Is Your Internal Audit Fit for the Future? (iNugget Issue Aug 4-15, 2014)



Corporate scandals, compliance violations, and large scale fraud have plagued many iconic brands in the last decade. These incidents have been instrumental in creating new challenges and issues for Internal Audit (IA). What needs to be done? This is the question facing many internal audit professionals, as they try to navigate these ever evolving challenges. Long viewed as an extension of the regulatory compliance function, internal audit is now rapidly acquiring importance as a strategic partner, and therefore requires a redefined role and perspective.

In a volatile business environment and an ever-changing risk landscape, internal auditors have to be like FBI profilers to effectively execute their responsibilities. They need to focus on being value-oriented, risk aware, and successfully articulate their strategic contributions to senior leadership. The Institute of Internal Auditors (IIA) supports this view by emphasizing an expansive role for internal audit, encompassing all the core aspects of compliance, ethics, and governance [1].

INTERNAL AUDIT’S ROADMAP TO A MORE STRATEGIC ROLE

Today, internal auditors have the opportunity to move away from a traditional role to a more transformational role where they can contribute to an organization’s performance and growth. But to do that, they need to focus on certain key areas:

Have a Strong Grasp of Corporate Risk Strategies

Internal auditors need to have a comprehensive understanding of corporate risk strategies and their overall impact on the organization. This will enable them to conduct effective risk assessments, ensure process effectiveness, and sharpen the Enterprise Risk Management (ERM) program. However, understanding risk management requires obtaining the participation and cooperation of the management team, as well as individual process owners of different functions across the organization.

Through a holistic approach, internal auditors must provide meaningful inputs on risk to leadership and the board. Often, auditors lose sight of the bigger picture while dealing with the daily details of executing the audit plan and gathering and documenting information. They must be able to avoid this hurdle by focusing on substance rather than form.

Thoroughly Understand Complex Financial Disclosures

Internal auditors need to display a keen interest and expertise in financial statements and disclosures. A thorough reading of these disclosures will help internal auditors understand the audit scope, and identify if the risks outlined in the audit plan or the enterprise risk assessment are tied to the risks that senior leadership is focused on and disclosed in financial statements.

At the same time, internal auditors have to move beyond Sarbanes-Oxley (SOX), by concentrating not just on simple compliance but on improving governance and controls. They must also be strong partners in investigating and integrating ERM into the everyday processes and operations of the company.

Manage the Onslaught of Legislation

SOX, the Dodd-Frank Act, and the Foreign Corrupt Practices Act (FCPA) are just a few key regulations that internal auditors have had to monitor compliance with in the last decade. It is imperative for auditors to maintain an appropriate inventory of legislative requirements pertaining to their organization and industry. This way, they can ensure consistent compliance with all regulations, and safeguard organizational profits, bottom lines, reputation, and brand value.

Internal auditors have a pivotal role to play in sensitizing management to emerging compliance risks and issues, as well as the controls needed to mitigate them. However, collecting and quantifying accurate data on these risks and issues, and promptly relaying them to management can be challenging. There must be proper tools to enable a risk-based approach wherein internal auditors can quickly determine and prioritize which compliance risks, controls, and violations need to be elevated to be addressed by management.

INSIGHT

Transform the function into a strategic part of your organization through a systematic make-over

IA’s Role at a Glance

A future-oriented internal audit function needs to be equipped with the following capabilities:

• Have a strong grasp of corporate risk strategies
• Be able to determine risk tolerance
• Thoroughly understand complex financial disclosures
• Manage the onslaught of legislation
• Keep a tab on fraud
• Be a part of corporate governance


A good internal audit function thus takes a pro-active stand to smoothly navigate and mitigate the risks in the organization, and ensure complete compliance with industry standards and regulations.

Determine Risk Tolerance for Internal Audit

Historically, certain industries, such as healthcare, energy and utilities, biotech and life sciences, are extremely compliance-oriented, and intolerant of violations. With the increasing level of regulatory pressure, most industries have increased, and are rapidly increasing, their focus on risk and compliance. Depending on one’s industry or organizational philosophy, management must establish the right corporate risk tolerance. Similarly, the internal audit function must set in place an appropriate risk tolerance framework.

Determining risk tolerance is a key component of having a good risk-based auditing function. It helps the organization overcome the “so what!” syndrome, and put more focus and importance on intelligently managing risks. The internal audit function must support this endeavor by effectively assessing and quantifying risk in meaningful terms.

Keep a Tab on Fraud

Fraud is one of the topmost problems plaguing the business community. In many cases, perpetrators of fraud are well-respected, long-time insiders in an organization, who know the processes and control systems, as well as the control gaps in the systems.

To prevent fraud, internal auditors must understand the nuances of fraud. They must continuously monitor and track the audit trail to identify suspicious elements, and quickly report red flags to the management. In addition, a forward-looking perspective is becoming more important, with an eye to preventing fraud before it occurs.

Internal auditors can also help in facilitating fraud awareness in the organization, and actively participating in the investigation of any fraud case through robust and streamlined survey management processes, interviews, and tracking and documentation processes. Auditors also need to have a way of maintaining a chain of evidence, managing record keeping, and enabling real-time reporting.

Be a Part of Corporate Governance

Corporate governance is traditionally seen as the responsibility of the legal counsel or corporate compliance officer. Hence, it’s harder for the internal audit function to prove its value in this area. However, as per IIA standards, internal auditors must participate in the organization’s governance structure. They should establish a way to engage with the board and the various executive committees, examine legal and regulatory issues, assist in business practice evaluation, and enhance risk management efficiency by effectively prioritizing and interpreting risks. Auditors must also emphasize the importance of doing away with cumbersome risk management silos.

Another important component of corporate governance is the review and monitoring of communication processes. The audit group must have the acumen to critically evaluate the governance charters in an organization, and determine if they meet the expectations of the Securities and Exchange Commission (SEC) and listing company requirements.

TOWARDS AN EFFICIENT IA APPROACH

A robust, relevant, and efficient approach to auditing can help the internal audit group drive value for the organization, and play a key role in strategic initiatives. Such an approach should comprise efficient internal audit tools, and a strong and disciplined audit methodology that integrates audit planning and scheduling.

It is also important to implement systematic and workflow-driven audit processes that can enable an organization to derive more value from internal auditing. Audit errors and inconsistencies can be eliminated by establishing standardized data collection methods. Proper tracking of audit recommendations and their implementation is also an imperative part of the process.

INSIGHT

Key Skills for Internal Auditors

If internal auditors aspire to gain a seat at the executive table alongside the management team, they need to have a few vital skills:

• Strong leadership knowledge and capabilities
• A good knowledge of the organization
• Thorough grasp of IIA standards
• Effective communication with the board
• Risk management expertise
• Mastery over IA procedures
• Ability to evaluate and help prevent fraud
• Knowledge of the latest information technology & infrastructure
• A pro-active approach rather than a reactive approach to internal auditing


INSIGHT

Other salient features of a progressive internal audit approach include:

• Conformity in audit plans and checklists
• Continuous auditing with a disciplined framework
• Strong risk-assessment methodologies
• Access to critical financial data and metrics
• Understanding of data relationships
• Sufficient time for analysis of data
• Appropriate information technology resources

ACCELERATE IA PROCESSES WITH ADVANCED TECHNOLOGY

A technologically capable audit infrastructure can enable internal auditors to streamline and automate audit processes, while also improving visibility into enterprise-wide audits at any given time.

Advanced audit management systems provide the scalability and flexibility to integrate different types of audits such as financial audits, compliance audits, vendor audits, and operational audits within a single framework.

One of the basic building blocks of a strong internal audit system is a centralized information model, which can be used to effectively manage the entire audit universe, and unify cross-departmental audit data. It can also be used to closely map risks to auditable entities, and thereby enable a risk-based approach to auditing.

The audit group should leverage technology to streamline end-to-end audit processes such as audit planning and scheduling, resource pooling, re-scoping, parallel audit task management, issue delegation, and corrective actions tracking. This systematic approach helps minimize redundancies and optimize audit cost-efficiency.

Powerful reporting tools, dashboards, and analytics help simplify and accelerate reporting, and provide valuable risk and internal audit insights from across the enterprise. Additional advanced capabilities such as built-in remediation workflows, time-tracking, automatic alerts, and offline audit functionalities further strengthen audit processes.

A robust audit framework aligns appropriately with industry standards and best practices. It also enhances collaboration with other assurance functions and senior management. In essence, it not only increases internal audit efficiency and productivity, but also generates value at every stage of the audit process.

IN A NUTSHELL

If the internal audit group wants to become a key strategic partner, it needs to move beyond a traditional compliance-oriented approach, and adopt a more forward-looking attitude. The group should take on an expansive role by transcending compliance, risk, and audit silos, and aligning internal audits with organizational risks and goals. In addition, the communication channels between the management and the internal auditing team need to be open all the time.

Internal audit can translate its objectives into meaningful actions by carefully and continuously reassessing audit skills, technology, procedures, and methodologies, and aligning them to IIA standards and business needs. Equally important, the group should eliminate redundant systems, and invest in advanced technology resources to be result- and value-oriented, and to achieve speed and accuracy.

Valuable Resources:

[1] http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/?search=risk
https://www.pwc.pl/en/rynki-kapitalowe/complex_financial_histories.pdf
www.theiia.org/download.cfm?file=85580
http://taft.law.uc.edu/CCL/SOact/soact.pdf
http://www.justice.gov/criminal/fraud/fcpa/
http://www.sec.gov/rules.shtml

Benefits of Technology

• Less complexity in managing risks and audit inventories
• Appropriate business focus on the right set of risks
• Increased collaboration among various stakeholders
• Access to real-time business intelligence
• Continuous monitoring of risks
• Prompt issue investigation and remediation
• Flexibility to easily scale up to support future business needs

MetricStream

© Copyright 2013. All Rights Reserved.

www.metricstream.com

AUTHORS:

Lynn Fountain CPA, CGMA - Former VP Audit and Risk, Aquila Inc.

Timothy Schmutzler - Regional VP of GRC Solutions, MetricStream