This is Part V – Financial Management & Governance of a revised six-part series on the internal audit value chain (IAVC).
How can internal audit assist management and stakeholders throughout the organization to continuously improve accounting, financial reporting, audit, and governance initiatives?
Initial publication – May 14, 2019. Updated – May 15, 2020.
One of the biggest myths about internal auditors is that they are mostly accountants by trade. As most of us know, internal auditors increasingly come from many different backgrounds, including technology, operations, risk management, and other disciplines. And a Certified Public Accountant (CPA) designation is no longer a key requirement to be an internal auditor.
While the emergence of these new well-rounded internal auditors is a welcome development—as internal audit moves to audit non-traditional areas like culture, marketing, human resources, and other business functions—it doesn’t mean that financial management is no longer a critical function in need of internal audit oversight. On the contrary, improving financial management and governance is as important as it has ever been, especially considering the unprecedented challenges from COVID-19. So, while internal auditors are encouraged to develop a wide array of skills to support business units and add value (create, capture and sustain value), they aren’t off the hook on building their knowledge of sound financial management principles and practices as well.
Another myth is that while technology and innovation are transforming nearly every facet of the organization, finance and accounting fundamentals and reporting requirements haven’t changed much in recent years. That view is inaccurate too. Financial management is undergoing the same radical transformation as many other corporate functions, and maybe even more so. The tools, processes, and expectations have shifted with the emergence of fintech, blockchain, big data, and a slew of other innovations.
So, even at a time when internal audit is diversifying outside of its traditional financial reporting and accounting roots, it still needs to excel at providing assurance, insights, and advice over this critical and fast-changing area. What’s more, internal audit needs to keep up with the latest innovations while still adhering to core standards—including the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing—as well as accounting fundamentals and applicable rules. Meeting these demands is a tall order, indeed.
The Internal Audit Value Chain (IAVC)
It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization. In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:
- Strategic direction and alignment
- Risk management and monitoring
- Operational efficiencies to include Continuous Process Improvement (CPI)
- Quality and compliance
- Financial management and governance
- Responsiveness to create, capture, and sustain value while adapting to the changing business environment.
This part five installment addresses financial management and governance as a critical means for internal audit to create value by helping business units, management, and other stakeholders sustain or achieve improvements in financial reporting, accounting, financing, investment, and other related processes. It does this by evaluating the effectiveness of financial management and governance, identifying root causes of problems, ensuring monitoring systems and controls are functioning correctly, and other work outlined below.
How can internal audit assist management and stakeholders throughout the organization to continuously improve accounting, financial reporting, audit, and governance initiatives?
- First, internal audit needs to apply standards using a modernized approach, while adapting to the dynamic business environment, and unprecedented events like COVID-19. In other words, it needs to embrace change and must react quickly to unplanned, catastrophic events, or pandemics.
- Second, internal audit should go beyond the limits of financial reporting and accounting policies, procedures, and controls to find solutions and assist management in creating, capturing, and sustaining value.
We are not suggesting internal audit should not adhere to standards, regulations, and policies. However, challenging the status quo, helping the organization succeed, and creating sustainable value also require a different way of thinking, especially during a sustained global crisis or disaster and amid the changes during and after COVID-19.
For this to happen, the business-as-usual mindset within the internal audit function needs to change. If management and the CFO are moving the organization in the right direction and at a fast pace, internal audit cannot afford to lag. It also can’t pursue innovation if it doesn’t first have a solid foundation in place and functioning well. For internal audit to improve financial management and governance, the chief audit executive (CAE) needs to develop and implement a framework to evaluate progress on the following goals continuously:
- The alignment of the enterprise mission and objectives with business unit operations and strategy,
- The identification and understanding of the macro and micro risks impacting the organization (includes emerging risks and the pace of evolving risks),
- The identification of opportunities for operational efficiencies to include Continuous Process Improvement (CPI),
- The evaluation of quality initiatives and compliance effectiveness,
- The assessment of vulnerabilities in critical systems and technologies used, and
- The organization’s ability to react (responsiveness) to the changing business environments.
Note: Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management. In the process of adding value by helping management solve problems they recognize as vital, internal audit can provide support without compromising its independence.
An IIA article, “Optimizing Internal Audit,” emphasizes that internal audit should leverage its knowledge of the organization’s strategic alignment, customer needs, mission, risks, compliance requirements, and operations to collaborate with functional managers, including the CFO, to improve financial management and governance. Internal audit also needs to understand how the CFO role within their organizations is evolving and what additional changes are required. Some essential questions to consider include:
- What changes did your CFO function make during catastrophic events, or pandemics?
- What changes do you anticipate during and post-COVID-19?
- What additional risks emerged during and after the pandemic as your organization struggled to adjust and react?
- Is your current business model strong enough to survive the impact of an unforeseen event or crisis?
A research report from Accenture, titled “From Bottom Line to Front Line,” showed how CFOs have stepped out from the confines of their roles to become innovators and disrupters in their businesses. They are doing this by leveraging new technology and exploiting data and creating value in the process. The report concluded finance departments must overcome significant challenges to play a broader role driven by five forces:
- Increased expectations: boards, CEOs, and the overall organization expect and need more from the CFO.
- The pace of change keeps accelerating.
- The pressure to show growth and profits is constant.
- An explosion in the availability of data and data analysis tools requires both increased focus and new capabilities.
- Regulation and consumer expectations have expanded control and compliance requirements.
How would these five factors listed in the Accenture report impact additional changes within your CFO function post-COVID-19? What role can internal audit play to provide value as your CFO role continues to evolve?
Eight Steps to Improving Financial Management and Governance
There are eight primary steps internal audit teams can apply throughout an organization in collaboration with stakeholders, to help management and the CFO create, capture, and sustain value by improving financial management and governance. They include:
1) VALIDATE EXISTENCE OF AN APPROPRIATE TONE: To improve financial management and governance, internal audit needs to understand the critical accounting, financial reporting, and audit objectives driving the organization. Internal audit should perform reviews and assessments to evaluate appropriate tone and culture at the departmental and business unit levels across key locations. Such reviews provide visibility on how business unit practices align with the entity-level objectives. Culture reviews, or building culture assessments into other types of audits, can go a long way to provide management with insights on the tone communicated throughout the organization, including tone at the top, middle, and bottom. Findings from such reviews could provide early warnings on inappropriate decisions made across business functions, such as (a) excessive risk-taking, and (b) rationalizing violations of corporate policies and procedures and fraud.
The appropriate financial management tone must also fit the sector (public, private, nonprofit, or hybrid) that the organization operates in. Finding any modern business or government institution that perfectly fits the traditional definition of the private sector, public sector, or nonprofit organization is challenging. The increasing number of hybrid organizations (a mixture of financial management objectives from public and not-for-profit sectors) points to the evolving nature of financial management priorities across traditional sectors.
Rapid changes are driven by evolving customer or taxpayer behaviors and expectations. Some private sector companies, for example, are becoming more conscious of the moral, social, and environmental impacts of the decisions they make. In contrast, some public sector organizations and government institutions want to apply financial management best-practices from private sector organizations to cope with the increased pressures of “doing more with less.” Such variables impact the organization’s tone and culture, the pace and scale of transformation, which directly impacts financial management and governance decisions.
Getting tone and culture right, particularly regarding sound, ethical financial management, has become one of the top priorities of many organizations, and internal audit can play a pivotal role in getting there.
The COVID-19 pandemic disrupted every aspect of business functions, and financial management was no exception. Business transactions that were typically initiated, authorized, processed, recorded, and reported in line with internal control parameters in office settings changed. Employees quickly had to work from home during the early stages of the pandemic, between February and March 2020. With limited planning, business transactions had to be initiated, approved, processed, recorded, and reported remotely. Such rapid changes in how employees work present significant risks for organizations with an appropriate tone and culture.
2) ASSESS INTERNAL CONTROLS: COVID-19 has changed how internal controls are performed and supported. Employees and contractor teams had to work remotely, and auditors and regulators now had to plan and execute audits and examinations remotely. Changes such as the use of new technologies and processes introduce risks and affect controls. Internal audit must think through unintended consequences and understand the impact of rapid changes and innovations, so it can ensure that there are no unmitigated risks and control weaknesses. Transformation presents unique risks and challenges. While speed is imperative, transformation and innovation must also be done smartly and with assurances that risks are identified and mitigated promptly. That means internal audit should apply the right methodologies for performing risk assessments and testing the design and operating effectiveness of critical financial management internal controls.
3) PERFORM FRAUD RISK ASSESSMENTS: Fraud risks and vulnerabilities evolve as functional managers, including CFOs, serve as innovators and disruptors in their businesses. Expectations from stakeholders further complicate this. Increased expectations accelerate the pace of change, driving the need for more business transformation, often with unrealistic timelines. The unintended effects could include increased burden to show growth and profits, and significant reliance on technology and automation. These factors all increase the risk of fraud, and internal audit should be on high alert to ensure that emerging risks are mitigated.
Technology can also be a double-edged sword when it comes to fraud. Advanced analytics tools, for example, provide great assistance in flagging potentially fraudulent transactions. But fraudsters can also manipulate them by, for example, finding out the threshold where transactions will be investigated and remaining just under it. Fraudsters can also use technology to commit or hide fraud when they understand it better than the managers and auditors who are on the lookout for wrongdoing. As many users access corporate systems and data remotely, with staff and contractor teams working from home due to COVID-19, internal audit teams must identify new vulnerabilities, and be on high alert for increased fraudulent activities.
4) IMPROVE FINANCIAL MANAGEMENT PROCESSES AND SYSTEMS: Business disruptions during COVID-19 and over the past decade demonstrate that there are no boundaries to the speed and extent of change. Businesses must continuously improve financial management processes to deliver on customer expectations, generate profits, and improve financial performance. Technological innovations and increasing use of mobile applications, for example, have transformed the global banking sector. This has forced traditional banks to modernize business practices to deliver superior customer experiences.
And by many accounts, we are just getting started. According to the Deloitte Crunch Time 2025: Finance report, as finance cycles go real-time, periodic reporting will no longer drive operations and decision making, and traditional cycles will become less relevant. A separate report by Accenture on CFOs identified three central themes in the evolution of the finance function:
- Digitizing finance and harnessing the power of data: CFOs continue to automate routine accounting, control, and compliance tasks.
- Leading digitization efforts: CFOs play a critical role in the digitization of their enterprises, with most starting in their own departments.
- Developing future finance talent: CFOs need to shift their hiring and talent development criteria so the next generation of finance leaders can flourish in this expanded role.
In part four of the IAVC – How Internal Audit Can Add Value by Pursuing Efficiencies, we concluded that there is no corporate function more equipped to weed out operational inefficiency than internal audit. Internal auditors have the skills to assess processes expertly, the knowledge of the business to understand how things fit together, the distance to evaluate problems with an open mind, and the discipline to make recommendations in a thoughtful, organized way. Certainly, this thought process can be applied to support Continuous Process Improvement (CPI) projects and to improve financial management processes and systems as well.
5) VALIDATE REMEDIATION OF FINDINGS: Internal audit should develop a framework to track the appropriate and timely remediation of audit findings and recommendations from CPI projects that impact financial management. This should include assistance in implementing proper financial management controls and training for management, staff, and stakeholders. There should also be a process in place to elevate significant findings that are repeatedly ignored and go unaddressed to executive management, the board of directors, and various committees.
6) PERFORM RISK AND CONTROL SELF ASSESSMENTS (RCSAs): If functional managers, including CFOs, are to serve as innovators and disruptors, internal audit should assist them in prioritizing risks (including emerging risks and the pace of evolving risks) and validate that internal controls exist to mitigate risks. This enables executive management to concentrate on the high-risk issues, while their staff assesses moderate and low-level risks. To address moderate and low-level risks, internal audit can collaborate with stakeholders to establish and monitor a process to perform Risk and Control Self Assessments (RCSAs).
According to the Institute of Operational Risk (IOR), the recommended minimum frequency of conducting an RCSA is once a year, although twice a year or even more often may be appropriate depending on the compliance objectives. Timing and regularity should be determined by the purpose of the RCSA and any co-dependencies, such as SOX or other applicable regulatory reporting requirements. According to IOR, there should also be a mechanism in place for targeted ad-hoc assessments, if there is a significant change in the perceived risk profile. A significant change could result, for example, from a change in the internal or external operating environment, or the introduction of new business activities or new products, says IOR.
The use of RCSAs, in theory, seems a practical approach. However, the output from using RCSAs, the skills of the risk owners, and limited oversight responsibilities might highlight the inefficiencies in identifying and mitigating emerging and rapidly evolving risks. The short-term challenges of responding to COVID-19 and the long-term effects (post-COVID-19) provide an opportunity for internal audit to evaluate and enhance the self-assessment processes, including the use of RCSAs.
7) MONITOR REGULATORY CHANGES: Internal audit should collaborate with management (without compromising its independence) to monitor and address financial reporting, accounting, and regulatory changes and ensure ongoing compliance. When possible, internal audit should facilitate training for staff and stakeholders on the constant changes to compliance and accounting standards. This requires cross-functional collaboration between operations, compliance, legal, risk management, accounting and financial reporting, tax, internal audit, and other functions.
8) DEVELOP AND IMPLEMENT KEY PERFORMANCE INDICATORS (KPIs) AND METRICS: A natural by-product as internal audit interacts with functional managers is knowledge of appropriate accounting and financial management KPIs and metrics including the use of proper visualization and analytical tools. As part of the RCSAs, internal audit can track how management implements and monitors KPIs, Key Risk Indicators (KRIs), and other metrics and recommend changes. Once the system of metrics is agreed upon and developed, there should be a continuous monitoring system to track such metrics.
Certainly, this is not an exhaustive list of the steps internal audit can take to add value by helping to improve financial management and governance. However, they will go a long way to putting it on track. The common theme here is that—to use a well-worn adage—the only constant is change. Internal audit functions that reorganize to be in a perpetual state of change management will be the ones that succeed in adding value, and help management capture and sustain value. And if you think we’ve already gone through too much transformation, buckle up, it’s about to go faster.
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.
Jacqueline Butler, CISA, CRISC, is a director at Synergy Integration Advisors.