After the massive disruption to economic activities in 2020 as a result of the pandemic, most companies had to reassess the scale of the threats menacing their business. Internal audits have been challenged to provide in-depth assessments and advice to help companies withstand and survive emerging crises. Internal audit’s infrastructure and processes were disrupted as they had to shift to remote work and deal with a rapidly broadening risk environment, a circumstance that favored the adoption of digital technology.
How has technology helped internal audit functions adapt to a rapidly changing environment?
The introduction of digital tools has helped many organizations significantly improve the relevance, depth, and coverage of their internal audit. With advances in technology, a multitude of data analysis software options are now widely available. Internal auditors can now turn to more comprehensive tools instead of resorting to Microsoft Excel. These technologies provide internal auditors with multidimensional perspectives of data and responsive functions that facilitate data translation and proactive recording of evidence.
What are the missions of an Internal Audit?
According to the Institute of Internal Auditors (IIA), internal auditing is:
“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
Thus, the objectives of an Internal Audit are to ensure that the organization complies with normative or private references or customer specifications to improve its operation, efficiency, and governance. But this process is also an essential tool for monitoring the progress of quality management systems. In addition to the mission of detecting non-compliance with the reference framework and requirements, this process also highlights what is working well in a company.
In large companies, there are departments dedicated to this function whose only task is centered on internal audits. This is a tedious mission given the size of these organizations, which are often multinational. They are responsible for carrying out internal audits and follow-up actions for all of the group's sites while ensuring the success of the certification audits.
How to perform an Internal Audit?
In some organizations, internal audit often evokes a sense of frustration and wasted time. Even in some large corporations, most auditees find it disturbing or intimidating to have someone review their activities. Management should nurture and standardize the culture of control and verification within the organization. They should be involved in making employees understand the role of an internal audit, know what to expect during an internal audit, and know potential pitfalls to avoid, to help put employees at ease and make the process a much more enjoyable and valuable experience.
“Internal Auditors are the eyes and ears of management, be sure you are not deaf or blind.”
Michael L. Piazza
The audit process is similar in most cases and normally consists of four stages: planning, fieldwork, audit report, and follow-up review.
The scope of the internal audit is chosen based on a risk-based approach, a normative and private reference framework, and internal documents relating to the audited processes. Additionally, audits may also be conducted based on fraud and ethics concerns. During the development of the annual audit plan, the internal audit committee meets with the board of directors to discuss risks and potential obstacles to the achievement of the objectives.
During the planning phase of the audit, the auditee is informed of the audit by an announcement letter or an engagement letter from the person in charge of internal audit. This letter communicates the scope and objectives of the audit, the auditors assigned to the project, and other relevant information.
Before starting the audit, an entrance meeting must be organized. Internal auditors lead the meeting with the pilots of the audited processes to discuss the scope and objectives of the review, go through the audit schedule, the main points that will be addressed, the progress of the audit, etc., and of course introduce one another if people do not know each other. During this meeting, the auditors collect information on the significant processes for the preliminary survey (information on the process in order to obtain an overview of the operations) and plan the remaining audit steps. The auditor must provide the auditee with the audit program, a plan that outlines the time spent on each requirement.
During the fieldwork part, auditors go through each step mentioned in the audit program. The fieldwork involves interviews, reviewing laws, policies, and best practices, verifying sample transactions, analyzing datasets, and conducting surveys. Auditors should ask open-ended questions. It is important to maintain a stable exchange of information, which is sometimes difficult to establish: the auditee must be the one who talks the most, but the auditor must be the one who leads the discussion. The auditor may politely interrupt the auditee if he/she deviates from the subject. It is also during this phase that the auditor determines whether the controls identified during the preliminary survey are operating correctly and in the way described by the auditee.
If there are identified deviations, it is important to be objective and have a scientific approach. Identified deviations are not assumptions; they are facts. A non-conformity cannot come from a “given this situation, I think that…” reasoning; it is always based on evidence.
Auditors meet regularly with the process pilot throughout the fieldwork and discuss the status of the audit, preliminary observations, and potential recommendations. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft audit report.
The auditors conduct a closing meeting with the process pilot at the end of the fieldwork to discuss the audit results, specific findings and recommendations, and other observations. The objective is to close the meeting on a positive note. It is therefore better to start with the serious non-conformities, then move on to the small deviations, and finally finish with the positive points of the process. As mentioned previously, the purpose of the audit is to evaluate, and more particularly to strive for an improvement of the organization’s operations through continuous improvement.
Auditors communicate this information to the pilot through an audit observation note; the process pilot has the opportunity to respond to the audit findings before the release of the final report. Once all these steps have been completed, the next step is to write the audit report. It is paramount not to wait a couple of weeks before writing the report, because observations must be fresh. If there is a delta between what is written in the report and what was said at the closing meeting of the audit, it will not have the desired effect on the auditee.
There are several methods for writing the report. It is best to organize the report in the form of an action plan. This makes it possible to obtain information quickly and, above all, to monitor corrective actions after the audit. Internal audit prints out and distributes the final report to the unit's process manager and the management board.
Overall, the success of an internal audit lies in the methodology of the audit, the attitude of the auditor, and the involvement of the auditee.
Within approximately one year of the final report, Internal Audit will conduct a follow-up review to verify the correction of the report's findings. Indeed, all audit recommendations and corrective action plans are followed up to ensure that the plans are being implemented. The auditee's response letter with the detailed corrective action list and deadlines is reviewed and tested to ensure that the desired results have been achieved. Corrective action plans that do not seem to be progressing are the subject of an annual report to the head of the audit committee.
Internal Audit and digital tools
The disruption to economic activities caused by the pandemic in 2020 has pushed organizations to make decisive progress towards digitalization, and internal audit functions are one of the major players in this digital shift.
The traditional way of performing audits is also known as the manual approach, because it involves multiple Excel spreadsheets, incessant email exchanges, reliance on shared drives, and server-based SharePoint. It was the predominant approach in most companies because it is inexpensive and the necessary infrastructure usually already exists. However, as the name suggests, this approach requires a lot of manual intervention and redundant tasks, and wastes a lot of time, which often generates errors.
The other approach is on-premise audit management solutions, which have the highest cost. These solutions often require ownership costs, while the organization must also invest in dedicated hardware and IT resources for support and maintenance, as they are hosted and maintained by the company's own IT department. This approach is limited by organizational constraints such as limited bandwidth, which can lead to lag issues during use.
So far, the best solution for the internal audit function in the digital age is Software as a Service (SaaS). SaaS solutions offer additional advantages over other technologies in that they are more convenient than manual solutions and are much easier to implement and administer than on-premises solutions. SaaS solutions are a convenient way to remotely access applications over the Internet as a service. Instead of being installed and maintained on-premises, the software is simply accessed over the Internet using a standard browser, freeing organizations from complex software and hardware management. As new features and enhancements are rolled out, their offerings increase in value over time.
Internal audit leaders realized that going digital was the best answer to address the challenges facing internal audits during the pandemic. Boards of directors have turned to internal audits for relevant insight, assurance, or advice to quickly identify emerging risks. This is a unique opportunity for internal audit to elevate its rank and become a benchmark in risk management and corporate governance assurance.