Background
The inadequacy of system to cater to business needs, issues regarding integrity and robustness of data generation (MIS), the absence of management strategy for monitoring risks, lack of control over the operational process, ambiguity over policy and procedures and issues so galore.
The above situations appear familiar? Indeed, these are common challenges that plague many businesses regionally and globally. Conventional belief laid emphasis on achieving business results and cash inflows, relegating the need to address pressing issues. Mounting challenges of varied nature posed by new economic order have made compelling reasons for businesses to introspect, to improve efficiencies, identify and manage risks, control leakages, rationalize costs etc. With matters of risks, control and governance gaining priority, many businesses are viewing internal audit as an important tool to achieve its dynamic objectives.
This article is an effort to shed light on the new approach used in internal audits that has led to increasing acceptance of internal audit activity as an investment that provides a return to an entity and not just reflect as a cost on the income statement.
Internal Audit
Internal Audit as a concept is exhaustive, but broadly refers to an activity carried out by independent professionals to assess whether an entity’s process and controls are adequately designed and are operating effectively, business risks are effectively identified and managed, whether resources are efficiently utilized etc. Based on the observations and findings, solutions and suggestions for improvements are provided in the form of a report to the team entrusted with governance.
The process areas covered under internal audit activity can be extensive but generally includes inter-alia, review of operational and financial functions of an entity (Operations, Procurement, Finance and Accounts, Human Resources, Information Technology etc.). Depending on the size of the entity, complexity of operations and the objectives to be achieved, approach to internal audit could assume the form of review, by covering different functions over a period. Alternatively, it may involve review of the design of all the functions at a time, backed by follow-up reviews. Dividing the scope into various functions, covered over a period, facilitates specialized focus on the department’s efficiency in achieving functional objectives as well as entity’s objectives.
Evolving Internal Audit Approach
There has been a paradigm shift in the expectations of businesses from the internal audit activity. Growing business competition, disruptions caused by advancement in technology and the desire and vision to be the industry leader by clients have brought to the fore, key questions regarding value creation, effectiveness and relevance of internal audit. This entailed an objective response by the internal audit fraternity, transforming the activity from a typical checklist-based conventional approach to a more sophisticated, comprehensive and risk-based audit.
Erstwhile Approach
Traditional internal audit approach involved an overall review of process and controls for compliance to established procedures from financial accounting/ treatment perspective. Also, the earlier approaches had greater focus on transactional accuracy and compliance with approved procedures.
This, to a large degree, ignored any significant impact of risks arising from operational, market and regulatory factors of the business. As a result, the traditional approach educed the internal audit to a mere fault-finding activity drawing lesser participation from the client management.
New Approach to Internal Audit
With the advent of the renowned concept of Enterprise Risk Management (ERM) Framework, a model developed by Committee of Sponsoring Organization of the Treadway Commission (COSO) for evaluating the risk management practice of an entity, coverage under internal audit has evolved into a more holistic and objective-based approach.
One of the components of ERM framework calls for risk assessment at all levels of the business organization setup including Entity Level, Division, Operating Unit and Function. Risk Assessment is a process of identifying and appropriately managing any adverse event (risk) that may impede or pose a challenge to an entity in achieving its goals or objectives (long term or short term).
The relevance and importance of timely risk assessment were greatly felt by corporates across the globe when market leaders faced an overnight catastrophe or near business closure event. Famous examples are Yahoo not assessing risk related to consumer preferences and eventually losing out on user experience and search engine business (market risk), BlackBerry losing out its relevance as they did not focus on bigger touchscreen displays (product technology obsolescence risk). More recent example is when Imagination Technologies Group suffered a major setback when Apple, its single largest customer (customer concentration risk), discontinued using their product. This concept of risk assessment was adopted by internal auditors to develop a risk-based audit approach to help businesses achieve operational, reporting and compliance objectives by becoming agile, transparent and resource efficient.
A risk-based audit approach requires a complete understanding of the entity’s business, industry, market segments, customers, suppliers, operations and expectations of the stakeholders. This understanding is transformed into objective statements at all organizational levels of the entity and risks (events having an adverse impact) impeding achievement of such objectives are identified, assessed for their risk levels and mitigation strategy is implemented.
Outcome/Benefits of Risk Based Audit Approach
Some of the major benefits arising from risk-based internal audit approach are listed below:
Conclusion
The above internal audit approach and outcomes/benefits derived in recent times, has made internal audit activity pivotal to corporates looking to unlock their potential and be prepared to face any adversity.
Further, the advancement in data analytics has led the internal auditors to employ advanced technologies to effectively orrelate the performance of the controls over risk, which an organization might encounter.
Kreston M E Consulting (formerly Morison (UAE) Consulting) has been providing internal audit accounting services Dubai including, systems review, business process review, drafting of policy and procedure manuals etc., for many years creating considerable value to its clients from varied industries.