To Move Ahead, Internal Audit Should Get Back to Basics

GUEST BLOG POST
With the increased focus on adding value and using more technology in internal audits, the lines have been blurred somewhat on the role internal audit should play in the organization. Internal audit functions are undertaking a wide variety of tasks and spreading themselves thin as they try to serve many, sometimes competing, interests. The to-do list is getting longer, but the resources to complete it aren’t increasing.

Given this challenge, now might be a good time for internal auditors to get back to basics. They must assess their primary roles and build future progress on a strengthened foundation.

As a starting point, we can all agree that the primary responsibility of internal audit is to provide assurance on the effectiveness of the internal control system to the board of directors, audit committee, and executive management. It must also evaluate and suggest improvements to the risk management and governance systems in the organization. Furthermore, internal audit should provide advisory services that are targeted to enhance value creating activities.

This assurance responsibility is considered the core reason for establishing most internal audit departments worldwide, and internal auditors are usually well-equipped to provide such service to the organization’s governing bodies. Traditionally, internal audit’s value is derived mainly from the assurance services, given the inability or unwillingness of some internal audit functions to add value through advisory and consulting services.

Critical Questions for Internal Audit
Internal auditors should ask themselves critical questions to assess what kind of assurance they are providing and whether it is something that internal audit’s stakeholders value:

• What are the assurance needs of the board of directors and it’s audit committee?
• What are the conclusions or summaries they want to hear about the internal control environment?
• Are they satisfied with the level of assurance provided to them through the internal audit reports?
• Do internal auditors consider the bigger picture and address what matters the most to the governing body?
• Does the internal audit department have a clear strategy and vision that address the stakeholder needs with a clear roadmap to achieving it?
• Do internal auditors communicate a clear and comprehensive story about the internal control environment in the organization?

There is a big gap between what internal auditors believe they are achieving and what they are actually achieving or how the governing body perceives that work. According to a PWC internal audit survey from 2019, only 16 percent of internal audit functions operated as “trusted advisors” to their key stakeholders. Most internal audit departments have limited capacity in terms of resources and audit universe coverage. Simultaneously, the board and audit committee members need independent and objective assurance over the organization’s internal control, risk management and governance systems. Many internal audit functions worldwide fail to satisfy this need due to the following reasons:

• Internal audit coverage is limited to too few areas that do not provide satisfactory conclusions on the overall audit universe and the internal control system’s effectiveness.
• The provided assurance is not linked to the organizations’ strategic objectives and, therefore, does not address the governing body’s primary concern, which is achieving those objectives.
• Internal auditors provide assurance on the exceptions (negative observations) only and do not usually communicate the positive aspects of the internal control and governance environment.
• Many internal audit reports do not provide positive assurance and lack an overall opinion on the controls’ design and operating effectiveness in the areas under review, which creates ambiguity on whether the audit objectives were achieved and on the results achieved by auditing that area.

What Are the Consequences?
The points mentioned above can result in declining confidence in internal audit’s work, and ultimately, boards and audit committees will develop negative perceptions about internal audit’s role over time. According to the results of a Deloitte survey of audit committee chairs and members conducted last year, more than one-third of respondents said internal audit is not as impactful as it could be. Accordingly, internal audit should not be satisfied with its current role and should not expect to have any crucial influence in the organization or present itself as a strategic partner to the board and senior management unless it can change this perception.

Over time, such practices have adversely impacted the profession, especially in organizations where the internal audit advisory and consultancy mentality is not practiced. The severity of the adverse impact is less in regulated industries where establishing internal audit functions is required by law. Generally, the role and importance of internal audit diminished in other industries due to how internal auditors fulfill their responsibilities, which often seems to lack strategic planning and proper understanding of stakeholders’ needs.

So, What Should Be Done?
So how can internal audit bridge this divide? The starting point would be to understand stakeholders’ expectations and produce a detailed internal audit strategy that connects the way the function operates with those expectations. The chief audit executive should be strategic in his or her thinking and prioritize activities to achieve more comprehensive assurance. Secondly, a proper linkage between the internal audit plan and organizational objectives should be in place to increase the assurance activities’ importance and show the audit work’s relevance. Such linkage requires the CAE to be at a high level of business acumen and communication to identify the critical risk areas and link assurance activities to the organization’s objectives.

The audit committee has a central role in communicating its expectations to the CAE and reviewing and approving the internal audit strategy. The assurance requirements should be clearly communicated through an open discussion between the board and audit committee and the CAE, with input from other stakeholders. Moreover, internal auditors should implement some techniques that widen their assurance capabilities and provide necessary conclusions to key decision-makers. Although resource availability is one of the main concerns, the CAE must be smart in selecting what can be done to achieve the assurance objectives. At the same time, internal auditors should coordinate efforts with internal and external assurance providers to deliver impactful results and satisfy the assurance role requirements comprehensively with the support of technology.

As internal auditors still come largely from financial backgrounds, they tend to focus more on the financial-related areas where they are more comfortable providing assurance. Many auditors avoid audits covering operational areas, which are usually the core risk areas of any organization. Thus, the importance of a robust combined assurance methodology that can solve vital issues and avoid spending huge budgets that are not accessible to many internal audit departments. The combined assurance is not a new concept; however, it is rarely implemented correctly, and organizations forfeit great benefits by not implementing it. Internal audit departments can use different variations of the combined assurance model based on the industry and maturity of the organization, including:

• Joint audits
• Coordinated activities
• Integrated reporting
• Assurance map

Finally, providing comprehensive assurance requires telling a complete story to the stakeholders and not only one side. It is not acceptable or reasonable to communicate the exceptions or the negative side and ignore the internal control environment’s healthy or positive aspects. The same should happen in internal audit reports, where internal auditors need to tell a full story that describes the internal control environment, highlights the positive side in the implemented controls, and highlights the gaps or improvement areas in the internal control system. Internal auditors tend to highlight the negative side only and usually avoid any comments on the internal controls system using unacceptable justifications, such as we are not qualified to evaluate the positive side. In my opinion, the person who is tasked to highlight the negative side should be qualified by default to highlight the positive side as well.

To look deeper into these ideas, I recently conducted an informal poll on social media regarding internal auditors’ perceptions of the assurance requirements. More than 250 participants answered the following question:

“In your opinion, what should the internal audit report include to provide the required assurance to the board and audit committee?”

The results confirmed the outcomes of other studies and were in line with expectations. More than a quarter (28 percent) of the participants do not provide any risk rating or positive assurance in the internal audit reports they issue. More than a third (36 percent) of participants say they include a risk rating for the report, and only 36 percent provide a positive assurance or an overall opinion on the design and operating effectiveness of the internal control system under review.

Limiting IIA Standards
During a recent conversation with an audit client (as part of my Knowledge Sharing sessions of online interviews with those in the internal audit profession), the individual raised a valid point that could discourage management efforts to build a robust internal control system and impair the image of the internal audit function: The point is related to the rating that some internal auditors use in the reports, which provide a misleading or negative message even if the control environment is robust. The example he gave is related to a rating system that gives a “satisfactory” rating as the internal audit report’s highest rating even if the internal controls are exceptionally well designed and implemented.

I wondered why internal auditors are not more generous in their assessments and why they tend not to highlight the internal control system’s positive aspects. I only realized the answer when I read one of the standards in the Institute of Internal Auditors’ Professional Practice Standards, IIA Standard 2400, which states: “Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications [emphasis added].”

Unfortunately, the standards used the word “satisfactory” to refer to the best practices in internal controls and made it optional for internal auditors to highlight the positive aspects in communicating internal audit results. However, the Standard stated clearly that: “The final communication of engagement results must (where appropriate) contain the internal auditor’s overall opinion and/or conclusion that take into account the strategies, objectives, and risks of the organization; and the expectations of senior management, the board, and other stakeholders.”

Ears Wide Open
Many internal audit reports fail to provide useful conclusions in assessing the controls and lack an overall opinion on the controls’ design and operating effectiveness in the areas under review. Such omissions create ambiguity on the objectives achieved by auditing that area. Even in internal audit reports that provide positive assurance, structural issues still exist in how the assurance message is communicated to audit clients and stakeholders.

Internal auditors should listen more often to their clients and understand their concerns. There is no harm in giving credit to the best performers and the process owners who consistently implement strong internal control measures and comply with them. Furthermore, internal audit reports should always focus on the key organizational objectives and provide explicit positive assurance on the internal control system’s effectiveness under review. Such assurance can be provided by having an individual risk rating of each observation or improvement area and having a “micro” report rating based on defined reasonable criteria that can categorize the report into different levels such as (effective, effective with opportunity for improvement, needs improvement, ineffective).

At that point only, we can start talking about the role of the internal audit function in providing a “macro opinion” on the overall adequacy of governance, risk management, and control within the organization on an annual basis which is being increasingly required by the board, management, and other stakeholders. Internal auditors can then demand a broader role based on the success of their core assurance services.

In other words, improving the basics will enable the internal audit function to move forward and take on added, value enhancing responsibilities.  

Ehab Saif, CMA, CIA, CFE, is a specialist in internal audit, risk management, and governance, based in Abu Dhabi, United Arab Emirates.