First Reflections on Internal Audit: Surprises and Challenges After Three Months
A professional transitioning from Compliance to Internal Audit shares initial observations on the function's current state. The author highlights the need for more vibrant community engagement, a shift from exhaustive to relevant auditing, and a focus on forward-looking, value-driven reporting. The article also touches on the importance of client-centric processes and balancing assurance with advisory roles.
Three Months in Internal Audit: Initial Reflections
Having recently transitioned from a Compliance leadership role to Internal Audit, I've gathered some early observations about the function. These reflections aim to spark discussion and highlight areas for growth within the internal audit community.
1) Where is the Conversation?
- I was surprised by the limited number of relevant posts and low engagement on insightful content within the Internal Audit community on platforms like LinkedIn, especially compared to my experience in Compliance.
- This raises questions about whether we are adequately sharing knowledge, benchmarking practices, and learning from innovators in the field.
- Given Internal Audit's central role in governance, the conversation should be much more dynamic and vibrant.
2) Relevance Over Exhaustiveness
- Internal Audit is at a critical juncture, requiring an evolution in how audits are scoped and conducted to prioritize actual risk areas.
- Exhaustiveness can hinder relevance. Every audit should begin by asking:
- What are we truly trying to achieve?
- What key questions must be answered?
- What will genuinely add value to management?
- Focusing on these questions before commencing work ensures attention is directed where it matters most, leading to greater impact than attempting to cover every detail.
3) The “So What?” Test in Reporting
- Internal audit reports are often too technical, lengthy, and lack focus on critical information for non-specialist audiences.
- Before finalizing any issue or report, auditors should ask:
- So what? What is the real consequence?
- What does this mean for management or the Audit Committee?
- Are issues rated appropriately, considering their materiality within the broader company context, not just the narrow audit scope?
- Do proposed management actions genuinely improve the control environment and address root causes?
- Am I providing unnecessary details? Less is often more, and superfluous information can obscure the understanding of internal controls.
- Clarity and impact are paramount over sheer volume in reporting.
4) Looking Forward, Not Only Backward
- While assessing control effectiveness is crucial, it's equally important to evaluate whether management is:
- Anticipating future risks.
- Learning from past incidents through robust root cause analysis and embedding those learnings into processes.
- Strategically adapting processes to evolving business realities, such as volume changes, market shifts, and competitive environments.
- Effective internal audit fosters a proactive risk culture, moving beyond mere historical compliance confirmation.
5) Processes Must Serve Clients
- Processes that exist solely for their own sake offer little value. Organizations ultimately serve clients.
- Audit work should assess if business owners effectively translate client needs into operational processes and continuously adapt them.
- This involves examining client surveys, claims, complaints, and forums to understand if client expectations (both external and internal) are being met.
6) The Assurance vs. Advisory Balance
- Many surveys, including those from the IIA, emphasize the need for a better balance between assurance work and advisory engagements.
- Achieving this balance requires careful design to safeguard the independence of the third line of defense, a topic that warrants further exploration.
These are initial thoughts from my first few months in Internal Audit, working with a dedicated team. This list is not exhaustive, and I welcome further discussion on the evolving landscape of Internal Audit.
Read more