Friday, 25 May 2018

An Effective Internal Audit

Related image



An Effective Internal Audit -
Everything is volatile, complex, uncertain and ambiguous except constant changing. Business models are changing rapidly along with the introduction of innovative processes and products. Disruptive models and technologies are making traditional business destroyed and therefore companies need to reinvent themselves.  Newer legislation's, governance codes and practices instituted across the globe.  In the center of this environment, we have seen several business failures, in India and outside India, that not just relate to poor strategy or risk taking at unacceptable levels but also those owing to financial fraud and deprived corporate governance practices. In this environment, the role of the Board and its Committees are difficult. The importance of handling investor expectations, developing a sound business strategy with high-class execution fixed with strong systems, processes and good corporate governance practices cannot be over emphasized.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an Organisation’s operations. It helps an Organisation achieve its objectives by bringing an efficient, self-controlled approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity should evaluate the competence and effectiveness of controls covering the Organisation’s governance, operations, and information systems.  This should include:
  • Trustworthiness of integrity of financial and operational information.
  • Effectiveness and efficiency of operations.
  • Safeguarding of assets.
  • Compliance with laws, regulations, and contracts


Internal Audit is a critical element in the assurance environment of the Organisations and a valuable means and contributor to dealing risks more effectively. It is a key attribute of good governance, which provides the Directors, Audit Committee and various stakeholders with an independent view on whether the Organisation has a suitable risk and control environment. It also acts as a facilitator for a strong risk and compliance culture within an Organisation.

Refining usefulness of Internal Audit

Challenged with new market events (opportunities & threats), ongoing economic challenges, increased burden to improve risk management effectiveness, and unique regulatory requirements, many Organisations are recognising the importance of internal audit and risk management functions to turn these disruptive forces into opportunities. A discussion on the potential levers for enhancing effectiveness of Internal Audit follows:

Risk Based Internal Audit

Over the last few years, the need to cope risks has become recognised as an essential part of good corporate governance practice. This has put Organisations under increasing pressure to identify all the business risks they face and to explain how they manage them. In fact, the activities involved in managing risks have been recognized as playing a central and essential role in maintaining a sound system of internal control.

While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. We believe that a professional internal audit activity can best achieve its mission as a foundation of governance by positioning its work in the context of the Organisation’s own risk management framework.

Institute of Internal Audit defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an Organisation’s overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

Advantages

By following risk based internal auditing internal audit should be able to determine that:
  • Management has identified, assessed and responded to risks above and below the risk appetite
  • The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
  • Where residual risks are not in line with the risk appetite, action is being taken to remedy that
  • Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to      operate effectively
  • Risks, responses and actions are being properly classified and reported.

This enables internal audit to provide the board with assurance that it needs on three areas:
  • Risk management processes, both their design and how well they are working
  • Management of those risks classified as ‘key’, including the effectiveness of the controls and other responses to them
  • Complete, accurate and appropriate reporting and classification of risks

Implementation of RBIA

The implementation and ongoing operation of RBIA has three stages
Stage 1: Assessing risk maturity : Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes.

Stage 2: Periodic audit planning : Planning the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritizing audit areas based on risk analysis.

Stage 3: Executing audit assignments : Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.

Process Based Internal Audit

The process based approach to internal audit emphases on evaluation of the efficiency of various Organisational processes with the objective of rationalizing and achieving the desired efficiency in various processes. A process-based audit checks the adequacy and effectiveness of the process in meeting its objectives. A process-based audit is an evaluation of the sequential steps and interactions of a process within a system. A process is simply a way of doing something. Process is a series of actions or steps that lead to a desired result: Input – Process – Output. A process based approach to audit examines the resources (equipment, materials and people) used to transform the inputs into outputs, the environment, the methods (procedures and instructions) followed and the measures adopted to determine process performance.

Elements of a Process

  • Expected inputs
  • Expected activities of the process
  • Expected output
  • Expected results
  • Verification of activities
  • Action for correction / improvement
  • Corrective action

Evaluating a Process – Basic Questions

  • What are you trying to do? Why ?
  • How do you make it happen?
  • How do you know you are doing it right?
  • How do you know it’s the best way of doing it ?
  • How do you know it’s the right way of doing it ?
  • Did you receive what you are supposed to receive from the previous process ?
  • Did you do what you are supposed to do at your process ?
  • Did you send what you are supposed to send to the next process?
Just because it’s always been done that way, does not mean it’s being done correctly

Benefits of Process Approach to Internal Audit

  • Focuses on process and results
  • Determines effectiveness of the processes
  • Evaluates the results the process delivers
  • Tests linkages between departments and processes
  • Follows flow of work throughout Organisation
  • Determines if processes are under control and controls are effective

Essentials of an effective process

  • A process must have a well-specified design; otherwise, the people performing it won’t know what to do or when.
  • The people who execute the process, the performers, must have appropriate skills and knowledge; otherwise, they won’t be able to implement the design.
  • There has to be an owner, a senior executive who has the responsibility and authority to ensure that the process delivers results; otherwise, it will not be effective.
  • The company must align its infrastructure, such as information technologies and systems, to support the process; otherwise, they will hamper its performance.
  • Finally, the company must develop and use the right metrics to assess the performance of the process over time; otherwise, it won’t deliver the right results.

These enablers give a process the potential to deliver high performance.

Methodology of Process Based Internal Audit

  • Develop a Process Flow Chart for mapping processes / activities
  • Identify non-value adding activities
  • Look for factual evidence that the process works
  • Plan – Do – Check – Act (PDCA )
  • Check whether the process meets the objectives
  • Evaluate the process – time/cost/quality/efforts/environment
  • Identify areas for improvement
  • Make recommendations for Process improvement

Agile Internal Audit

Agile IA is the mind-set that an Internal Audit function adopts to focus on stakeholder needs, accelerate audit cycles, drive timely insights, reduce wasted effort. Agile prompts internal auditors and stakeholders to determine, upfront, the value to be delivered by an audit or project. As the Internal Audit function considers their specific challenges and contemplates a custom solution, agile audits
  • Are outcome driven / value driven
  • Break some eggs- Challenge that’s the way we have always done it
  • Focus on Impact over thoroughness – 80/20 Rule

Internal Audit Plan and Strategy

Internal audit may have a charter and an annual plan, but many do not have a higher-level, internal audit-specific strategic plan. A detailed strategy enables internal audit to align its objectives to the Organisation. The internal audit strategy should have a long-term (e.g., three to five-year) time horizon and have a road map that is based on the Organisation’s overall strategy, stakeholder expectations, regulatory requirements and the role of the other risk functions. Develop an internal audit-specific strategy that matches the Organisation’s strategic plan time horizon to increase Organisational alignment and improve internal audit’s relevance to other operating functions.

Assessing skills and managing talent

As the role of the internal auditor evolves and stakeholder expectations rise, internal audit increasingly requires competencies that exceed the more traditional technical skills. In addition to internal audit knowledge, stakeholders expect internal auditors to have the ability to team with management and business units on relevant business issues. They also expect internal audit resources to have deep sector knowledge and business acumen. Being able to look at the totality of the business and of the processes — that’s what sets a good internal auditor apart

Leveraging Data Analytics

Use analytics as part of a comprehensive program throughout the audit life cycle rather than on an ad hoc basis. Embedding data analytics into the audit plan can help internal

Audit guide the risk assessment, drive enterprise efficiencies and results that add tangible value to the business, and effectively communicate to the audit committee

Executing a focused, dynamic audit plan

Internal audit must develop an audit plan that focuses on Organisational strategic imperatives and key business risks identified during the risk assessment, including an appropriate blend of:
  • Advisory and assurance reviews
  • Thematic audits
  • Issue-based audits

Update audit plans according to business cycles and triggering events such as a merger or acquisition, new product launch or litigation.

Conducting thematic audits

Thematic and issue based audits are not new to internal audit. But they are making a resurgence as stakeholders increasingly want to know the implications, magnitudes and insights that audit findings convey. Thematic audits are one way of doing this. Themes should be tailored to the sector, Organisational structure, business life cycle and strategy. These audits can include a mix of advisory and assurance reviews.

The future of Internal Audit is now

Today, change is coming faster than ever before – and there is more of it. The sheer velocity of change has upended the business environment and rearranged the landscape. Organisations must identify, assess and address emerging risks without losing sight of their existing business and control environment. They are not only working to get ahead of the curve – often they are struggling to keep up – and not always succeeding. Management, audit committees and boards of directors rely on internal audit to provide assessments and assurance around the effectiveness of controls and company processes, while also providing support in a diverse array of risk and business process improvement areas. In an expanding risk landscape Internal Audit has emerged as a critical lever for change. Now, more than ever, it needs to rise to the challenge and demonstrate its value.
Source from CMA Dr. S K Gupta
Posted by at
Labels: , , , , , , , ,
Location: Vapi, Gujarat, India

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)