It’s time to reframe what it means to be “agile” in auditing. There are concrete steps any internal audit department can take to raise their adaptability, usefulness, and importance in the company. Read on to learn 10 practical and interrelated ways to increase internal audit’s agility and relevance, including why you should consider starting a rotational program, focusing on core competencies, refusing to declare anything “un-auditable,” and more!
What Is the Main Function of Internal Audit?
How do you describe your job? What is the role of internal audit? What is the main function of internal audit? The answer usually depends on how experienced you are as an internal auditor. Many newer auditors will say they make sure people are doing their jobs the right way. Some will say they write audit reports to let management know if their controls are working. But that is not what we do. The internal audit department functions as an extension of the Audit Committee and the Board of Directors. We provide deep insight into the risk and control environment so they can make better decisions. The role of internal audit is that of an information-gathering team that identifies risk exposures in the organization. We must be agile in our audit planning and execution to provide relevant information to management when they are making organization-impacting decisions.
How to Improve the Internal Audit Function?
When we talk about how to improve the internal audit function as a value-add function rather than just a cost center in the business, we frequently hear “agile” and “relevant” tossed around as vague cure-all concepts. When you hear these words in connection with audit, what comes to mind?
Did you think of the word “relevant” as being “pertinent, applicable, appropriate, suited, fitting, important”? A relevant audit team is one that audits activities that align with business objectives and is an important department within the business. All valuable things!
Today, “agile” is a buzzword that too often just signifies “fast,” and our present use doesn’t encompass what the word truly means or the potential for improving audit. Agile actually means an action that is “nimble, limber, spirited, sharp, active, clever, acute.” Clearly, an internal audit department that encompasses these qualities will be better able to anticipate and respond effectively to changing business risk profiles than one that is simply “fast.”
This begs the question: Can audit be relevant without being agile? Probably not, and an audit department should try to be both. CAEs need to break out of their historical frame of reference to embrace agility in pursuit of relevance. If the internal audit department functions without both agility and relevance, audit may follow a prescribed routine, potentially missing emerging risks and delivering a suboptimal customer experience.
10 Ways to Build a More Agile and Relevant Internal Audit Function
Breaking some of audit’s long-standing habits will require cultivating a tolerance for ambiguity as well as empathy, flexibility, innovation, talent, and engagement. That’s a tall order. To jump-start this departmental shift, here are ten fundamentally interrelated ways to build more agility and more relevance in internal audit.
1. Internal Audit as a Rotation
This may not be your first step, but it is the key to take full advantage of many other steps. Seek out executive approval to institute a rotational program, which is a career development initiative that allows non-auditors to rotate into the internal audit department, then return to their regularly assigned positions. When the internal audit department functions with a rotational program in place, the audit team might include traditional auditors as well as members from finance, IT, operations, or other parts of the organization (#4). Having members from other teams gain experience in audit will promote audit’s value as well as a risk mindset across the organization. Of course, rotation can and should work both ways.
When lifelong auditors rotate to other departments, they gain experience and knowledge about other parts of the business that will make them better auditors when they return. If internal audit is a rotation department, then it must work on relevant matters and develop competencies that others will desire.
2. Diverse Team With Co-Source Resource Plan
A strong internal audit function complements its core team with rotating guest auditors, as well as co-sourcing from subject matter experts. A more diverse group can better respond to audit broader topics and will give your team better insight into the company as a whole. Another positive outcome of a healthy rotational program (#1) is that internal audit will gain a diverse team with a wide range of expertise. And, of course, each time an internal auditor rotates into another department, they’ll gain valuable new perspectives they can bring back to audit.
3. Focus on Competencies, Not Just Skills
Technical audit skills are a given on an internal audit team, but competencies will be the difference when trying to react to changing needs and working on projects not previously attempted. A clear way to increase internal audit’s relevance is to focus on more widely valuable competencies and soft skills that are important to other parts of the business as well. Internal audit can be a great place to develop a capacity for dealing with ambiguity and learning on the fly, as well as the creativity to meet unexpected challenges. Interacting with process owners and other stakeholders gives auditors an opportunity to hone their relationship management (#7) and project management abilities. Communication is at the heart of internal audit, which thrives on knowing how to give the right information to the right people at the right time to effect positive change. Auditors also must learn leadership qualities, including the acumen to understand a situation and make actionable recommendations that will get implemented successfully. A department that focuses on key competencies rather than just skill sets will become a desirable place to rotate into (#1) and a source of value to the company by responding to what matters most.
4. Internal Audit Supports and Links to an ERM Program
To be able to effectively audit risks across the enterprise, internal audit must know what those risks are. This means that the audit department must support or help to develop an Enterprise Risk Management (ERM) program. Without one, audit runs the risk of having an annual audit plan that only addresses the risks audit knows about, not the CEO’s top risks. A well-functioning ERM program promotes alignment between audit activities and business objectives (#8), and maintaining this alignment is an ongoing process. Crucially, ERM can’t just be integrated across the organization—it must be integral to how the organization designs and implements initiatives, and to how internal audit functions.
5. Nothing Is Un-Auditable
Internal audit can have a tendency to draw a line around what they already know how to audit, and declare that nothing else is auditable. This can lead to an audit department missing the opportunity to perform very relevant audits. Practicing the mindset that nothing is un-auditable can be empowering—but also intimidating, which is why we need competencies (#3) and a diverse team (#2) to deliver! Of course, it’s easy and safe to audit the same known things year over year. But by leaving the comfortably familiar territory and working out how to audit something new, you’ll also be developing valuable competencies that will make your team members valuable (#1)!
6. Look for and Understand Other Assurance Providers
Because risk is so central to the role of internal audit, auditors can sometimes forget that they’re not the only ones who understand risk and provide assurance. But there are other departments besides audit that provide assurance! An audit team that is well-integrated with other departments (#1) will take advantage of this opportunity to work with and understand fellow assurance providers. By leveraging or coordinating with other assurance providers, internal audit can provide more risk coverage.
7. Proactive Relationship Management
Internal audit can’t audit effectively from an ivory tower—you’ve got to talk to people and learn about them if you’re going to help them and the business! Audit has tremendous potential to build collaborative relationships around improving people’s lives. Ask someone who has been in a position for six months what their greatest uncertainty is, and then let them know that as an auditor you are there to help reduce that uncertainty (#9). By relentlessly working to build and maintain relationships with all levels of employees and stakeholders, auditors will have a better awareness of what matters most in their organization (#4) as well as the network to do something about it.
8. Link Individual and Team Goals to the Company’s Strategic Priorities
An auditor’s yearly goal shouldn’t be to perform SOX compliance—your position is not a goal! At the individual and departmental level, audit needs to enlarge its aspirations beyond fulfilling its job description. Figure out how audit’s goals might align with larger company strategy, and set specific goals with performance metrics to track them. If one company objective is operational efficiency, perhaps audit can make it a priority to create a leaner audit program to save costs. Give yourself the challenge to stretch your comfort zone and develop some valuable new competencies (#3).
9. Be a Consulting Firm With a Customer Service Mentality
It’s easy to forget that, ideally, an auditor is a consultant: one who gives professional opinions and advice or serves in an advisory capacity. This customer service mindset positions audit as a trusted advisor who wants to learn about a person or department to help them find ways to improve (#4). A consultant role can also help a CAE run the internal audit department like a business—because it’s part of one, after all—by following utilization models, building a budget and plan for each project, and setting a percentage of hours aside to fulfill management requests. When audit sees itself as a consulting firm, it can save on time and cost while building strong relationships with audit customers (#7).
10. Use Technology to Automate Processes
By leveraging technology to take care of repetitive manual tasks, audit can free up time to perform more value-add activities. Internal audit can also play an important role in helping organizations identify opportunities to embed automation within business processes and functions. Automation can lead to increased efficiencies in monitoring controls, better visibility for all stakeholders, and significant time and cost savings that can be dedicated to projects that drive organizational value—including accomplishing more of the previous nine ways to build agility and relevance (#1-9)!
Final Thoughts on Making Internal Audit Function Agile and Relevant
Compared with doing the same audits year over year, it is undoubtedly more difficult for audit to make itself agile and relevant. This departmental shift requires developing a tolerance for ambiguity. In stark contrast to the buzzword usage of “agile” to mean “fast,” projects may in fact take longer when you find yourself auditing something you’d previously thought was un-auditable. For this reason, it’s crucial to have buy-in from the company and from your audit clients if you’re going to embark on improving your department’s relevance and agility.
But the payoffs can be significant. Focusing on competencies, developing strong relationships, cultivating a consulting service mindset, aligning audit goals with company objectives—each one of these will help make an audit department very relevant and a desirable place to learn about the business. With the right, diverse team, an agile and relevant audit function will position internal audit as a leader within the company.
So, what is the main function of internal audit? We provide timely insights to management, and we can do so with an agile approach to auditing. If you are interested in learning more about how technology enables agile and relevant internal audit functions, you can get a free demo of our Internal Audit Management Software, OpsAudit today.
Tim Berichon is Director of CAE Solutions at The IIA. He previously served as Head of Global Internal Audit (CAE) at Cooper Tire and at Grace Construction Products (GCP), and as Senior Director of Internal Audit at Tyco International. While at Tyco, he also served two years as business unit CFO of Sub-Sahara Africa based in Johannesburg, South Africa. He began his career at PwC.