Five Key Imperatives for Internal Audit in 2011
During his keynote speech at the 2011 Houston IIA Conference Richard Chambers, President and CEO, The Institute of Internal Auditors, noted that although the majority of audit committees and executives indicate their internal auditors are performing a good or outstanding job at meeting their needs and expectations; 74% of internal audit stakeholders believe IA needs improvement; 96% believe that improvement must occur within the next 24 months[1]. To achieve improvement, Mr. Chambers recommended the following five key imperatives for change:
1. Assess and align with key stakeholders expectations
Key Stakeholders (i.e., board, executives, third parties) want transparency. Their expectations are constantly changing and evolving.
RBIA internal audit teams have embraced this practice for years. Regular meetings between the Business Function Audit Executives and the company executives and audit committee keep them aligned and focused on what matters most in achieving the business objectives.
2. "Step up to the plate" in risk management
Traditional internal audit groups focus on a lot of different risks versus focusing on "real risks". A composite of various studies by PricewaterhouseCoopers shows risk broken down as follows:
- Strategic & Business 60%
- Operational 20%
- Financial 15%
- Compliance 5%
(Source: PricewaterhouseCoopers. Composite of various studies of US and UK market before the financial crisis)
Unfortunately, traditional internal auditors tend to spend 80% of their time on the last three areas listed.
RBIA internal auditors focus on the risks that matter most, those that can impact the organization's business success objectives.
3. Enhance Internal Auditing's knowledge of the business
RBIA internal auditors continually seek to acquire and cultivate their knowledgeby spending 60% of their training on developing their expertise in subject matter that is relevant to the business and 40% on audit/risk/control related topics. By doing so, we eliminate comments from organization executives and managers that internal auditors "don't understand the business". If internal auditor focuses just on financials and compliance then they really don't need to know the business very well...please revisit imperative 2.
4. Streamline internal audit processes and operations
RBIA internal audit teams understand that their auditors are a limited resource and must be used effectivley and efficiently. We allocate our limited resources based on requests from the the "top of the house" (audit committee and exectuives); re-enginering, process improvement, and systems development requests; covering the fundamental audits we are expected to perform; and continuous auditing / monitoring. And most importantly, RBIA auditors will stop the audit or project they are working on whenever they recognize that any additional work will not add value .
RBIA auditors also recognize if we can't deliver timely reports, stakeholders will go elsewhere to get the information they need. We address this with our team success objectives of value, cost and time.
5. Coordinate and align with other risk, control and compliance functions
Internal audit must co-exist with other areas of assurance within the organization (e.g., compliance, risk management, corporate investigations, internal controls, environmental or other audit functions). We must ensure there are no gaps or redundancy between groups.
In RBIA, we embrace these other assurance groups. We will utilize their expertise to supplement an audit team if it will add value to the area we are auditing.
RBIA audit teams should find comfort in knowing that although this framework was developed over twenty years ago, it remains very relevant even in today's business climate.