Who are risk and audit? What value would you put on internal audit? Should internal audit expenses be the ‘third line of defence’ in your financial statements? And importantly, how can your organisation maximise the value of internal audit and ensure alignment with risk?
Internal audit, as an advisory and consulting role, contributes to an organisation’s management of risk in a variety of ways. Importantly, aligning internal audit efforts with risk provides an objective view that:
- the major risks a business faces are managed appropriately, and
- the risk management and internal control framework is operating effectively.
Internal auditors and risk managers share some knowledge, skills and values, so it makes sense that they work together. Both have interest in the risk profile of an organisation. Both have interest in improving the management of risk. Consequently, by focusing internal audit efforts on high-risk areas, internal audit is a valuable tool for those charged with governance and management. Yet, historically, internal audit has often sat with the Finance or Audit Committee rather than the Risk Committee. This is, however, changing. Increasingly, we see internal audit reporting to the Risk Committee and working within all areas (financial and non-financial) of an organisation.
While internal audit can provide a ‘snapshot’ of compliance at a given point in time, it is uniquely placed to span beyond the traditional compliance view and evaluate the performance of projects and programs. Internal audit functions around the world are continuing to expand their impact and influence within organisations through the delivery of independent, objective advisory services as well as assurance around the most important risks to an organisation – aligning the efforts of internal audit and risk.
So, who are risk and audit?
Risk is the canary in the coal mine, and internal audit is the crickets in the silence of the night. They should be the Board’s best friend. Indeed, risk and internal audit are tools which all Boards and management should use to ensure good governance, oversight and decision-making.
Risk protects value. Internal audit provides assurance that the internal control framework is adequate, and systems, processes and policies are effective and efficient. Meanwhile, independence from management ensures internal audit is ‘the crickets’… Free from bias in planning and carrying out it’s work, enjoying unfettered access to the people, resources and information the function requires (the part of the job I enjoy the most). Internal audit is also often described as the ‘eyes and ears’ of the governing body. This is because, through its activities, internal audit builds its knowledge and understanding of the organisation. This contributes to the assurance and advice it delivers as a trusted adviser and strategic partner.
What value would you put on internal audit?
If internal audit made one recommendation to improve a process by, say, 30 minutes per week at an average hourly rate of $35 p/h, would you be happy with an ROI of almost $55K? Now multiple that by five recommendations from one relatively inexpensive internal audit project. I know I’d be happy with that!
While internal audit and risk have their distinct responsibilities, both activities should be aligned to focus on the overall objectives of the organisation. This alignment will deliver the greatest value. Ultimately, internal audit as the ‘third line of defence’, independent of management, is a key asset to help organisations effectively manage risks and achieve their long-term goals, and ought to be invested in.
Internal audit not only delivers value through advising improvement opportunities but may also uncover internal control deficiencies which could cost large sums of money if left undetected in the long run.
Should internal audit expenses be the ‘third line of defence’ in your financial statements?
7 ways to maximise the value of internal audit and ensure alignment with risk
- Ensure internal audit can access a full picture of current performance and the procedures in place to manage and respond to risks identified
- Ensure there is regular interaction between internal audit, management and the Board
- Regularly review (and revise) internal audit’s focus to ensure the work is relevant and aligned with strategic and operational risk
- Ensure risk data across the organisation is consistent and clearly defined
- Leverage internal audit as a continuous improvement tool to advise on ways to improve your organisation
- Turn insights into action by identifying your desired ‘future state’
- Regularly review management efforts in implementing internal audit recommendations
About the author
Claire Smith is a senior executive and accountant with almost 20 years’ experience across the private and public sectors. She is an Associate Member of the Institute of Internal Auditors, an Internal Quality Auditor, and an independent member of the Department of Treasury and Finance Audit & Risk Management Committee. Claire is passionate about business performance and has an extensive background in risk management, strategy and business development, workforce development, and digital transformation.
Contact Claire or any of our Synectic business advisers to discuss how we can support you.