Mobile Edition
Print
Get the Mag
Weekly UpdatesIN THE PAST, INTERNAL AUDITORS DID not need to consider the importance of adding value when performing their work assignments. Instead, engagements typically consisted of verifying compliance with policies and procedures, without providing recommendations for improvement or performing other consultative activities. The auditor's role was often more akin to that of a police officer than a business partner.
Today's auditors, however, must be much more attuned to opportunities for enhancement, as adding value is widely considered an integral part of the audit process. Indeed, the very definition of internal auditing states that it is "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." But what does adding value entail, and how do auditors provide it? While the answer may vary depending on individual circumstances, internal auditors make value-added contributions throughout the entire audit process and in almost every aspect of their work.
GOVERNANCE
Auditors add value by simply doing their jobs for the audit committee or other reporting body. The audit function serves as a governance control, and it performs a crucial role by strengthening the organization's overall systems of control and conducting assurance reviews of the critical controls intended to address entity-level, industry, and business-line risks. These reviews provide management, the board of directors, external auditors, and, most importantly, the audit committee with assurance that key controls within the organization are designed appropriately, operating effectively and efficiently, and functioning to protect stakeholders. This type of assurance may be impossible for auditors to quantify monetarily, but it definitely constitutes value-added service.
THE ANNUAL AUDIT PLAN
Most internal audit departments use a risk-based annual audit plan. Management needs to address the highest risks within an organization, and the annual audit plan must reflect and address those risks. A plan developed by incorporating the organization's highest risk departments, business units, processes, and respective controls makes effective use of internal auditing's limited resources and thereby adds value through efficiency.
THE AUDIT WORK PROGRAM
A well-developed internal audit plan or program should address the major risks both at the level of the organization and within individual departments, units, or processes. This approach should encourage the internal audit department to focus its efforts and activities where they are likely to have the most significant impact on value added. The corporate disasters at Lehman Brothers, Wachovia, Enron, and other companies did not occur because the petty cash drawer was reconciled incorrectly; these companies failed because significant risks were either not appropriately controlled or were beyond management's ability to control. A poorly defined audit work program can lead to ineffective or even worthless testing, and such testing in turn can lead to meaningless audit reports.
Ten years ago information security and technology risks were not the same as today, just as these risks have changed, so too should audit practices. If auditors use the same work programs year after year without speaking to management, they might overlook changes to the business landscape and test outdated practices or controls. Such testing represents an inefficient use of audit resources, and it wastes stakeholders' time when the ill-conceived results are presented in an audit report. A carefully crafted audit program should address an area's critical risks and allow audit practitioners to make the best use of their resources. Audit programs add value to the organization only when based on current conditions and accurate assessments.
AUDIT EXECUTION
During an engagement, internal auditors may observe numerous opportunities for process improvement or other enhancements that ultimately either increase the organization's profitability or help fulfill its mission. While this activity constitutes adding value, auditors need to be wary of going too far. If they believe every engagement should include a recommendation to improve the organization, audit practitioners risk using organizational resources ineffectively. An audit department that spends too much time looking for improvements or added controls may actually be harming the organization by wasting resources that could be applied to more critical areas. For example, an auditor who spends 50 hours on five low-risk audits to find an improvement or deficiency may better serve the organization by using those same 50 hours to re-audit a high risk activity, pursue continuing education, or meet with management to discuss new or changing risks to the organization. In evaluating risk versus reward, auditors must determine if the effort and resources expended to find an improvement are worth the potential benefits.
REPORTING
Management, boards of directors, audit committees, and external auditors rely on internal auditors' opinions on controls over the processes and risks within the organization, and they likely view these opinions as value-added information. However, executive managers, boards, and audit committees may feel that only high and medium risks should be brought to their attention, whereas middle managers may want to know about opportunities for efficiencies or greater effectiveness. Including all findings and recommendations on an audit report to show how internal auditing is adding value could lead to unintended consequences. Managers, for example, may focus on items of low risk, thereby diminishing time spent on high-risk controls. They may also miss the point of the audit--that is, identifying high and medium risks--and consequently become frustrated with the auditor. This could eventually damage internal auditing's reputation within the organization and cause management to question whether auditors really understand the audited area, processes, or risks. Management may also be less inclined to inform internal auditing of issues or concerns in future audits, believing that the auditors will report every issue raised, regardless of the risk each presents to the organization. Ultimately, this behavior can weaken the organization's control structure by diminishing the flow of critical information.
To add value effectively through reporting, internal auditors need to consider where they want their audience to focus. Accordingly, they should take into account the needs, wants, and resources of various stakeholders. The audit report should be easy for readers to navigate, and if appropriate, it should stratify findings and recommendations into categories of importance.
CONSULTING
Internal auditors are risk assessment and internal control specialists. Their expertise in these areas enables them to help management analyze risks to the organization and design controls to mitigate those risks. By performing audits, researching issues, and benchmarking with peers on best practices, auditors can become a truly valuable resource for internal control design. These activities also constitute adding value.
EFFECTIVE, EFFICIENT, AND VALUED
As part of their value proposition, internal auditors need to consider how their procedures impact the organization as a whole. Of course, opportunities for improvement exist in virtually every system or process, but auditors need to recognize where adding value ends and increased costs take over.
Understanding how internal auditing's processes fit into the organization also adds value, though it may be difficult to quantify in terms of dollar savings, revenue earnings, or reduced risks. To a degree, internal auditors add value simply by performing their functions effectively and efficiently. But careful attention to the organization's risk profiles and the information requirements of various players in the organizational governance framework represents an ongoing challenge to audit practitioners, and it is key to ensuring the value they add is maximized.
ERIC LUNDIN, CIA, CSFA, CPA, CFIRS, is vice president and general auditor at Home Federal Bank in Sioux Falls, S.D.
To comment on this article, e-mail the author at eric.lundin@theiia.org.
EDITED BY DAVID O'REGAN
FEED