How to Implement a Robust Audit Framework
Almost every organization, regardless of industry, faces business
challenges as a result of economic fluctuations, the pace and
volume of regulatory change, and the accelerated growth of risks.
An effective audit program helps to ensure that business operations
are conducted within the boundaries of both the organization and
the regulatory bodies that govern it. Further, a well-designed and
well-executed audit function supports an organization’s ability
to confront challenges appropriately, and exploit opportunities
effectively. And it is here that the internal auditor plays a key role.
Today, internal auditors are in a direct position to advise the board
and management on opportunities to navigate through risks and
challenges to achieve organizational objectives. With this in
mind, at every step of the audit process, the underlying question
the auditor needs to ask is: What could impact the organization
so significantly that the board would have to get involved, and is
management addressing those risks appropriately?
Building an Effective and Proactive Internal Audit
The primary mandate for any organization implementing an
effective internal audit framework is to follow the IIA standards
and guidelines. The IIA’s international standards for the practice of
internal auditing provide the cornerstone for an audit framework.
The IIA has substantial resources that consolidate the IIA standards,
the International Professional Practices Framework (IPPF) being
one among them. There are many other resources that help internal
auditors maintain their audit programs in line with best practices
while also monitoring adherence to the policies and principles
requiring compliance.
Planning well for an internal audit program is another important
aspect that helps build a successful audit framework. The
auditor needs to communicate a clear plan for the audit program,
including consideration of the intricacies of each step, to the senior
management, while keeping in mind the strategic directive of the
company, to ensure that the audit program contributes to overall
business success. The planning phase defines the components of
the audit program:
• The goal of the audit program
• The scope of the audit program
• The objectives of the audit program
• The audit risk-assessment program
• The processes to sustain the efficiency of an audit program
Goal of the Audit Program
“Begin with the end in mind” is a Stephen R. Covey fundamental.
Determine the end results to be achieved, and use that information
to direct audit efforts, IT efforts, and business efforts. Having a goal
contributes to sustainable success. An effective auditor determines
goals through a process-driven effort that focuses on results:
• Organized, clear and up-to-date documentation of policies,
procedures, critical processes, and periodic status reporting
• Proactive audit management program
• Regular analysis of the entity’s results by the management
• Measures to ensure that the actions taken by the management
are based on facts and actual results
• Well-defined chain of command and roles and responsibilities
• Timely investigation of issues
• Balanced focus between short- and long-term objectives and
• Engaged and empowered entity team
• Good management practices
Scope of the Audit Program
The scope forms the crux of audit planning, and defines the extent
of the audit program within an entity and the organization. When
planning the scope of an audit, auditors need to have a good
knowledge of:
• The organization’s culture, business, and strategic goals and
• The key risks facing the entity and the organization
• How the entity has been organized, and where it is going
And to understand an entity, auditors must also determine:
• The key operational processes of the entity
• The various initiatives being implemented by the entity
• The key performance indicators and key risk indicators
• The information systems that support the entity’s efforts
• The processes that have been outsourced to third parties
The board and management need to periodically evaluate the
operating effectiveness of the organization. These periodic
evaluations are a supplement to the day-to-day monitoring of
responses and control activities, and provide for more in-depth
analysis of the entity’s operating effectiveness, as well as an
opportunity to consider new practices and technologies to enhance
the entity.
Objectives of the Audit
The objectives of an audit program vary across entities and
organizations. Specifying objectives for each entity allows the audit
program to align with business needs, and drive tangible value in
results. For instance, the objectives of a GRC audit program might
• Determine whether the management and the board are effective
in promoting an ethical culture.
• Determine whether the compliance and/or ethics programs
provide reasonable assurance of compliance with organizational
policies, applicable laws and regulations, and whether the
incentive system is properly formulated.
• Determine if the compliance and ethics program’s management
framework is documented, in place, and appropriately resourced
to meet the organization’s needs.
• Determine whether the organization has implemented the
compliance and ethics program effectively, and whether the
program’s performance reporting system accurately presents
the results of the program’s efforts.
• Assess the costs/benefits of the governance, risk, and
compliance program.
• Ensure that the program is in keeping with current practices
based on the size and complexity of the organization.
Likewise, the audit objectives for IT projects may include:
• Evaluating the overall project plan and its project management.
• Assessing the accuracy and completeness of the systems and
data requirements for the IT solutions.
• Assessing the accuracy and completeness of the operational
• Assessing the risk management process that is applied by the
Audit Risk-assessment Program
Risk-based audit planning has been a cornerstone of the professional
standards for many years, and increasingly organizations are
recognizing the cost-benefit value of such an approach. Auditors
have realized, in today’s dynamic risk environment, that what
holds the key to an organization’s success is an efficient audit risk
assessment activity.
The audit risk assessment helps to ensure the audit program and
specific tests to be performed are appropriate and tied to areas of
identified risk exposure. A risk assessment should also help ensure
that risks are understood. Key risk factors to be considered might
• Scope and complexity of the entity
• Scope and complexity of the organization
• Regulatory environment
• Approach to managing the entity
• Level of an executive’s day-to-day involvement in and support
for the audit program
• Amount and pace of change involved in the entity’s efforts
• Maturity of the entity’s policies, procedures, and processes
• Strength of the project management process
Processes to Sustain the Efficiency of an Audit Program
To support the continuous improvement of the internal audit
program, a well-defined audit function will include reviews and
programs that help monitor the progress and effectiveness of the
program. Two of the most widely known practices are:
• The Post-audit Project Review
• The Quality Assurance and Improvement Program (QAIP)
Post-audit Project Review
There are six steps to be considered when completing the
post-audit review:
1. Declare the intent of the review
2. Select participants from the internal audit team to be a part of
the post-audit review
3. Organize the review
4. Conduct the review - Identify the top five success processes
and opportunities for improvement
5. Report findings to the senior management
6. Prepare reports, develop and adopt recommendations, and
formally incorporate the recommendations into the quality,
improvement, and standard operating practices of the internal
audit department
Quality Assurance and Improvement Program (QAIP)
The QAIP is a means to systematically improve internal audit
practices and results. It enables an evaluation of the internal audit
activity’s conformance to the “Definition of Internal Auditing,”
“International Standards for the Professional Practice of Internal
Auditing,” and an evaluation of whether or not internal auditors
apply the “Code of Ethics.” The QAIP also assesses the efficiency
and effectiveness of the internal audit activity, and identifies
opportunities for improvement to add value to the audit activity,
and improve organizational operations.
Imperatives for Designing a Successful Internal
Audit Program
Proper attention and support from senior management and the
board is evidenced through oversight, due diligence, and engaged
involvement in relevant aspects of the audit program.
• Ownership taken by the management in establishing and
maintaining a system of internal controls to effectively mitigate
risks to achieve an organization’s objectives.
• Enabling the board to provide governance and oversight through
tools, such as those provided by the Open Compliance and
Ethics Group (OCEG). This not only provides a generalization of
corporate duties, but also raises awareness about the numerous
and complex issues involved in corporate governance.
• Internal audit providing assurances to management and the
board that what should be done is being done, while identifying
what significant opportunities for improvement exist.
• Ensuring that the personnel responsible for designing and
executing evaluation of the audit program possess the
appropriate skills and qualifications.
• Plan audit programs in advance for the coming year, and ensure
that they are aligned with strategic business objectives and
How Technology Can Help in Building a Robust
Audit Framework
Pressures are mounting on internal auditors to provide risk
assurance, and mitigate risks along with managing audit processes.
Effective use of technology can help internal auditors implement
an integrated and automated audit framework that enhances
the efficiency, effectiveness, and quality of operations. Here are
some ways in which internal auditors can leverage the use of
Plan audit tasks efficiently: Technology helps auditors to plan and
execute their audit processes through an integrated and automated
audit management system that streamlines the complete internal
audit life cycle. This simplified and integrated audit system is
based on well-defined objectives and IIA standards, thus enabling a
disciplined approach to auditing, while also ensuring compliance.
Assess audit risks: Technology enables a centralized information
model to closely map risks to auditable entities to ensure a targeted,
risk-based internal audit. Every risk is identified and quantified
which helps auditors focus on mitigating risks that have greater
impact on the organization.
Manage audit resources: Technology provides resource
management capabilities that help identify and maintain auditor
details, and allocate audit assignments to audit executives. The
time audit executives spend in auditing processes is tracked, and
the competencies of internal auditors are assessed, thus bringing
in optimal resource utilization.
Manage paper work: Technology minimizes paper work by collating
crucial information, and enabling auditors to record findings along
with detailed observations and recommendations during the audit
execution stage. This eliminates inconsistencies and errors through
standardized data collection, and provides visibility to managers
through closer tracking of each document.
Improve collaboration between auditors and auditees: Through
a transparent and integrated system, auditors can discuss issues
and risks with their team, review them, and propose an appropriate
remediation plan. Every audit process is tracked, which enables
auditors to see the progress of the tasks for multiple audits that are
assigned to the audit executives.
Quality assurance and improvement: Advanced technology
brings in a streamlined approach to both internal and external
assessments, helps plan assessments, document and identify nonconforming areas, and report risks, thus assuring risk management
and monitoring. Regulations, rules, and other important regulatory
information from external sources like the IIA are captured and
updated in the existing audit program.
Monitor and analyze audit reports: Technology enhances an
internal audit system through highly structured, powerful, and
simplified reporting and analytics for real-time visibility. Critical
information is highlighted, and insight into risk-intelligence is
provided to measure audit progress, and track audit trends.
Internal audit’s highest value to the organization may very well
be its independent vantage point from which to identify key risks,
and gauge how well the management is addressing these risks.
Given the landscape of growing regulatory pressure and dynamic
compliance expectations, internal auditors need to employ best
practices to streamline auditing processes, and deliver insights for
sustainable organizational success.
Technology needs to be utilized in the right way for an integrated,
top-down, and risk-based approach to the audit program which
brings down operational costs. Fundamentally, internal auditors
need to adopt risk-centric mindsets, and conduct the business
of audit in a risk-oriented manner, to remain key players in the
overall business of risk assurance and risk management for their
Keri Dawson - VP Industry Solutions and Advisory Services,
Dan Swanson - President and CEO, Dan Swanson & Associates
About MetricStream
MetricStream is a market leader in enterprise-wide Governance,
Risk, Compliance (GRC) and Quality Management Solutions for
global corporations. MetricStream solutions are used by leading
corporations such as UBS, Barclaycard US, P&G, Constellation
Energy, Pfizer, Philips, United Technologies Corporation, SanDisk,
Cummins, and Autogrill in diverse industries such as Financial
Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail,
CPG, Government, Hi-tech and Manufacturing to manage their risk
management programs, quality processes, regulatory and
industry-mandated compliance and corporate governance initiatives, as well
as several million compliance professionals worldwide via the www. portal. MetricStream is headquartered in
Palo Alto, California and can be reached at
[email protected]
© Copyright 2013. All Rights Reserved.