Helen Li FCPA, President of The Institute of Internal Auditors Hong Kong and Group Chief Auditor at The Bank of East Asia Ltd., on how the independent internal audit function can provide quality challenges and more value
To enhance the internal audit (IA) function is to make use of what IA is well-positioned to do – knowing how to identify blind spots from inside the organization, while also having the perspective of someone who is outside of it. The IA function can also find missing links, and connect the dots to present the bigger picture to stakeholders. Below are some thoughts for IA practitioners and key stakeholders’ consideration:
Have the right focus
While internal auditors have the authority to audit anything in an organization, it is critically important for IA to not audit everything. Due to the limited resources, internal auditors must focus on the areas that truly matter to the board and C-suites, i.e. assessing the robustness of control mechanisms, instead of maximizing verification of individual controls which might not be applicable later on due to changing environments.
With business rules constantly rewritten and product lifecycles getting much shorter, internal auditors are essentially auditing “moving targets” most of the time. This requires them to stay on top of the latest developments and readjust audit focus areas promptly. They should audit what is most important to the organization, not what is convenient nor what they used to audit. However, some IA functions still audit discontinued services and obsolete processes. Cybersecurity has been ranked as the top risk by chief executive officers and chief auditors. A recent KPMG global survey shows that only 33 percent of chief auditors rate their “preparedness” for auditing tech-related risks as “good” or “excellent.”
With accelerating digital transformation across all businesses, internal auditors must embrace technologies and big data. They must first understand how their organization is deploying technologies to assess associated risks and adopt the right audit approach accordingly. Secondly, the IA function needs to harness technologies in the audit process to improve audit efficiency and effectiveness. Through deploying artificial intelligence and cloud computing, the IA function of a food and beverage wholesaler, for example, is able to audit invoices 24/7 covering both financial and fraud risks. Possible fraud alerts identified are fed back into the process with more focused scrutiny for subsequent transactions. Compared with traditional manual sampling, which only covers a tiny fraction of the data population, technology enables internal auditors to widen audit coverage and the depth of reviews. Thirdly, internal auditors must know how to assess “soft” as well as “hard” controls – any issue they identify may have wide or deep implications e.g. a corporate culture that involves hidden rules in the organization, which are harder to audit than written policies or procedures.
Expand the audit spectrum
Your company’s 2022 annual IA plan is probably approved by audit committee by now, but there is always room to expand the nature and scope of the IA work. Be creative to expand the audit spectrum to achieve your objectives. For example:
- Include more variety of IA reviews. In addition to deep-dive, end-to-end process control audits, explore quick reviews to provide more timely, focused and task-based results;
- Try more advisory work such as benchmarking analyses and research studies; and
- Help to raise control awareness through sharing common audit issues and the transfer of governance knowledge, tools or skill sets to other functions – let others know that IA is here to help, not to criticize.
Be prepared for change
Despite having a very comprehensive 2022 IA plan and robust IA process, changes always go beyond the plan. Agility and innovation are more important than ever nowadays. COVID has not only forced us to live and work differently, but also made us think outside of the box to explore new ways of doing things, bringing in unbounded possibilities and opportunities. Remote auditing is one of them. Though we struggled with virtual audits at the beginning of the pandemic, remote auditing is now business as usual, and there is increasing sophistication in work-from-home audit processes.
The quality of IA depends on the quality of auditors. Continuously upscaling audit skills is not an option but a must to stay relevant. As boundaries across industries and professions blur, all functions are competing for similar talents, such as those with good business acumen, critical thinking, communication skills, and tech-savviness etc. A war for talent has started and will likely continue in 2022. There should be alternate plans for the IA function to ensure adequate resources, such as an internal rotational programme or guest audits to enable high flyers to work in IA, as well as co-sourcing with professional firms to tap into external resources.
With everything we’ve learned being redefined, IA has gone through dramatic changes in the last decade and continues to evolve as an indispensable part of a governance, risk and controls framework. It is a journey that involves continuous learning and improving. In order to provide quality challenges, the IA profession needs to reflect on its own and others’ successes and failures to continue to explore what’s possible for the betterment of their organizations.