Last month, I began a discussion about the evolving role of audit and how significant changes, such as the implementation of the U.S. Sarbanes-Oxley Act, have affected the internal audit profession. I also raised a number of questions about audit roles and responsibilities, such as who should be monitoring internal controls? And if management is responsible for maintaining effective control systems, should they be monitoring these systems or does that task fall to audit?
This month I want to explore more deeply the changing role of internal audit and what that means in developing a new relationship between audit and management.
According to The Institute of Internal Auditors, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
The twofold role of both operational improvement and control assessment is not new to the Institute's definition of the internal audit mandate, but in practice, the post-Sarbanes-Oxley and post-Turnbull era meant that audit's focus moved heavily toward financial reporting controls during the past five years. Things are now changing again as internal audit begins to spend more time considering risk management overall, as well as the impact of controls on operational performance. The IIA also made this statement about audit's responsibility in Enterprise Risk Management:
"Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organisation's ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively."
A recent study by PricewaterhouseCoopers, entitled "Internal Audit 2012", outlined six key expectations that the audit committee, management and external audit have of the internal auditing role. According to the study, internal audit is increasingly expected to:
Of course, these expectations of how internal audit should contribute real value are not yet reflected in current practices within every organisation. It is still not that uncommon for some managers to see internal audit as a necessary evil, as "the people who come in after the battle and bayonet the wounded."
Both internal audit and management need to think and act differently in their relationship in order to achieve the benefits that audit can provide. A common understanding that internal audit has a unique position in an organisation is a good starting point. Audit is often the only area that has detailed visibility into operations and access to information across the entire entity. Auditors are trained to think objectively about operational and financial systems and to assess risk and controls. They also often have technology to support independent analysis that is not available elsewhere within the organisation.
Continuous audit and controls monitoring, for example, enable internal audit to provide a timely flow of information to management at all levels on its assessment of company-wide risks and the reliability of controls. This not only helps to ensure controls are working effectively but also provides insight into specific cases of error and inefficiency, or even fraud, that reduce the level of operational performance. While some organisations have managers who see the benefits of owning and managing the continuous monitoring process, it is often left to internal audit to champion the use of continuous monitoring and to communicate the results as necessary.
Like most business processes, success ultimately depends on maintaining open communication channels and effective working relationships. From my experience, most organisations can still improve the relationship between internal audit and management, particularly in terms of assessing risks and controls and the potential for fraud.
The challenge for internal audit is to demonstrate to management that they can provide tangible value to business performance through their understanding and assessment of controls. At the same time, financial and operational management can do more to look at internal audit in a new light and increase their expectations of the value that audit can deliver.
Throughout this process, internal audit leaders should aim to position themselves as strategic partners and trusted advisors while maintaining critical independence.
What do you think? I'd be pleased to hear about your experiences and ideas about the relationship between management, stakeholders and internal audit.
John Verver is vice president, Alliances & Product Strategy for ACL Services. Verver is a recognized expert and thought leader on continuous controls monitoring and audit analytics. He speaks regularly at global audit and control conferences and is an inaugural member of the Center for Continuous Auditing's advisory board. Verver is a Chartered Accountant, Certified Management Consultant and Certified Information System Auditor.
ACL is a global provider of Audit Analytics to financial executives, compliance professionals and auditors. ACL also provides software solutions. Visit http://www.acl.com.