Editor’s Note: This is part five of a six-part series on the Internal Audit Value Chain, which can act as a blueprint for building a successful internal audit function. Click here for the other articles in the series.
One of the biggest myths about internal auditors is that they are mostly accountants by trade. As most of us know, internal auditors increasingly come from many different backgrounds, including technology, operations, risk management, and other disciplines. And a CPA designation is no longer a requirement to be an internal auditor.
While the emergence of these new well-rounded internal auditors is a welcome development—as internal audit moves to audit non-traditional areas like culture, marketing, human resources, and other areas—it doesn’t mean that financial management is no longer a critical area in need of internal audit oversight. On the contrary, improving financial management and governance is as important as it has ever been. So, while internal auditors are encouraged to develop a wide array of skills to support business units and add value, they aren’t off the hook on building their knowledge of sound financial management principles and practices as well.
Another myth is that while technology and innovation are transforming nearly every facet of the organization, finance and accounting fundamentals and reporting requirements haven’t changed much in recent years. That view is inaccurate too. Financial management is undergoing the same radical transformation as many other corporate functions and maybe even more so. The tools, processes, and expectations have shifted with the emergence of fintech, block-chain, Big Data, and a slew of other innovations.
So, even at a time when internal audit is diversifying outside of its traditional financial reporting and accounting roots, it still needs to excel at providing assurance over this critical and fast-changing area. What’s more, internal audit needs to keep up with the latest innovations while still adhering to core standards—including the Institute of Internal Audit’s (IIA) International Standards for the Professional Practice of Internal Auditing—as well as accounting fundamentals and applicable rules. Meeting these demands is a tall order, indeed.
The Internal Audit Value Chain
It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization. In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” we defined the Internal Audit Value Chain (IAVC) and its key components. The IAVC includes “enterprise-wide initiatives impacting functional areas across every organization, involving a combination of people, processes, technology, and ‘tone at the top’ to drive the accomplishment of goals and improve profitability.” Internal audit’s role in the value chain requires understanding the organization’s: (1) strategic direction, (2) risk management and monitoring, (3) operational efficiencies, (4) quality and compliance, (5) financial management and reporting, and (6) responsiveness to customer and regulatory needs to create value.
This part five installment addresses financial management and governance as a critical means for internal audit to create value by helping business units, management, and other stakeholders sustain or achieve improvements in financial reporting, accounting, financing, investment, and other financial processes. It does this by evaluating the effectiveness of financial management, identifying root causes of financial management problems, ensuring monitoring systems and controls are functioning correctly, and other work outlined below.
Changing Environment
How can internal audit assist management and stakeholders throughout the organization to continuously improve accounting, financial reporting, audit, and governance initiatives?
First, it is essential for internal audit to apply standards using a modernized approach, while adapting to the dynamic business environment. In other words, it needs to embrace change. Second, internal audit should go beyond the limits of financial reporting and accounting policies, procedures, and internal controls to find solutions to assist management. We are not suggesting internal audit should not adhere to standards, regulations, and policies, but challenging the status-quo and creating sustainable value also requires a different way of thinking.
For this to happen, the business-as-usual mindset within the internal audit function needs to change. If management and the CFO are moving the organization in the right direction and at a fast pace, internal audit cannot afford to lag. It also can’t pursue innovation if it doesn’t first have a solid foundation in place and functioning well. For internal audit to improve financial management and governance, the chief audit executive (CAE) needs to develop and implement a framework to continuously evaluate progress on the following goals:
- Alignment of the enterprise-wide mission and objectives with operations and strategy;
- The identification and understanding of the macro and micro risks impacting the organization;
- The identification of opportunities for operational improvements;
- Evaluation of quality initiatives and compliance effectiveness; and
- The assessment of vulnerabilities in critical systems and technologies used within the organization.
An IIA article, “Optimizing Internal Audit,” emphasizes that internal audit should leverage its knowledge of the organization’s strategic alignment, customer needs, mission, risks, compliance requirements, and operations to collaborate with functional managers, including the CFO, to improve financial management and governance.
Internal audit also needs to understand how the CFO role within their organizations is evolving and what additional changes are required. A recent research report from Accenture, titled “From Bottom Line to Front Line,” showed how CFOs have stepped out from the confines of their roles to become innovators and disrupters in their businesses. They are doing this by leveraging new technology and exploiting data and they are creating value in the process. The report concluded finance departments must overcome significant challenges to play a broader role driven by five forces:
- Increased expectations: boards, CEOs, and the overall organization expect and need more from the CFO.
- The pace of change keeps accelerating.
- The pressure to show growth and profits is constant.
- An explosion in the availability of data and data analysis tools requires both increased focus and new capabilities.
- Regulation and consumer expectations have expanded control and compliance requirements.
Eight Steps to Improving Financial Management and Governance
There are eight primary steps internal audit teams can apply throughout an organization in collaboration with other stakeholders to create and sustain value by improving financial management and governance. They include:
1 Validate an Appropriate Tone
To improve financial management and governance, internal audit needs to understand the critical accounting, financial reporting, and audit objectives driving the organization. Internal audit should perform reviews and assessments to evaluate appropriate tone and culture at the departmental levels across key locations and see how outcomes align with the entity-level controls. Culture audits, or building culture assessments into other types of audits, can go a long way to providing management with insights on the tone that is actually being communicated throughout the organization, including tone at the top, middle, and bottom.
The appropriate financial management tone must also fit the sector (public, private, non-profit, or hybrid) that the organization operates in. Finding any modern business or government agency that perfectly fits the traditional definition of the private sector, public sector, or nonprofit organization is challenging. The increasing number of hybrid organizations (a mixture of financial management objectives from public and nonprofit sectors) points to the evolving nature of financial management priorities across traditional sectors.
These changes are being driven by changing customer or taxpayer behaviors and expectations. Some private sector companies, for example, are becoming more conscious of the moral, social, and environmental impacts of the decisions they make, while some public sector organizations and government agencies want to apply financial management best-practices from private sector organizations. Such variables impact the tone and culture, which directly impacts financial management and governance decisions.
Getting tone and culture right, particularly in regard to sound, ethical financial management, have become one of the top priorities of many organizations and internal audit can play a pivotal role in getting there.
2 Assess Internal Controls
Is the reliance on poor financial management internal controls worse than not having any controls? Is the reliance on outdated financial management and governance policies and procedures worse than not having any documented policies and procedures? These are questions internal audit should be asking, relevant to their respective environments, and also communicating the consequences if not resolved.
New technologies and processes introduce risks and affect controls. Internal audit must think through unintended consequences and understand the impact of innovations, so they can ensure that they don’t create unmitigated risks and control weaknesses. Transformation presents unique risks and challenges. That means internal audit should apply the right methodologies for performing risk assessments and testing the design and effectiveness of critical financial management internal controls.
While speed is imperative, transformation and innovation must also be done smartly and with assurances that risks are identified and mitigated by internal controls that are in place and operating effectively.
The presence of “activist investors” and their short-term focus on increasing shareholder value can also create immense risks directly affecting controls, tone, and culture. According to the Global Risk Insights publication, “Activist Investors: More Harm than Good,” these investors usually take their ideas directly to the board and senior management, advocating immediate change. Conflicts occur when management makes wrong decisions to satisfy the requests of influential investors. Internal audit should be on high alert in activist investor situations to spot these disruptions and potential conflicts.
3 Perform Fraud Risk Assessments
Fraud risks and vulnerabilities evolve as functional managers, including CFOs, serve as innovators and disruptors in their businesses. This is further complicated by expectations from stakeholders. Increased expectations accelerate the pace of change, driving the need for business transformation often with unrealistic timelines, increased burden to show growth and profits, and significant reliance on technology and automation. These factors all increase the risk of fraud and internal audit should be on high alert to ensure that these risks are mitigated.
Technology can also be a double-edged sword when it comes to fraud. Advanced analytics tools, for example, provide great assistance in flagging potential fraudulent transactions. But fraudsters can also manipulate them by, for example, finding out the threshold where transactions will be investigated and remaining just under it. Fraudsters can also use technology to commit or hide fraud when they understand it better than the managers who are on the lookout for wrongdoing.
4 Improve Financial Management Processes and Systems
Business disruptions during the past decade demonstrate that there are no boundaries to the speed and extent of change. Businesses must continuously improve financial management processes to deliver on customer expectations and produce profits. Technological innovations and increasing use of mobile applications, for example, have transformed the global banking sector. This has forced traditional banks to modernize business practices to deliver superior customer experiences.
And by many accounts, we are just getting started. According to the Deloitte Crunch Time 2025: Finance report, as finance cycles go real time, periodic reporting will no longer drive operations and decision making, and traditional cycles will become less relevant.
A separate report by Accenture on CFOs identified three pivotal themes in the evolution of the finance function:
- Digitizing finance and harnessing the power of data: CFOs continue to automate routine accounting, control, and compliance tasks.
- Leading digitalization efforts: CFOs play a critical role in the digitalization of their enterprises, with most starting in their own departments.
- Developing future finance talent: CFOs need to shift their hiring and talent development criteria so the next generation of finance leaders can flourish in this expanded role.
In part four of the IAVC – How Internal Audit Can Add Value by Pursuing Efficiencies, we concluded that there is no corporate function more equipped to weed out operational inefficiency than internal audit. Internal auditors have the skills to assess processes expertly, the knowledge of the business to understand how things fit together, the distance to evaluate problems with an open mind, and the discipline to make recommendations in a thoughtful, organized way. Certainly, this applied to financial processes and systems as well.
5 Develop a Framework to Remediate Findings
Internal audit should develop a framework to track the appropriate and timely remediation of audit findings that impact financial management. This should include assistance in implementing suitable financial management controls and training for management, staff, and stakeholders. There should also be a process in place to elevate significant findings that are repeatedly ignored and go unaddressed.
6 Perform Risk and Control Self Assessments (RCSAs)
If functional managers, including CFOs, are to serve as innovators and disruptors, internal audit should assist them in prioritizing risks and controls. This enables executive management to concentrate on the high-risk issues, while their staff assesses moderate and low-level risks. To address moderate and low-level risks, internal audit can collaborate with stakeholders to establish and monitor a process to perform Risk and Control Self Assessments (RCSAs).
According to the Institute of Operational Risk (IOR), the recommended minimum frequency of conducting an RCSA is once a year, although twice a year or even more often may be appropriate depending on the compliance objectives. Timing and regularity should be determined by the purpose of the RCSA and any co-dependencies, such as SOX or other applicable regulatory reporting requirements. According to IOR, there should also be a mechanism in place for targeted ad-hoc assessments, if there is a significant change in the perceived risk profile. A significant change could result, for example, from a change in the internal or external operating environment, or the introduction of new business activities or new products, says IOR.
7 Monitor Regulatory Changes
Internal audit should collaborate with management to monitor and address financial reporting, accounting, and regulatory changes and ensure ongoing compliance. Internal audit should facilitate training to staff and stakeholders on the constant changes to compliance and accounting. This requires cross-functional collaboration between operations, compliance, legal, accounting and financial reporting, tax, internal audit, and other functions.
8Develop and Implement KPIs and Metrics
A natural by-product as internal audit interacts with functional managers is knowledge of appropriate accounting and financial management Key Performance Indicators (KPIs) and metrics including use of proper visualization tools. As part of the RCSAs, internal audit can track how management implements and monitors KPIs and other metrics and recommend changes. Once the system of metrics is agreed upon and developed, there should be a continuous monitoring system to track such metrics. There should also be periodic reviews to assess the KPIs and metrics in place to assure that new metrics or assessment criteria aren’t needed. An analysis should also be completed to ensure that compensation structures built on certain metrics and measures don’t result in unintended consequences.
“Ch-Ch-Ch Changes”
Certainly, this is not an exhaustive list of the steps internal audit can take to add value by helping to improve financial management and governance, but they will go a long way to putting it on track. The common theme here is that—to use a well-worn adage—the only constant is change. Internal audit functions that reorganize to be in a perpetual state of change management will be the ones that succeed in adding value. And if you think we’ve already gone through too much transformation, buckle up, it’s about to go faster. 
Let’s hear from you. Please provide your thoughts or feedback on the comments section below!
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a consulting firm providing audit, governance, risk, and compliance solutions to federal government agencies, private-sector companies, and not-for-profit organizations.
Jacqueline Butler, CISA, CRISC, is a director at Synergy Integration Advisors.
Very elaborate points and eye opener appreciate even more on the subject audit and risk management, can be reached through email given below.
Very well elaborated and clear to the point for easier understanding