The PwC 2018 State of the Internal Audit Profession Study revealed what most auditors already know: management and boards are demanding more value from internal audit. Lately, audit leaders have written and spoken of the need for auditors to be trusted advisors and to partner with business management. This is a very desirable thing and, of course, some audit teams have already achieved it. The practical question for those audit teams that are not there yet is: What can they be doing differently to help make it happen?
The following are five ways audit teams can communicate and deliver greater value, while ensuring their activities are strategically aligned with the priorities of business leaders.
1. Think like a business leader
The starting point is for auditors to put themselves in the mind of someone who’s responsible for achieving specific organizational objectives. Of course, auditors also need to think differently from business leaders—independently and objectively—if they’re going to fulfill their assurance and consulting roles successfully. But if auditors find it hard to relate to the goals and priorities of business managers, then communication barriers will impede their ability to really deliver value and be seen as business partners.
2. Leverage automation to move beyond traditional audit areas
Many auditors are still reluctant to get involved in the areas that are the highest priorities for business leaders, such as competitive positioning, marketing, selling, designing and building products, and servicing customers—all of which are key components of corporate strategy. In part this is because traditionally, auditors have been more comfortable and confident in dealing with finance and IT risks and controls.
Many auditors are also keen to move beyond areas such as purchase-to-pay, order-to-cash, payroll, and inventory. But the issue is that these areas are key financial and operational areas and can’t simply be ignored from a risk and control perspective. At the same time they are unlikely to be areas of critical risk that really matter to achieving overall strategic objectives. A fraud or loss of a few million dollars in any one of these areas is of relevance, but nowhere near the magnitude of the risks related to new product failures, business acquisitions, and environmental damage, for example.
One solution is to largely automate the audits of most core financial processes through data-driven risk assessment and transaction and control monitoring. This approach dramatically reduces audit resource requirements and frees up auditors to focus on more strategic risk areas.
3. Embrace and promote collaborative technology
Technology and data have done a lot to transform business practices in the front lines. Especially in areas like customer service, product management, marketing, and sales. Yet use of technology and data in risk management, compliance, and audit is often lagging. Audit leaders can promote and encourage the use of leading technology to ensures auditors are performing at a high level. And through that, business and control owners will realize the value that risk and compliance technology can deliver.
For example, current technology can enable all Three Lines of Defense to better collaborate and share thinking around the nature of risks, as well as the inter-relationships among control and compliance activities, at a level that is just not practical to achieve with spreadsheets and manual processes. In some cases it makes sense for control owners to take over responsibility for performing automated transaction and control monitoring, in order to better manage performance of their business areas.
4. Be quick and agile
Business owners value things that are relevant today and will impact performance tomorrow. The traditional cyclical approach to audit planning is a thing of the past for many audit teams, although not all. Just because it has been three years since a particular business process was audited does not mean it needs auditing again now. Nor is there much point in spending months auditing and reporting on what took place a year ago.
Technology can play a critical role in enabling rapid responses to risk and control issues. Automated ongoing transaction monitoring and risk assessment, technology-driven exception and response management, and automated risk/control surveys all enable auditors to provide insights to business managers on what is happening now and what is likely to happen tomorrow. This delivers far more value than the traditional retrospective audit report.
5. Provide insights that no one else can deliver
Auditors are in a unique position to look at an organization’s activities and data in ways that have never been done before. Who else in an organization, for example, actually analyzes detailed transactional data from multiple separate systems and then matches and combines data in ways that provide insights into various aspects of business performance?
Through audit-specific data analytic technology, auditors can dig deeply into data and uncover the root causes of issues that impact operational performance, as well as control effectiveness and compliance. The result can be a highly quantified analysis that brings unique insights to business managers. Common responses from business managers to this sort of report from an auditor is “Where did you get that report? I could really use that—but I was told that it would be too difficult to produce. Can I get that regularly?”. This is often the moment when auditors demonstrate their ability to really deliver things that matter.
Not your traditional auditor
Many auditors already demonstrate that they are not the auditor of yesterday and strive to build relationships and deliver value to management in ways that really matter to the organization. The opportunity for many is now to take things to a new level by embracing technology in new ways. The combination of a full range of technology and audit’s ability to provide insights is a powerful one in terms of transforming the ways in which the audit profession is perceived.
Don’t Navigate Risky Waters Without Internal Auditors
This eBook gives guidance on leveraging data analytics for risk management, including risk-based audit planning, example analytics for identifying risk, and real customer stories.