So what are the biggest risks for internal auditors in 2018? Here are eight things for you to consider.
If internal audit continues to audit risks to processes and business units rather than risks to the achievement of enterprise objectives, it will remain a staff function that costs money rather than delivers critical value. If you want audit what matters.
The traditional way of communicating audit results is a formal written report issued weeks if not months after issues are identified. The report says what internal audit wants to say rather than what management and the board need to know. We need to deliver the information leadership needs, when they need it, in an easy-toconsume and actionable form. There should be more talking and less writing.
If you don’t have the ability to modify the audit plan rapidly and frequently, what assurance is there that you are auditing what matters today and tomorrow? Can you provide the information management needs in time to affect their decisions?
Some internal audit departments shy away from sources of risk because they claim they don’t have the ability to audit them. The response to this is that if they are important to the organization, you have to find a way.
We may start each audit with a focus on enterprise risks that matter. But the work often extends to include risks of concern to local management — or the internal audit staff. Extending the audit work has a cost: the opportunity to perform another audit, one that is focused on another enterprise risk.
The core principles for internal auditing talk about being forward-looking for a reason. Richard Chambers, president of the Institute of Internal Auditors (IIA) talks about foresight versus hindsight, and I talk about auditing forward. The challenges for the organization in the current and future periods should be where we spend our time, assess related controls, and share our insights. Telling people what they did wrong in the past only has value it if is relevant to how they will do things in the future.
Hiring, retaining and getting the most out of personnel is not only an issue for the organization as a whole, it is always an issue for internal audit. If CAEs fail to pay attention, fail to be effective leaders and managers of their own team, the quality of work will suffer — and the value of internal audit will decline along with it.
If management does not believe we are helping them succeed, why should they support us? One area to focus on is the percentage of internal audit ‘findings’ and recommendations that are embraced and implemented by management. Some internal auditors blame management when their recommendations are not acted on promptly, when perhaps they should be questioning whether their recommendations were the right ones. Auditors need to actively listen to ensure they understand management’s perspective and whether suggested corrective actions make business sense. They also need to ensure that they have communicated their concerns effectively. Putting issues in writing is not the same as being persuasive.
Pengarang : Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management.
Tarikh Input: 28/02/2018 | Kemaskini: 22/01/2019 | faiz_suparman
Blok F, Bangunan Sekolah Perniagaan dan Ekonomi(SPE),
Jalan Persiaran Tulang Daing,
Universiti Putra Malaysia,