Bringing internal audit back from the brink…
- Published: Friday, 27 May 2016 08:43
As organizations undergo rapid changes, audit departments are increasingly under pressure. Nick Rafferty explores how organizations can adopt a more efficient and agile approach to managing their ever-growing array of audits.
If a single word could be used to summarise the challenges facing today’s audit departments, it would be ‘change’. Those departments are in a state of constant transformation, being asked to perform more audits than ever before, and to look at areas including IT, operations, quality assurance and third parties. They are also being asked to provide assurance on business operations and risk management, to evaluate compliance, and to advise the organization, all with limited audit resources. Meanwhile, the wider legislative and regulatory landscapes are growing ever more complex, forcing audit teams to add more tasks to their workload.
As a result, audit teams are under greater pressure than ever before: and yet too many of them are still managing their processes in ways that simply don’t make sense, using manual documents, spreadsheets and email chains. This way of working was already cumbersome a few years ago, but as audit’s responsibilities become broader and more complex, it has become unsustainable.
Now, therefore, more than ever, it’s vital that organizations take an agile approach to internal audit management that is fully scalable and flexible, enables accurate and comprehensive recording and reporting and, ultimately, will support the business now and into the future.
An agile approach to audit management must respond to multiple strategic and operational challenges. From a strategic perspective, it must clearly align with the overall business direction and structure, and have senior management buy-in from the start. Too many audit programmes fail because they are treated as ‘add-ons’, rather than an integral part of overall business aims and objectives, or because the audit department is viewed as the ‘police’ of the organization, rather than a critical driver of good practice and growth.
Then, from an operational perspective, the approach to audit management must have a clear focus. There is such a huge volume of information and elements that could be covered, and so it’s extremely easy for audit programmes to lose focus and cover too much, too thinly. Various disparate sources of information, including risk, compliance and policy performance must be united in a clear and consistent way. Furthermore, clear KPIs are essential if the audit department is to demonstrate its business benefits and, as outlined above, move from being seen as the organization’s police to being a trusted, integral arm.
These, then, are the principles of an agile approach. So how are these developed into the components of an agile audit management programme?
Across the audit universe
The scale and content of each of these components will vary between businesses. However, the basic parts are universal. These are:
- The organization’s ‘audit universe’ – a central log of all potential audit areas and relative risk ratings.
- A set of plans, detailing which elements from the audit universe will be included in the scope of the plans for a given period.
- A set of papers, including research work papers that set out what needs testing; planning work papers that communicate with the business about time and resource; and testing work papers that explain how each function is to be tested.
- Reporting back to the business the results of each audit and the follow-up activities that have been recommended.
- Resource planning documents and tools, which outline how long each audit should take, who should be involved and how much it will cost. These tools are also used for cost-benefit analyses.
Crucially, these components should be built into an information and technology audit management architecture, rather than created and managed using disparate, manual processes. Individual spreadsheets and documents are cumbersome, difficult to manage and very inflexible. A single unified architecture ensures that no information is lost, that a consistent reporting style is in place across the entire organization, and that the audit function can grow as the business does. It also helps organizations to access and use cross-department and cross-function information, to make audits easier, streamlined and more focussed.
The most successful audit programmes integrate and leverage all the necessary information from all corners of the business, and are also highly targeted in terms of responding to any issues that are identified during normal business operations. Whether these are realised risks, control failures or other incidents, successful audit programmes respond to them quickly and precisely. Then, closed-loop follow up tracking ensures that any issues are actually followed through to resolution.
Fundamentally, audits are not linear projects, processes with beginnings, middles and ends. Viewing them this way is a hangover from the days of ‘audit seasons’ – specific points throughout the year when audits took place, in order to meet particular standards or certifications. Today, audits need to be treated as part of a continuous improvement programme, where feedback is garnered from the business after each audit exercise to feed into future activity, and findings from each exercise are also turned into concrete business adjustments. Audit response should be cyclical, not linear.
By following this approach, and using the components I outlined earlier, organizations of all shapes and sizes can move to treating audits as an integral part of their day-to-day operations, not an add-on that buckles under the pressure of business growth. This way, the single word that can be used to summarise audit programmes is ‘successful’.
Nick Rafferty is COO of SureCloud