First off, let’s be clear on the role of an internal audit.
Internal audits are performed to provide assurance for an organisation. This could be delivered by an in-house audit team or contracted external auditors working with a company’s senior management team, to ensure risk management, governance and internal control processes are operating effectively.
An effective internal audit function forms part of a crucial compliance process to ensure an organisation is operating safely and effectively and they cover the entire business: from choosing a new technology, integrating a new service to implementing a new set of company values to strengthen organisational culture.
At its core, the purpose of internal audits is to give the organisation confidence that the controls they have in place are effective and the business is proactively and appropriately managing risk.
So, who is involved in the internal audit process?
Those who can action change and those who are responsible for making those changes take place should be chiefly involved in the internal audit process.
The audit should be conducted in a way that ensures all key players within the organisation not only fully understand the objectives of the audit but also that they buy-in to its importance. A one team, one continuous process of compliance approach is pivotal.
This inclusive approach ensures the output is relatable, and the benefits are clearly seen across the organisation. The wider team's involvement in the process allows them to see how the audit recommendations assist the organisation in achieving its objectives, allowing the team to take ownership of the ongoing monitoring of identified risk areas.
How does this affect risk management?
Risk is the threat that an event, action or non-action will adversely affect an organisation’s ability to achieve its business objectives and execute its strategies successfully.
For all organisations, there are risks that exist and these risks must be proactively identified and addressed to prevent or minimise loss.
Risk is measured in terms of consequences and likelihood and a robust risk management process helps organisations to control potential risks. Risk management helps an organisation to:
- Identify risks to help the company achieve its performance and profitability targets
- Prevent loss of resources
- Ensure reliable financial reporting
- Ensure compliance with laws and regulations
- Avoid damage to reputation and other consequences
To implement a risk-based internal audit approach it’s important to review whether senior management and the business share the same view of risk. As well as highlighting where differences occur to ensure that the right risks and controls are targeted in the audit plan, it’s vital to identify and prioritise risks to be reviewed in each business area.
Four tips for implementing a risk-based internal audit approach
- Develop an audit programme that stretches the team and promotes a high degree of productivity and limited downtime. For example, an auditor can work simultaneously on the reporting phase of one audit and the planning phase of the next
- Establish a “tracking” system to notify internal audit whether recommendations for further action are being implemented on time and correctly
- Ensure that internal audit follows up on reports to check that senior managers are implementing internal audit’s recommendations properly
- Risk-based internal audit is not just for large internal audit departments – the smaller the internal audit team, the more important it is for it to follow a risk-based approach. A risk-based internal audit approach can ensure that resources are prioritised on reviewing the controls for the most significant risks to the organisation’s objectives.
Ultimately, the success of a risk-based internal audit approach lies with identifying the correct risks to review from the start.
For further information on internal audit best practice or if you are looking for help to pass forthcoming audits, please get in touch with the team at Ann McRobb Associates today.