May is International Internal Audit awareness month
A changing world
ONE does not have to sit in the boardroom or occupy the CEO's chair to recognise the rapid-fire changes going on in today's business arena. News outlets regularly report on corporate scandals and frauds, privacy invasions, compromised ethics, and governance lapses. These events and the resulting laws and regulations, coupled with electronic commerce and other information technology breakthroughs; mergers, acquisitions, and other organisational restructuring; and issues related to the global marketplace all suggest that things are likely to get even more chaotic.
Thought leaders in the business community forecast still more changes and increased organisational risks:
◆ Increasing litigation, legislation, and regulations will carry important compliance implications;
◆ Information security management for critical infrastructure areas such as financial services, transportation, telecommunication, defence, utilities, and fuel will continue to require individual and collective business commitment, planning, and intervention;
◆ Continuing globalisation will increase the complexity of principles, regulations, and the cultures in which organisations operate;
◆ Ever-growing competition will put even more pressure on organizations to increase productivity;
◆ Reengineering, deregulation, and other change-related activities will break down traditional hierarchical structures and change organisational reporting relationships and management responsibilities.
Each of these phenomena suggests new demands, challenges, and opportunities for management and the board. And each one also points to the necessity for competent internal auditing.
Today, more than ever, internal auditing is critical to strong corporate governance, risk management, effective internal control, and efficient operations.
What is internal auditing?
Internal auditing is an independent, objective, assurance and consulting activity that adds value to and improves an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The internal audit activity provides assurance to management and the audit committee that risks to the organisation are understood and managed appropriately, and serves as an in-house consultant on many areas of interest.
Every organisation, regardless of its size, should have some type of internal control system or process in place. The Institute of Internal Auditors (IIA) believes that an organisation is best served by a fully resourced and professionally competent internal audit staff that provides value-added services critical to efficient and effective organisational management.
Internal audit practitioners are charged with assisting the organisation in the effective discharge of responsibilities, promoting the establishment of cost-effective controls, assessing risks, and recommending measures to mitigate those risks.
An integral part of the management team, internal auditors furnish top management with analyses, appraisals, counsel, and information on the activities they review. They also monitor organisational ethics.
Evaluating emerging technologies, analysing opportunities, assessing quality, economy, and efficiency, and providing accurate and timely communication are just some of the activities internal auditors conduct on a daily basis.
The comprehensive scope of their responsibilities provides them with a broad perspective on the organisation. And that, in turn, makes them a valuable resource to executive management and the board of directors in accomplishing overall goals and objectives, as well as strengthening internal control and governance.
This might be a lot to ask from one organisational resource, but for internal auditors — it's all in a day's work.
Internal audit in partnership with management
When internal auditing is accepted and acknowledged by an organisation's leaders as a management activity, internal auditors can fulfil their most fundamental role — supporting management and the board in achieving organisational objectives.
And competent internal audit professionals bring to the table objectivity, integrity, expertise in communication, the ability to identify enterprise wide risks, and the skill to assess the effectiveness of controls put in place by management to mitigate those risks.
As partners to management, internal auditors are positioned to help protect the organisation against both traditional and emerging risks; provide consultation about how opportunities and vulnerabilities can be balanced; and make valuable recommendations for assessing and strengthening corporate governance.
The internal auditors' broad understanding of the organisation and its culture prepares them for effectively monitoring risks associated with new business lines; mergers, acquisitions, joint ventures and other partnerships; new systems deployments; restructuring; management estimates, budgets, and forecasts; environmental issues; and regulatory compliance.
“Because we are in a dynamic environment - we've got new people, new technology, a new marketplace, new competitors, and a new regulation we need to be very vigilant about the fundamentals of this business. And that's a role corporate auditing plays . . . the ability to collect information and impart that knowledge on processes as well as control issues and to do it constantly through all of this change.
It's easy to see how incredibly important that is to the fundamental stability of this business” (BellSouth Corporation Chairman and Chief Executive Officer, Duane Ackerman).
Of increasing concern to management today are the risks associated with information technology and the control and auditability specifications of new systems. Internal auditors' independent review of information systems and other high-tech projects can help ensure a controlled and reliable IT environment.
Their consulting services add value to the decision-making process when management must consider the cost and benefit trade-off of IT control implementation.
Vital to governance
Internal auditors' diverse capabilities bring tremendous value to the board and the audit committee in their corporate governance responsibilities and risk management oversight. Today's audit committees must deal with complex and diverse issues and ever-increasing responsibilities. Audit committees are being asked to monitor such areas as: management's assessment of internal controls over financial reporting; ethical complaint hotlines; enterprise-wide risk management; and governance reviews, to name a few. It is critical, therefore, that internal auditors apply risk-based audit approaches to the organisation's internal control system and provide comprehensive reports to the audit committee.
The risk-based approach toward auditing is mandated by The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) and is the only way to ensure that the priorities of the internal audit activity are consistent with the organisation's goals. Such an approach provides internal auditors with the opportunity to become intimately knowledgeable of the organisation's risk appetite and tolerance allowing them to target high-impact areas, appropriately allocate scarce resources, and be well positioned to advise management on vulnerabilities and corrective actions.
As part of its oversight responsibilities, the audit committee should:
◆ Review and concur the chief audit executive (CAE) appointment, replacement, reassignment, and dismissal.
◆ Review/approve the internal audit charter and ensure its compatibility with that of the audit committee.
◆ Review the audit plan and any significant changes.
◆ Ensure internal auditor neutrality and objectivity.
◆ Review the internal audit department's budget and staffing.
◆ Encourage internal auditor certification and other professional development. ◆ Meet privately with the CAE. ◆ Receive reports from the CAE on audit findings and information on technological advances and trends.
◆ Review internal auditing's compliance with The IIA's Standards.
Key IIA messages on best-practice reporting relationships
◆ To ensure transparency and thwart collusion and conflicts of interests, best practice indicates that the internal audit activity should have a dual reporting relationship. The CAE should report to executive management for establishing direction, support, and administrative interface; and to the organisation's most senior oversight group — typically the audit committee — for validation, reinforcement, and accountability.
◆ The audit committee of the board of directors and the internal auditors are interdependent and should be mutually accessible, with the internal auditors providing objective opinions, information, support, and education to the audit committee; and the audit committee providing validation and oversight to the internal auditors.
◆ The internal auditors keep the audit committee informed and up to date on the state of the organisation in regard to risk, control, governance, and the coordination and effectiveness of monitoring activities.
Internal auditing: Adding value across the board
The internal audit process is clearly among the most critical as competitive pressures demand that today's organisations squeeze the most they can from all their resources. In addition to their responsibility for assessing and recommending internal controls, internal auditors' skills in risk management and their broadbased perspective of the organisation uniquely position them as a valuable resource for strong corporate governance.
As a result, informed senior managers and boards are relying on internal auditors for advice and counsel on everything from analysis of operations and assessment of risk to recommendations for improved corporate governance.
Moreover, internal audit practitioners are increasingly being challenged to apply their expertise in much broader ways than ever before — such as evaluating emerging technologies, detecting and deterring fraud, analysing the effectiveness of policies and procedures, and identifying opportunities to save you and your shareholders money.
When it comes to adding value across the board, there's no better resource than internal auditing.
The Institute of Internal Auditors Zimbabwe, was established in 1988 as an affiliate chapter to the global Institute of Internal Auditors (1941). The Institute of Internal Auditors (IIA) is the internal audit profession's global voice, recognised authority, acknowledged leader, chief advocate, and principal educator worldwide.
The IIA serves members from all around the world in internal auditing, governance, internal control, IT auditing, education, and security.
The world's leader in certification, education, research, and technological guidance for the profession, The Institute sets the International Standards for the Professional Practice of Internal Auditing and provides various levels of accompanying guidance; certifies professionals through the globally recognised Certified Internal Auditor (CIA) and specialty certifications in government, control self-assessment, and financial services; presents leading-edge conferences, seminars for professional development; produces forward-looking educational products; offers quality assurance reviews, benchmarking, and consulting services; and creates growth and networking opportunities for specialty groups.
In support of quality, professionalism, and ethical practices, the Institute provides internal audit practitioners, executive management, boards of directors, and audit committees with guidance for internal auditing and governance best practices.
IIA Zimbabwe is dedicated to providing extensive support and services to its members, so they can continue to add value across the board.