We recognise the continuous and deep connection to Country, of Aboriginal and Torres Strait Islander peoples as the first peoples of this nation. In this way we respectfully acknowledge the Traditional Custodians of this land, sea, the waters and sky. We pay tribute to the Elders past and present as we also respect the collective ancestry that has brought us all here today.
AUTHORS: MARK HARRISON, LILI MILLAWITHANACHCHI, HIRUNDA KANAHARAARACHCHI, & KIRSTY MARTIN
In many organisations Internal Audit functions are not respected, and the value of Internal Auditors is not understood or appreciated. Internal Audit can be an incredible asset to any organisation and an effective strategy acts as powerful tool to identify and demonstrate the value we bring. A strategy helps to:
- Foster continuous improvement of the function
- Support strategic alignment between the audit function and the broader organisation
- Enable adaptation to changing risk profiles
- Improve Internal Audit’s reputation and relationships to gain influence across organisations
To support a future-ready Internal Audit function, an effective strategy should cover the following key elements:
Integrate with risk
Supporting effective risk management is a fundamental component of the role of Internal Audit. As such, risk management needs to sit as the core to an Internal Audit Strategy. To be effective in drawing on intel on risk, Internal Audit needs to partner with the Risk Management function to form a mutually beneficial relationship. Both Internal Audit and Risk Management perform unique roles that allow for a broad view across the organisation.
While it can sometimes feel like Internal Audit and Risk functions are competing to be the trusted advisor in an organisation, sharing insights between these functions can add value in tailoring and targeting the activities they each perform.
Namely for Internal Audit, it provides rich intel on where to focus the Internal Audit Strategy. Tactically, sharing of information between the roles can support Internal Audit to identify where it needs to pivot activities to better target changing risk profiles.
Traditional Internal Audit structures and processes slow its ability to adapt to emerging risks.
Becoming more agile means that Internal Auditors have their eyes open to changing risk profiles and pivot quickly to deliver more valuable and timely insights.
This can mean stepping away from a stable annual Internal Audit Program with fixed scopes determined at the start of the year. An agile delivery approach takes the pressure off Internal Audit functions to ‘crystal ball gaze’ to design relevant audit programs 12-18 months in advance. But this also means that linear performance measures of Internal Audit functions like timely delivery against a pre-determined audit program lose relevance. Success of the Internal Audit function needs to be measured with a focus on business outcomes and the alignment of the Internal Audit activity that contributed to it.
Moving to a more agile approach requires change management in setting the expectations of the Audit Committee, organisational leadership, and other stakeholders. Without understanding the true value of agile auditing, these stakeholders will default to traditional approaches. An Internal Audit Strategy that prioritises agile approaches can serve as a mechanism to aide change management by drawing attention to it and supporting conversations on what this will mean for each stakeholder group.
Capitalise on data
Data captured within organisations provides a rich source of information for Internal Auditors. This remains an area of untapped potential for many Internal Audit functions. Data literacy is a core capability of all Internal Auditors – specialist knowledge and expertise can help Internal Auditors to gain a seat at the table for discussions on new system functionality to influence decision making to ensure structured, reliable data is collected. Regardless of the maturity of the organisation and its Internal Audit function, there is value for an Internal Audit Strategy to prioritise the use of data and development of data capability within the function.
Data-heavy internal audits can also allow for innovative presentation – moving away from traditional reporting to dashboards of “real-time” data, allowing readers to interact with data visualisations to drill down into areas of interest.
This allows for more engaging and dynamic reporting, which increases the likelihood of it being read, understood, and actioned. In an increasingly fast-paced and resource constrained environment, an Internal Audit Strategy that fails to prioritise succinct, targeted reporting limits the value it can deliver.
Internal Audit functions need to expand on their skillsets to remain relevant and deliver innovative audits that add value. The Internal Audit profession needs creative auditors who are IT-savvy, flexible and agile, influential and with strong business acumen and communication and networking skills. This can mean taking risks on candidates who have these skills but lack technical audit skills and experience.
Target skills need to be prioritised and built into professional development plans and rewards and recognition mechanisms and supported by investment in training and recruitment.
This starts with demonstrating the value of Internal Audit within organisations to make a case for the investment. Building your future-proof Internal Audit team will not happen overnight but including capability uplift in your Internal Audit Strategy draws attention to the need and supports prioritisation of investment.
As with any change, we need to bring our stakeholders along on the journey. An effective Internal Audit Strategy provides a shared vision of the future and supports ongoing communication to enable progress towards a bolder and more valuable Internal Audit Function.