With increasing regulatory requirements and corporate governance rules, the internal audit function is expected to be more than just an assurance provider. According to the IIA, internal audit is an assurance-cum-consulting activity, with the privilege of reporting directly to the ‘Board Audit Committee’. However, reporting directly to the ‘Audit Committee’ does not diminish the importance of the expectations of other stakeholders. Even an ideally independent IA department (an IA department with zero dominance from management) needs to prove and quantify the ‘Business Value Addition’ it has provided over time to deserve an influential position in an organization.
A recent report (2017) by PwC concluded that only 44% (54% in 2016) of internal stakeholders consider that internal audit adds significant value to their organization, the lowest figure in the last 5 years. The report goes on to discuss the reasons for the increased dissatisfaction and the remedial actions required to meet stakeholders’ expectations.
A rapid shift in technology, along with increased uncertainty in the business environment, requires auditors to be more tech-savvy, agile and dynamic in their approach to auditing. This means that moving from a ‘checklist-based audit’ to a more effective ‘Risk Based Internal Audit’ is not a choice anymore; it is a need. Risk-based internal audit is not a new concept; however, its effective application is still limited. To support this hypothesis, let’s have a look at the popularity of some common ‘Internal Audit’ terms according to ‘Google Trends’. (Google Trends shows how often a particular search term is entered relative to the total search volume across various regions of the world.)
The popularity of the term ‘Risk Management’ has declined by more than 50% from 2004 to present.
In contrast, the popularity of terms such as ‘Checklist for internal audit’, ‘Internal Audit checklist’, ‘Audit checklist template’, and ‘internal audit template’ has increased from 2004 to present, as shown in the graph below.
More interestingly, these terms are mostly searched from India and Pakistan. In fact, 90% of the searches for these terms come from India and Pakistan collectively.
Obviously, the above analysis is not conclusive in any way. But it provides an insight into the trend followed by the majority of internal audit professionals, and it probably explains the increased dissatisfaction of stakeholders with the ‘Internal Audit’ department.
By definition, the internal audit department is not responsible for developing an ERM (Enterprise Risk Management) system. It is the responsibility of management to identify and minimize risks to its operations, property, shareholders, and employees, while internal audit is responsible for providing assurance on the ‘Risk Management’ mechanism and its effective implementation. However, in order to provide ‘Business Value Addition’, the audit planning process must incorporate a thorough risk assessment exercise. ‘Internal Audit’ professionals must have the skillset to use the tools and techniques of ‘Risk Management’ in order to conduct an effective audit. A rusty internal audit function that depends on the old checklist-based approach will provide no value addition to an organization.
Professionals need to evaluate their audit approach and take the necessary actions to align it more closely with business needs and challenges without compromising their independence.
I would like to hear opinions from my colleagues and seniors on how this can be achieved.