in helping management create value, capture value, and sustain value to achieve goals through operational efficiencies.

The Internal Audit Value Chain (IAVC)

It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization.  In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Strategic direction and alignment
  2. Risk management and monitoring
  3. Operational efficiencies to include Continuous Process Improvement (CPI)
  4. Quality and compliance
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.

It’s essential to keep in mind that these priorities are not static and vary as enterprise objectives and needs evolve.  This installment, part three, addresses, as you have now guessed, operational efficiencies as a critical means for internal audit to create and sustain value by helping management implement efficient processes. They do this by

  • standardizing certain tasks,
  • reducing complexity,
  • eliminating non-value-added steps, and avoiding unnecessary duplication of efforts,
  • defining business requirements, managing CPI projects, and
  • selecting and implementing the right technologies.

Technology Implications

Indeed, technology is a frequently used tool to drive operational efficiencies. Process automation software, Robotic Process Automation (RPA) initiatives, and other applications, for example, are often used by big and small businesses globally. These products facilitate business communications, management of projects, and various initiatives effectively and efficiently. Yet automation is not always a silver bullet for increasing efficiency.

I often consider this quote by Bill Gates when discussing operational efficiencies with clients: “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency.” The best part of the quote follows: “The second is that automation applied to an inefficient operation will magnify the inefficiency.”

Internal audit plays a critical role across all line-of-business (LOB) functions to help management magnify the impact of efficient operations—those that help the company meet customers’ needs, reduce costs, and increase profitability—and minimize the effects of inefficient operations—those that are poorly designed, needlessly increase complexity, hinder decision making, and obscure performance. Such inefficient operations can be compounded by inappropriate use of technology, resulting in significant cost and the inability to respond to a pandemic like COVID-19. Technological inefficiencies can result in fraud, waste, and abuse.

If internal audit is creating value by auditing what matters, then the right technology or technologies must be adopted—driven by the nature of problems we are assisting management in solving.  Technologies are not selected and approved strictly from an internal audit perspective, such as the tools to plan, execute, and report on various audits and reviews. Such a selection approach means so little to the functional managers we support.  The right technology should focus on the following:

  • What type of information does internal audit need from the business to review and add value?
  • What is the best technology to obtain, evaluate, and analyze this information?
  • What output could internal audit provide from using this technology?
  • How will the output help management to create value, capture value, and sustain value?
  • What trends does internal audit see from analyzing data and highlight issues to facilitate meaningful conversations with management?
  • How could the output from internal audit help management and internal audit gain insights to effectively resolve critical problems and perform deep dives to review what matters to management?
  • What should internal audit and management do differently DURING and post-COVID-19?

Eight Steps to Drive Operational Efficiencies


In the article, “Optimizing Internal Audit” from the IIA’s Internal Auditor publication, I highlighted that internal auditors, armed with knowledge about the organization’s strategic direction and overall risks, can apply basic operational audit principles to drive results. Recommendations for cost-effective and sustainable solutions that reflect the context of the industry and issues unique to the organization (customer needs and mission-critical activities) should be foremost areas to drive operational efficiencies. Internal auditors should perform reviews to determine the required training and skills across functional areas and assess the use of optimal processes and technologies to achieve and sustain operational efficiencies.

There are eight primary steps internal audit teams can apply throughout an organization in collaboration with stakeholders to help management create, capture, and sustain value through operational efficiencies. They include:

1) PRIORITIZE CUSTOMER NEEDS AND EXPECTATIONS: Finding and retaining customers is the lifeblood of any organization. Internal audit reviews to evaluate the effectiveness and efficiency of operations and programs should begin with how the organization meets and exceeds customers’ needs and expectations effectively and efficiently. Some factors to consider include, but are not limited to, the following:

  • What known and emerging risks could significantly impact the organization’s ability to meet and exceed customers’ expectations?
  • What trends or data, and tools can internal audit use to evaluate the pace of emerging and evolving risks and how that impacts the organization from meeting changing customer expectations?
  • How could the organization provide quality products or services during a disaster when operations are impacted at one location or multiple locations?

Other essential factors in evaluating the effectiveness and efficiency of operations include, but are not limited to, the following activities:

  • product and service quality and reliability, including quality controls,
  • product and service mix and pricing, and
  • responsiveness to customer complaints, product recalls, and service interruptions.

These are examples of mission-critical activities with significant risks and costs to the organization if not managed properly and should be at the top of the list of internal audit operational review priorities.

2) EVALUATE AND IMPROVE HUMAN CAPITAL REQUIREMENTS: If keeping customers happy is the top priority, then finding and retaining qualified employees is critical to achieving that goal. How an organization recruits, selects, and retains employees is central to the success of its operations and its ability to create, capture, and sustain value with limited resources. An understanding of the enterprise-wide hiring and retention processes in the context of organizational goals and strategies is vital for internal auditors to evaluate operational effectiveness. This includes assessments to determine if current tasks can be performed better, faster, and cheaper without compromising customer and public expectations, cost, quality, and regulatory requirements.

Such reviews provide internal audit with visibility to staff and management skills (including strengths, weaknesses, and gaps) throughout the organization.

Internal audit independence should never be compromised by performing core management activities. Internal audit can, however, leverage enterprise knowledge to provide management with recommendations to improve resource strategy by evaluating critical skill requirements of the organization such as (a) how it finds qualified employees and managers to fill needs, and (b) how to get the highest-quality work by providing the right incentives, work environment, and tools to meet the organization’s objectives.

Investment in a skilled workforce that can function within the dynamic nature of the organization’s business environment and maintain lean operations is critical. Factors to consider include, but are not limited to, the following:

  • Do the existing policies and procedures provide clarity and guidance on how staff and contractors can work onsite and offsite?
  • Have these policies and procedures been updated to guide remote work teams during COVID-19?
  • What challenges emerge when staff trained to work on-site to process transactions and retain evidence must now access critical data remotely to handle the same transactions offsite and maintain evidence digitally?
  • How could such a sudden transition impact current and future audits, reviews, and examinations?

3) CONTINUOUSLY IDENTIFY AND MITIGATE EVOLVING RISKS: Three core risks can impact operations:

  • Risks to customers – internal and external factors that could prevent the organization from meeting customers’ needs and expectations.
  • Risks to employees and stakeholders – internal and external factors that could radically change how cross-functional teams collaborate to deliver products and services within cost and quality parameters.
  • Risks to organizational continuity – internal and external factors impacting operations across multiple locations, and the organization’s ability to quickly adapt and respond to those challenges.

Note: Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management. In the process of adding value by helping management solve problems they recognize as vital, internal audit can provide support without compromising its independence.

It is important to note emerging risks associated with these three categories, and how current risks evolve, and the pace at which these risks evolve.  Internal audit must also understand the potential conflicts that can arise across business functions and operations when mitigating risks. Internal audit must understand the evolving regulatory landscape that could impact operations and provide guidance for management to implement adequate steps to prevent the following:

  • Regulatory violations that could result in fines,
  • Enforcement disruptions,
  • Unplanned disruptions from natural disasters and pandemics like COVID-19,
  • Reputational damage, and
  • Class action lawsuits.

4) PROVIDE A PLATFORM TO EXECUTE CONSISTENTLY AND DELIVER SUSTAINED PROFITABILITY: Designing and implementing efficient processes, systems, and tools is a challenge for many organizations. Training employees and documenting policies and procedures to guide consistent execution is another challenge. Internal audit can help functional managers re-engineer critical business processes to eliminate fraud, waste, and abuse and deliver improved financial performance. Examples of such initiatives include those that focus on:

  • Continuous Process Improvement (CPI),
  • improving inventory management,
  • reducing cycle times,
  • increasing speed and accuracy of transaction processing, and
  • minimizing human intervention by automating efficient operations.

They also include asset management reviews, information technology assessments, and reviews to reduce product defects and improve quality controls. Such activities have the benefits of enhancing the organization’s ability to respond to an unprecedented pandemic like COVID-19, minimize customer complaints, improve productivity, reduce cost, and increase profitability.

5) ACHIEVE AND SUSTAIN MARKET DOMINANCE: How well an organization executes its strategy impacts how quickly it can achieve and sustain market dominance. To create value, internal audit must identify and resolve strategic misalignment problems in a timely manner (IAVC Part I – Strategic Alignment). That is the first step for internal audit to create value, and continue to help management capture and sustain value by assisting with the following: responding to customer needs and expectations, productively engaging employees, managing risks, addressing shareholder requests, and improving profitability. For government institutions, internal audit should play a role in assisting management with the stewardship and accountability of taxpayer resources. Internal audit can help the organization maintain market dominance by fostering an environment of continuous innovation.

I must stress internal audit independence should never be compromised by performing management tasks. Internal audit can, however, assist management in achieving market dominance through operational efficiencies without compromising its independence.

6) CHALLENGE THE STATUS QUO AND CONTINUOUSLY INNOVATE: Achieving operational efficiencies throughout an organization is not a static goal. Many organizations have achieved operational efficiencies that resulted in market dominance and significant profits over the short term but eventually failed over time. Some profitable organizations might not recover from the COVID-19 disruptions.  That is because they became unsuccessful at innovating or adapting to the changing environment after an initial success. Internal audit frequently interacts with stakeholders throughout the organization. It has the expertise to help management challenge the status quo through Continuous Process Improvement (CPI), and adapt by fostering innovation and achieving sustainable growth critical to the long-term survival of the organization.

According to the PwC 2018 State of the Internal Audit Profession Study: Moving at the Speed of Innovation, internal auditors can serve in this valuable capacity only if they themselves are innovating. Internal audit must acquire new skills to perform operational effectiveness reviews and test controls mitigating risks related to new technology implementation and technology-driven processes.

Without innovation, internal audit might fail at creating value for the organization, and be unable to help management capture and sustain value through operational efficiencies.

7) CREATE A CULTURE OF EFFICIENCY AND CONTINUOUS IMPROVEMENT: Culture cuts across every aspect of the organization. Internal audit plays a critical role to identify and help stakeholders implement aspects of corporate culture that are conducive to continuous monitoring, provide guidance to develop a culture of problem solvers, and achieve operational efficiencies. A corporate culture that encourages shared successes provides the right incentives as teams continuously adapt to customer needs and expectations. It speeds the process to evaluate evolving risks and changing regulatory environments—critical steps towards achieving and sustaining operational efficiencies.

8) MONITOR PROGRESS: The right Key Performance Indicators (KPIs) and metrics, together with close attention to Key Risk Indicators (KRIs), are vital tools for management and internal audit to evaluate progress. Data collected and analyzed over time provide early alerts to areas impacting strategic goals. Internal audit can use this data (KPIs, metrics, and KRIs) to perform deep dives (plan and execute audits and reviews that matter) to understand the root causes of operational inefficiencies, and provide recommendations for management to monitor performance and make timely adjustments.

The New Normal

While these eight steps are not the totality of internal audit’s role in helping the organization achieve and sustain operational efficiencies, they provide a reliable roadmap for internal audit to collaborate with management—without compromising its independence—and create value, capture and sustain value for the organization along the way.

The reality of coping with the “new normal–doing more with less” existed pre-COVID-19 and will remain the same post-COVID-19. That means internal audit must do more to help management, without compromising its independence, address the fundamental features of the organization, such as customer service, human capital, strategy alignment, and risk management, and periodically review the effectiveness of Continuous Process Improvement (CPI) initiatives. These are value-added steps rather than just focusing on the traditional, financial-based internal audit tasks. Executives and managers should empower business unit leaders and internal audit teams to continuously challenge the status quo, starting with mission-critical activities to drive and sustain operational efficiencies.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

How Internal Audit Can Add Value by Boosting Quality and Compliance

This is Part IV – Quality and Compliance of a revised six-part series on the internal audit value chain (IAVC).

The emphasis on product and service quality is even more critical as organizations across the globe scrambled to respond to the unprecedented disruptions from COVID-19.  “Quality is Everyone’s Responsibility.”

Initial publication – January 15, 2019. Updated – May 15, 2020.

Quality is such an essential aspect of achieving success in business that several companies include it in their company slogans. We all remember Ford’s motto, “Quality is job one,” or the window company that implores us to, “Come home to quality; come home to Andersen.” Some companies go a step further and emphasize quality by putting it right in the name of the company, such as Quality Inn, Quality Branded (the company that owns the steakhouse chain Smith and Wollensky), and Quality Technology Services. Here’s a fun fact: the “q” in the cotton swab brand Q-tip actually stands for quality.

The emphasis on product and service quality is even more critical as organizations across the globe scrambled to respond to the unprecedented disruptions from COVID-19. Can an organization successfully react to unplanned events if product and service quality are not baked into the company’s culture? The answer is no. To deliver on the quality expectations, all internal compliance requirements must be met. This is one area where internal audit can help management to create value, capture, and sustain value.

However, you don’t need to be an MBA to understand that quality is a critical aspect of any organization that provides a product or service. Lack of consistency in delivering quality products and services will result in consumers moving to competitors. This quote from Ronald Reagan, who was writing on the virtues of free-market capitalism, captures the ideal concept of how internal audit should view quality: “Consumers, by seeking quality and value, set the standards of acceptability for products and services by voting with their marketplace dollars.”

Quality and compliance are critical for an organization to execute its mission and win over customers. Quality and compliance are even more critical as an organization adapts and responds to the changing business environment.  Since internal audit strives to audit what matters, then quality should be vital to internal audit as well. Indeed, keeping a close eye on quality—and its near cousin compliance—is an essential component of the Internal Audit Value Chain (IAVC).

The Internal Audit Value Chain (IAVC)

It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization.  In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Strategic direction and alignment
  2. Risk management and monitoring
  3. Operational efficiencies to include Continuous Process Improvement (CPI)
  4. Quality and compliance
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.

This part four installment addresses, as you have now guessed, quality and compliance as a critical means for internal audit to create value, capture, and sustain value by helping business units, management, and other stakeholders achieve improvements in these vital areas.

It does this by evaluating the effectiveness of quality programs and frameworks, identifying root causes of quality and compliance problems, ensuring monitoring systems and controls are functioning correctly, and other work outlined below.

“Quality is Everyone’s Responsibility”

As W. Edwards Deming once famously noted, “Quality is everyone’s responsibility.” That means it must be an essential focus from the rank and file up to the CEO, and certainly for internal audit. More specifically, responsibility for quality and compliance throughout an organization,

a) begins with front-line business managers (1st Line),
b) supported by risk and controls management and compliance managers (2nd Line), and
c) assured by functions with greater independence, such as internal audit reporting to the audit committee or other governing body (3rd Line).

Internal audit has some unique responsibilities when it comes to quality and compliance. Internal audit must communicate and enforce a consistent view of quality and compliance to all stakeholders while incorporating considerations unique to each business unit or function.

At many organizations, internal audit is viewed as the major enforcer of quality and compliance. If internal audit is a crucial enforcer, then we need to begin by answering the following questions:

  • Does internal audit (or equivalent function) within your organization have a consistent view of quality and compliance as it interacts with others (1st and 2nd Line Managers)?
  • Is this view on quality and compliance in-line with those of business managers, executive leadership, and other stakeholders?
  • If not, why not, and what can be done to align the internal audit and stakeholders’ perspectives on quality and compliance?

For this section of the IAVC, quality is defined as: “The measures of how effective the underlying operations execute processes and governance to provide products or services in-line with customers’ expectations and in compliance with internal standards and regulatory requirements.”

The Compliance Connection

Quality and compliance are two sides of the same coin. An organization cannot provide quality products or services without consistently adhering to its own internal compliance requirements. Compliance is the set of standards used by each business function or the organization as a whole to provide a gauge on quality, such as acceptable failure rates, on-time delivery rates, or acceptable variation or defect levels.

An Institute of Internal Auditors (IIA) Australia chapter whitepaper by Bruce Turner, “Auditing your entity’s Compliance Framework,” defined compliance “as an entity’s framework designed to ensure that it achieves compliance with both externally and internally imposed requirements, and includes governance structures, programs, processes, systems, controls, and procedures.”  The emphasis of this IAVC publication is on internal and not external or regulatory compliance, meaning the oversight of compliance with internally set standards, particularly as they relate to achieving established measures of quality.  Both types of compliance are essential and can impact the quality of products and services differently.

Internal audit performs an important value-add role in helping management identify and manage aspects of quality and compliance across all line-of-business (LOB) functions regardless of their respective unique operations—without losing focus of the enterprise-wide quality and compliance objectives critical to the organization’s mission and customers. Internal audit must emphasize that quality is everyone’s responsibility and develop processes to review effectiveness among the LOB functions and how they align with enterprise goals.

In the article, “Optimizing Internal Audit” from the IIA’s Internal Auditor publication, I argued that internal auditors should include a review of policies and procedures to validate that critical enterprise quality and compliance objectives are addressed continuously, and adequately, and that existing internal controls are operating efficiently as part of the ongoing reviews and assessments. For specific industries—such as food processing, medical devices, and many others—the nature of products manufactured and distributed, or services provided may require extra scrutiny related to quality and compliance expectations.

How many times did you read about faulty ventilators or other ineffective Personal Protective Equipment (PPEs) as organizations and government institutions struggled globally to cope with COVID-19? We can anticipate an increased level of regulatory oversight post-COVID-19 for some products and services to prevent a similar reoccurrence.

Other industries, such as financial services, may require added internal control and compliance requirements. Factors such as policies, procedures, product specifications, and service level agreements, as well as external requirements such as regulatory standards, impact the level of effort needed to address compliance.

Eight Steps to Boost Quality and Compliance (Q&C)

There are eight primary steps internal audit teams can apply throughout an organization in collaboration with stakeholders, to help management create value, capture, and sustain value by improving quality and compliance. They include:

1) FRAMEWORK TO EVALUATE Q&C EFFECTIVENESS: The emphasis here is on using an appropriate framework by an internal audit or equivalent function to validate that business units are meeting their respective quality and compliance expectations efficiently and effectively.

  • What tools and methods are used by your internal audit team to evaluate the effectiveness of each LOB operation’s underlying quality and compliance processes to deliver products or provide services?
  • What standards are used to determine how each LOB operation at your organization adheres to internal quality expectations?

It is important to ensure that any framework adopted—whether it is Lean, Six Sigma, Total Quality Management (TQM), or others—addresses issues unique to each LOB operation and how each function contributes to the enterprise-wide quality and compliance success. Addressing LOB quality and compliance efforts in silos without alignment to enterprise objectives is not an efficient approach.

2) IDENTIFY ROOT CAUSES OF Q&C PROBLEMS: What skills must internal audit develop to not only understand the operational aspects of each LOB function but also to understand and challenge the quality and internal compliance issues specific to that operation?

A generic internal audit approach to quality and compliance reviews without hands-on experience and expertise to apply topics unique to that operation will frustrate business unit managers. Such an approach will often result in an inability for internal audit to add value by identifying and communicating the root cause of issues from Step #1. Instead, internal audit could spend more time addressing symptoms.

3) PROVIDE COST-EFFICIENT RECOMMENDATIONS TIMELY: Internal audit must demonstrate a level of expertise needed to gain trust, challenge the status quo, and provide practical, cost-effective recommendations that can be implemented by each LOB function to address quality and compliance issues promptly. This is an essential step for internal audit to add value by boosting quality and compliance.

Obviously, quality doesn’t exist in a vacuum, and quality improvement decisions must be made about pre-determined price points, time-to-market targets, and other factors to achieve enterprise objectives. This is important for internal audit to gain trust from LOB managers and other stakeholders, and help management to create value, capture, and sustain value.

Technology, of course, also plays a significant role in the assessment and achievement of quality and compliance objectives.  Internal audit must keep up on the systems and software that can influence quality. As organizations move towards improving efficiencies through technology and automation, the quality and compliance requirements become increasingly important.  Configuration and programming errors, or the inability to adopt new technology, can present significant risks and potential financial loss. Internal audit can and should play a role in the assessment and implementation of new technology that can impact quality and compliance.

4) COLLABORATE WITH LOB TO REMEDIATE FINDINGS TIMELY: Once trust is earned, and stakeholders see value in work performed to improve enterprise quality and compliance initiatives, collaboration to remediate findings and implement sustainable recommendations is the logical next step. Internal audit must collaborate with LOB leaders without compromising independence.

  • What guidance can internal audit provide to remediate findings and implement recommendations on quality and compliance violations and minimize the costs from regulatory fines and reputational damage?
  • Is maintaining the status quo more important than pushing the limits of internal audit independence expectations and taking preventive steps to minimize the risk of exposing the organization to additional cost and reputational damage?

Efforts from internal audit to support remediation of findings from audits and reviews and Continuous Process Improvement (CPI) projects should also include education and training to LOB managers, stakeholders, and executives on standards, laws, and regulations. Training should be tracked, attested to, documented, and refreshed periodically.

5) DEVELOP Q&C KEY PERFORMANCE INDICATORS (KPIs): The next step in improving quality and compliance effectiveness is to measure and track performance.

While the quote, “If you can’t measure it, you can’t manage it,” is often wrongly attributed to quality guru Deming—many claim it was actually management sage Peter Drucker—Deming was a strong advocate for the use of quality metrics whenever possible.

Internal audit can collaborate with LOB stakeholders to identify quality and compliance issues unique to each operation and create KPIs and metrics that align each function to the enterprise objectives to avoid performing tasks in silos.

6) PROVIDE CONTINUOUS Q&C MONITORING AND REVIEWS: Regulators became aware of the quality and compliance violations at Wells Fargo in 2016. We do not know if Wells Fargo had a framework used by its internal audit to validate that business functions met their respective quality and compliance expectations efficiently and effectively.  If there was a framework in place, did the Wells Fargo internal audit department perform continuous quality and compliance monitoring and auditing before 2016?

The quality and compliance requirements for many organizations are not static. The dynamic nature of quality and compliance operations means a static once-a-year internal audit effectiveness review will not achieve intended effects. Performing continuous quality and compliance monitoring and auditing could identify issues missed during previous reviews and provide the organization enough time to implement corrective actions and, if needed, self-report to minimize the impact of any potential regulatory fines and reputational damage.

7) RE-EVALUATE THE Q&C ASSESSMENT FRAMEWORK: Given the dynamic nature of the quality and compliance requirements, any framework used from step #1 must be evaluated and adjustments made as needed. If the likelihood of significant quality and compliance violations remains low, and there are no substantial changes to the enterprise’s strategic objectives, quality expectations, and internal and external compliance requirements, then there is no need to make significant changes to the framework.

A good reason to make changes to the internal audit framework is if existing quality and compliance violations are not remediated quickly, or new significant issues are identified. We could anticipate Wells Fargo made substantial changes in how their internal audit function performed quality and compliance effectiveness reviews after the negative publicity that began in 2016. Such changes were significantly late as the bank suffered substantial losses from regulatory fines and reputational damage.

8) VALIDATE EXISTENCE OF AN APPROPRIATE Q&C TONE: What lessons can internal audit learn from the example of Wells Fargo’s quality and compliance violations resulting from bank employees opening unauthorized customer accounts and charging excessive fees to increase sales through cross-selling?

  • When did management first realize such quality and compliance violations occurred?
  • When did internal audit first identify quality and compliance violations?
  • What did the LOB Managers and internal audit do to address the violations?
  • When did senior executives and appropriate board and committees first become aware of such violations?
  • Why was nothing done to resolve the issues immediately?

Internal audit must perform reviews to validate the existence of an appropriate quality and compliance tone and reporting structure to executives and board committees. Is quality and compliance baked into the culture of the organization? Without this, any organization remains vulnerable to quality and compliance lapses that could lead to excessive regulatory fines and reputational damage.

Developing a Quality Habit

As the whitepaper Auditing Your Entity’s Compliance Framework concluded, compliance remains a primary concern for the boards, executives, and senior management of most entities with reputation risk pushed to new levels because of the complexity and pace of legislative and regulatory change, coupled with an increase in regulatory scrutiny and enforcement. According to this whitepaper, a compliance framework is an important element in the governance of entities for:

  • Preventing, identifying, and responding to breaches of laws, regulations, codes, or standards,
  • demonstrating a robust compliance regime to regulators,
  • promoting a culture of compliance, and
  • assisting the entity to be a good corporate citizen.

While these eight steps are not the totality of internal audit’s role in helping the organization improve its quality and compliance initiatives efficiently and effectively, they provide a reliable roadmap for internal audit to collaborate with management—without compromising its independence—and create value for the organization along the way.

The reality of coping with the “new normal” of continuing to do more with less since the 2008 global recession means internal audit must do more to address the fundamental aspects critical to the long-term survival of the organization and to keep customers happy.  Quality is chief among them.

To do this, the organization must provide consumers with the quality and value they seek, including the standards acceptable for products and services so that they can continue voting in the organization’s favor with their marketplace dollars. Executives and managers should empower business unit leaders and internal audit teams to continuously challenge the status quo, starting with mission-critical activities to drive and sustain quality and compliance expectations.

As the philosopher Aristotle once said (or something like it): “quality is not an act, it is a habit.”

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.

How Internal Audit Can Add Value by Improving Financial Management and Governance

This is Part V – Financial Management & Governance of a revised six-part series on the internal audit value chain (IAVC).

How can internal audit assist management and stakeholders throughout the organization to continuously improve accounting, financial reporting, audit, and governance initiatives?

Initial publication – May 14, 2019. Updated – May 15, 2020.

One of the biggest myths about internal auditors is that they are mostly accountants by trade. As most of us know, internal auditors increasingly come from many different backgrounds, including technology, operations, risk management, and other disciplines. And a Certified Public Accountant (CPA) designation is no longer a key requirement to be an internal auditor.

While the emergence of these new well-rounded internal auditors is a welcome development—as internal audit moves to audit non-traditional areas like culture, marketing, human resources, and other business functions—it doesn’t mean that financial management is no longer a critical function in need of internal audit oversight. On the contrary, improving financial management and governance is as important as it has ever been, especially considering the unprecedented challenges from COVID-19. So, while internal auditors are encouraged to develop a wide array of skills to support business units and add value (create, capture and sustain value), they aren’t off the hook on building their knowledge of sound financial management principles and practices as well.

Another myth is that while technology and innovation are transforming nearly every facet of the organization, finance and accounting fundamentals and reporting requirements haven’t changed much in recent years. That view is inaccurate too. Financial management is undergoing the same radical transformation as many other corporate functions, and maybe even more so. The tools, processes, and expectations have shifted with the emergence of fintech, blockchain, big data, and a slew of other innovations.

So, even at a time when internal audit is diversifying outside of its traditional financial reporting and accounting roots, it still needs to excel at providing assurance, insights, and advice over this critical and fast-changing area. What’s more, internal audit needs to keep up with the latest innovations while still adhering to core standards—including the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing—as well as accounting fundamentals and applicable rules. Meeting these demands is a tall order, indeed.

The Internal Audit Value Chain (IAVC)

It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization.  In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:

  1. Strategic direction and alignment
  2. Risk management and monitoring
  3. Operational efficiencies to include Continuous Process Improvement (CPI)
  4. Quality and compliance
  5. Financial management and governance
  6. Responsiveness to create, capture, and sustain value while adapting to the changing business environment.

This part five installment addresses financial management and governance as a critical means for internal audit to create value by helping business units, management, and other stakeholders sustain or achieve improvements in financial reporting, accounting, financing, investment, and other related processes. It does this by evaluating the effectiveness of financial management and governance, identifying root causes of problems, ensuring monitoring systems and controls are functioning correctly, and other work outlined below.

Changing Environment

How can internal audit assist management and stakeholders throughout the organization to continuously improve accounting, financial reporting, audit, and governance initiatives?

  • First, internal audit needs to apply standards using a modernized approach, while adapting to the dynamic business environment, and unprecedented events like COVID-19. In other words, it needs to embrace change and must react quickly to unplanned, catastrophic events, or pandemics.
  • Second, internal audit should go beyond the limits of financial reporting and accounting policies, procedures, and controls to find solutions and assist management in creating, capturing, and sustaining value.

We are not suggesting internal audit should not adhere to standards, regulations, and policies. However, challenging the status quo, helping the organization succeed, and creating sustainable value also requires a different way of thinking, especially during a sustained global crisis or disaster, and changes during and post-COVID-19.

For this to happen, the business-as-usual mindset within the internal audit function needs to change. If management and the CFO are moving the organization in the right direction and at a fast pace, internal audit cannot afford to lag. It also can’t pursue innovation if it doesn’t first have a solid foundation in place and functioning well. For internal audit to improve financial management and governance, the chief audit executive (CAE) needs to develop and implement a framework to evaluate progress on the following goals continuously:

  1. The alignment of the enterprise mission and objectives with business unit operations and strategy,
  2. The identification and understanding of the macro and micro risks impacting the organization (includes emerging risks and the pace of evolving risks),
  3. The identification of opportunities for operational efficiencies, including Continuous Process Improvement (CPI),
  4. The evaluation of quality initiatives and compliance effectiveness,
  5. The assessment of vulnerabilities in critical systems and technologies used, and
  6. The organization’s ability to react (responsiveness) to the changing business environments.

Note: Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner: management. In the process of adding value by helping management solve problems they recognize as vital, internal audit can provide support without compromising its independence.

An IIA article, “Optimizing Internal Audit,” emphasizes that internal audit should leverage its knowledge of the organization’s strategic alignment, customer needs, mission, risks, compliance requirements, and operations to collaborate with functional managers, including the CFO, to improve financial management and governance.  Internal audit also needs to understand how the CFO role within their organizations is evolving and what additional changes are required.  Some essential questions to consider include:

  • What changes did your CFO function make during catastrophic events, or pandemics?
  • What changes do you anticipate during and post-COVID-19?
  • What additional risks emerged during and after the pandemic as your organization struggled to adjust and react?
  • Is your current business model strong enough to survive the impact of an unforeseen event or crisis?

A research report from Accenture, titled “From Bottom Line to Front Line,” showed how CFOs have stepped out from the confines of their roles to become innovators and disrupters in their businesses. They are doing this by leveraging new technology and exploiting data and creating value in the process. The report concluded finance departments must overcome significant challenges to play a broader role driven by five forces:

  • Increased expectations: boards, CEOs, and the overall organization expect and need more from the CFO.
  • The pace of change keeps accelerating.
  • The pressure to show growth and profits is constant.
  • An explosion in the availability of data and data analysis tools requires both increased focus and new capabilities.
  • Regulation and consumer expectations have expanded control and compliance requirements.

How would these five factors listed in the Accenture report impact additional changes within your CFO function post-COVID-19?  What role can internal audit play to provide value as your CFO role continues to evolve?

Eight Steps to Improving Financial Management and Governance


There are eight primary steps internal audit teams can apply throughout an organization in collaboration with stakeholders, to help management and the CFO create, capture, and sustain value by improving financial management and governance. They include:

1) VALIDATE EXISTENCE OF AN APPROPRIATE TONE: To improve financial management and governance, internal audit needs to understand the critical accounting, financial reporting, and audit objectives driving the organization. Internal audit should perform reviews and assessments to evaluate appropriate tone and culture at the departmental and business unit levels across key locations. Such reviews provide visibility on how business unit practices align with the entity-level objectives. Culture reviews, or building culture assessments into other types of audits, can go a long way to provide management with insights on the tone communicated throughout the organization, including tone at the top, middle, and bottom. Findings from such reviews could provide early warnings on inappropriate decisions made across business functions, such as (a) excessive risk-taking, and (b) rationalizing violations of corporate policies and procedures and fraud.

The appropriate financial management tone must also fit the sector (public, private, nonprofit, or hybrid) that the organization operates in.  Finding any modern business or government institution that perfectly fits the traditional definition of the private sector, public sector, or nonprofit organization is challenging.  The increasing number of hybrid organizations (a mixture of financial management objectives from public and not-for-profit sectors) points to the evolving nature of financial management priorities across traditional sectors.

Rapid changes are driven by evolving customer or taxpayer behaviors and expectations. Some private sector companies, for example, are becoming more conscious of the moral, social, and environmental impacts of the decisions they make. In contrast, some public sector organizations and government institutions want to apply financial management best-practices from private sector organizations to cope with the increased pressures of “doing more with less.” Such variables impact the organization’s tone and culture, the pace and scale of transformation, which directly impacts financial management and governance decisions.

Getting tone and culture right, particularly regarding sound, ethical financial management, has become one of the top priorities of many organizations, and internal audit can play a pivotal role in getting there.

The COVID-19 pandemic disrupted every aspect of business functions, and financial management was no exception. Business transactions that were typically initiated, authorized, processed, recorded, and reported in line with internal control parameters in office settings changed. Employees quickly had to work from home during the early stages of the pandemic between February and March 2020. With limited planning, business transactions had to be initiated, approved, processed, recorded, and reported remotely. Such rapid changes in how employees work present significant risks for organizations with an appropriate tone and culture.

2) ASSESS INTERNAL CONTROLS: COVID-19 has changed how internal controls are performed and supported. Employees and contractor teams had to work remotely, and auditors and regulators now had to plan and execute audits and examinations remotely. Changes such as the use of new technologies and processes introduce risks and affect controls. Internal audit must think through unintended consequences and understand the impact of rapid changes and innovations, so they can ensure that there are no unmitigated risks and control weaknesses. Transformation presents unique risks and challenges. While speed is imperative, transformation and innovation must also be done smartly and with assurances that risks are identified and mitigated promptly. That means internal audit should apply the right methodologies for performing risk assessments and testing the design and operating effectiveness of critical financial management internal controls.

3) PERFORM FRAUD RISK ASSESSMENTS:  Fraud risks and vulnerabilities evolve as functional managers, including CFOs, serve as innovators and disruptors in their businesses. Expectations from stakeholders further complicate this. Increased expectations accelerate the pace of change, driving the need for more business transformation, often with unrealistic timelines.  The unintended effects could include increased burden to show growth and profits, and significant reliance on technology and automation. These factors all increase the risk of fraud, and internal audit should be on high alert to ensure that emerging risks are mitigated.

Technology can also be a double-edged sword when it comes to fraud.  Advanced analytics tools, for example, provide great assistance in flagging potentially fraudulent transactions. But fraudsters can also manipulate them by, for example, finding out the threshold where transactions will be investigated and remaining just under it. Fraudsters can also use technology to commit or hide fraud when they understand it better than the managers and auditors who are on the lookout for wrongdoing.  As many users access corporate systems and data remotely, with staff and contractor teams working from home due to COVID-19, internal audit teams must identify new vulnerabilities, and be on high alert for increased fraudulent activities.

4) IMPROVE FINANCIAL MANAGEMENT PROCESSES AND SYSTEMS:  Business disruptions during COVID-19 and over the past decade demonstrate that there are no boundaries to the speed and extent of change. Businesses must continuously improve financial management processes to deliver on customer expectations, generate profits, and improve financial performance. Technological innovations and increasing use of mobile applications, for example, have transformed the global banking sector.  This has forced traditional banks to modernize business practices to deliver superior customer experiences.

And by many accounts, we are just getting started. According to the Deloitte Crunch Time 2025: Finance report, as finance cycles go real-time, periodic reporting will no longer drive operations and decision making, and traditional cycles will become less relevant.  A separate report by Accenture on CFOs identified three central themes in the evolution of the finance function:

  • Digitizing finance and harnessing the power of data: CFOs continue to automate routine accounting, control, and compliance tasks.
  • Leading digitization efforts: CFOs play a critical role in the digitization of their enterprises, with most starting in their own departments.
  • Developing future finance talent: CFOs need to shift their hiring and talent development criteria so the next generation of finance leaders can flourish in this expanded role.

In part four of the IAVC – How Internal Audit Can Add Value by Pursuing Efficiencies, we concluded that there is no corporate function more equipped to weed out operational inefficiency than internal audit. Internal auditors have the skills to assess processes expertly, the knowledge of the business to understand how things fit together, the distance to evaluate problems with an open mind, and the discipline to make recommendations in a thoughtful, organized way. Certainly, this thought process can also be applied to support Continuous Process Improvement (CPI) projects and to improve financial management processes and systems.

5) VALIDATE REMEDIATION OF FINDINGS:  Internal audit should develop a framework to track the appropriate and timely remediation of audit findings and recommendations from CPI projects that impact financial management. This should include assistance in implementing proper financial management controls and training for management, staff, and stakeholders. There should also be a process in place to elevate significant findings that are repeatedly ignored and go unaddressed to executive management, the board of directors, and various committees.

6) PERFORM RISK AND CONTROL SELF ASSESSMENTS (RCSAs): If functional managers, including CFOs, are to serve as innovators and disruptors, internal audit should assist them in prioritizing risks (including emerging risks and the pace of evolving risks) and validate that internal controls exist to mitigate risks. This enables executive management to concentrate on the high-risk issues, while their staff assesses moderate and low-level risks. To address moderate and low-level risks, internal audit can collaborate with stakeholders to establish and monitor a process to perform Risk and Control Self Assessments (RCSAs).

According to the Institute of Operational Risk (IOR), the recommended minimum frequency of conducting an RCSA is once a year, although twice a year or even more often may be appropriate depending on the compliance objectives. Timing and regularity should be determined by the purpose of the RCSA and any co-dependencies, such as SOX or other applicable regulatory reporting requirements. According to IOR, there should also be a mechanism in place for targeted ad-hoc assessments, if there is a significant change in the perceived risk profile. A significant change could result, for example, from a change in the internal or external operating environment, or the introduction of new business activities or new products, says IOR.

The use of RCSAs, in theory, seems a practical approach. However, the output from using RCSAs, the skills of the risk owners, and limited oversight responsibilities might highlight the inefficiencies in identifying and mitigating emerging and rapidly evolving risks. The short-term challenges of responding to COVID-19 and the long-term effects (post-COVID-19) provide an opportunity for internal audit to evaluate and enhance the self-assessment processes, including the use of RCSAs.

7) MONITOR REGULATORY CHANGES: Internal audit should collaborate with management (without compromising its independence) to monitor and address financial reporting, accounting, and regulatory changes and ensure ongoing compliance. When possible, internal audit should facilitate training for staff and stakeholders on the constant changes to compliance and accounting standards. This requires cross-functional collaboration between operations, compliance, legal, risk management, accounting and financial reporting, tax, internal audit, and other functions.

8) DEVELOP AND IMPLEMENT KEY PERFORMANCE INDICATORS (KPIs) AND METRICS: A natural by-product of internal audit's interaction with functional managers is knowledge of appropriate accounting and financial management KPIs and metrics, including the use of proper visualization and analytical tools. As part of the RCSAs, internal audit can track how management implements and monitors KPIs, Key Risk Indicators (KRIs), and other metrics and recommend changes. Once the system of metrics is agreed upon and developed, there should be a continuous monitoring system to track such metrics.

“Ch-Ch-Ch Changes”

Certainly, this is not an exhaustive list of the steps internal audit can take to add value by helping to improve financial management and governance. However, they will go a long way to putting it on track. The common theme here is that—to use a well-worn adage—the only constant is change. Internal audit functions that reorganize to be in a perpetual state of change management will be the ones that succeed in adding value, and help management capture and sustain value. And if you think we’ve already gone through too much transformation, buckle up, it’s about to go faster.

Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions. 

Jacqueline Butler, CISA, CRISC, is a director at Synergy Integration Advisors.