Metric How to Implement a Robust Audit Framework

INSIGHT
MetricStream
How to Implement a Robust Audit Framework
Almost every organization, regardless of industry, faces business
challenges as a result of economic fluctuations, the pace and
volume of regulatory change, and the accelerated growth of risks.
An effective audit program helps to ensure that business operations
are conducted within the boundaries of both the organization and
the regulatory bodies that govern it. Further, a well-designed and
well-executed audit function supports an organization’s ability
to confront challenges appropriately, and exploit opportunities
effectively. And it is here that the internal auditor plays a key role.
Today, internal auditors are in a direct position to advise the board
and management on opportunities to navigate through risks and
challenges to achieve organizational objectives. With this in
mind, at every step of the audit process, the underlying question
the auditor needs to ask is: What could impact the organization
so significantly that the board would have to get involved, and is
management addressing those risks appropriately?
Building an Effective and Proactive Internal Audit
Framework
The primary mandate for any organization implementing an
effective internal audit framework is to follow the IIA standards
and guidelines. The IIA’s international standards for the practice of
internal auditing provide the cornerstone for an audit framework.
The IIA has substantial resources that consolidate the IIA standards,
the International Professional Practices Framework (IPPF) being
one among them. There are many other resources that help internal
auditors maintain their audit programs in line with best practices
while also monitoring adherence to the policies and principles
requiring compliance.
Planning well for an internal audit program is another important
aspect that helps build a successful audit framework. The
auditor needs to communicate a clear plan for the audit program,
including consideration of the intricacies of each step, to the senior
management, while keeping in mind the strategic directive of the
company, to ensure that the audit program contributes to overall
business success. The planning phase defines the components of
the audit program:
• The goal of the audit program
• The scope of the audit program
• The objectives of the audit program
• The audit risk-assessment program
• The processes to sustain the efficiency of an audit program
Goal of the Audit Program
“Begin with the end in mind” is a Stephen R. Covey fundamental.
Determine the end results to be achieved, and use that information
to direct audit efforts, IT efforts, and business efforts. Having a goal
contributes to sustainable success. An effective auditor determines
goals through a process-driven effort that focuses on results:
• Organized, clear and up-to-date documentation of policies,
procedures, critical processes, and periodic status reporting
• Proactive audit management program
• Regular analysis of the entity’s results by the management
• Measures to ensure that the actions taken by the management
are based on facts and actual results
• Well-defined chain of command and roles and responsibilities
• Timely investigation of issues
• Balanced focus between short and long term objectives and
results
• Engaged and empowered entity team
• Good management practices
Scope of the Audit Program
The scope forms the crux of audit planning, and defines the extent
of the audit program within an entity and the organization. When
planning the scope of an audit, auditors need to have a good
knowledge of:
• The organization’s culture, business, and strategic goals and
objectives
• The key risks facing the entity and the organization
• How the entity has been organized, and where it is going
And to understand an entity, auditors must also determine:
• The key operational processes of the entity
• The various initiatives being implemented by the entity
• The key performance indicators and key risk indicators
INSIGHT
• The information systems that support the entity’s efforts
• The processes that have been outsourced to third parties
The board and management need to periodically evaluate the
operating effectiveness of the organization. These periodic
evaluations are a supplement to the day-to-day monitoring of
responses and control activities, and provide for more in-depth
analysis of the entity’s operating effectiveness, as well as an
opportunity to consider new practices and technologies to enhance
the entity.
Objectives of the Audit
The objectives of an audit program vary across entities and
organizations. Specifying objectives for each entity allows the audit
program to align with business needs, and drive tangible value in
results. For instance, the objectives of a GRC audit program might
include:
• Determine whether the management and the board are effective
in promoting an ethical culture.
• Determine whether the compliance and/or ethics programs
provide reasonable assurance of compliance with organizational
policies, applicable laws and regulations, and whether the
incentive system is properly formulated.
• Determine if the compliance and ethics program’s management
framework is documented, in place, and appropriately resourced
to meet the organization’s needs.
• Determine whether the organization has implemented the
compliance and ethics program effectively, and whether the
program’s performance reporting system accurately presents
the results of the program’s efforts.
• Access the costs/benefits of the governance, risk, and
compliance program.
• Ensure that the program is in keeping with current practices
based on the size and complexity of the organization.
Likewise, the audit objectives for IT projects may include:
• Evaluating the overall project plan and its project management.
• Assessing the accuracy and completeness of the systems and
data requirements for the IT solutions.
• Assessing the accuracy and completeness of the operational
responsibilities.
• Assessing the risk management process that is applied by the
management
Audit Risk-assessment Program
Risk-based audit planning has been a cornerstone of the professional
standards for many years, and increasingly organizations are
recognizing the cost-benefit value of such an approach. Auditors
have realized, in today’s dynamic risk environment, that what
holds the key to an organization’s success is an efficient audit risk
assessment activity.
The audit risk assessment helps to ensure the audit program and
specific tests to be performed are appropriate and tied to areas of
identified risk exposure. A risk assessment should also help ensure
that risks are understood. Key risk factors to be considered might
include:
• Scope and complexity of the entity
• Scope and complexity of the organization
• Regulatory environment
• Approach to managing the entity
• Level of an executive’s day-to-day involvement in and support
for the audit program
• Amount and pace of change involved in the entity’s efforts
• Maturity of the entity’s policies, procedures, and processes
• Strength of the project management process
Processes to Sustain the Efficiency of an Audit Program
To support the continuous improvement of the internal audit
program, a well-defined audit function will include reviews and
programs that help monitor the progress and effectiveness of the
program. Two of the most widely-known practices are:
• The Post-audit Project Review
• The Quality Assurance and Improvement Program (QAIP)
Post-audit Project Review
There are six steps to be considered when completing the postaudit review:
1.Declare the intent of the review
2.Select participants from the internal audit team to be a part of
the post-audit review
3.Organize the review
4.Conduct the review - Identify the top five success processes
and opportunities for improvement
5.Report findings to the senior management
6.Prepare reports, develop and adopt recommendations, and
formally incorporate the recommendations into the quality,
improvement, and standard operating practices of the internal
audit department
INSIGHT
Quality Assurance and Improvement Program (QAIP)
The QAIP is a means to systematically improve internal audit
practices and results. It enables an evaluation of the internal audit
activity’s conformance to the “Definition of Internal Auditing,”
“International Standards for the Professional Practice of Internal
Auditing,” and an evaluation of whether or not internal auditors
apply the “Code of Ethics.” The QAIP also assesses the efficiency
and effectiveness of the internal audit activity, and identifies
opportunities for improvement to add value to the audit activity,
and improve organizational operations.
Imperatives for Designing a Successful Internal
Audit Program
Proper attention and support from senior management and the
board is evidenced through oversight, due diligence, and engaged
involvement in relevant aspects of the audit program.
• Ownership taken by the management in establishing and
maintaining a system of internal controls to effectively mitigate
risks to achieve an organization’s objectives.
• Enabling the board to provide governance and oversight through
tools, such as those provided by the Open Compliance and
Ethics Group (OCEG). This not only provides a generalization of
corporate duties, but also raises awareness about the numerous
and complex issues involved in corporate governance.
• Internal audit providing assurances to management and the
board that what should be done is being done, while identifying
what significant opportunities for improvement exist.
• Ensuring that the personnel responsible for designing and
executing evaluation of the audit program possess the
appropriate skills and qualification.
• Plan audit programs in advance for the coming year, and ensure
that they are aligned with strategic business objectives and
initiatives.
How Technology Can Help in Building a Robust
Audit Framework
Pressures are mounting on internal auditors to provide risk
assurance, and mitigate risks along with managing audit processes.
Effective use of technology can help internal auditors implement
an integrated and automated audit framework that enhances
the efficiency, effectiveness, and quality of operations. Here are
some ways in which internal auditors can leverage the use of
technology:
Plan audit tasks efficiently: Technology helps auditors to plan and
execute their audit processes through an integrated and automated
audit management system that streamlines the complete internal
audit life cycle. This simplified and integrated audit system is
based on well-defined objectives and IIA standards, thus enabling a
disciplined approach to auditing, while also ensuring compliance.
Assess audit risks: Technology enables a centralized information
model to closely map risks to auditable entities to ensure a targeted,
risk-based internal audit. Every risk is identified and quantified
which helps auditors focus on mitigating risks that have greater
impact on the organization.
Manage audit resources: Technology provides resource
management capabilities that help identify and maintain auditor
details, and allocate audit assignments to audit executives. The
time audit executives spend in auditing processes is tracked, and
the competencies of internal auditors are assessed, thus bringing
in optimal resource utilization.
Manage paper work: Technology minimizes paper work by collating
crucial information, and enabling auditors to record findings along
with detailed observations and recommendations during the audit
execution stage. This eliminates inconsistencies and errors through
standardized data collection, and provides visibility to managers
through closer tracking of each document.
Improve collaboration between auditors and auditees: Through
a transparent and integrated system, auditors can discuss issues
and risks with their team, review them, and propose an appropriate
remediation plan. Every audit process is tracked, which enables
auditors to see the progress of the tasks for multiple audits that are
assigned to the audit executives.
Quality assurance and improvement: Advanced technology
brings in a streamlined approach to both internal and external
assessments, helps plan assessments, document and identify nonconforming areas, and report risks, thus assuring risk management
and monitoring. Regulations, rules, and other important regulatory
information from external sources like the IIA are captured and
updated in the existing audit program.
Monitor and analyze audit reports: Technology enhances an
internal audit system through highly structured, powerful, and
simplified reporting and analytics for real-time visibility. Critical
information is highlighted, and insight into risk-intelligence is
provided to measure audit progress, and track audit trends.
INSIGHT
Conclusion
Internal audit’s highest value to the organization may very well
be its independent vantage point from which to identify key risks,
and gauge how well the management is addressing these risks.
Given the landscape of growing regulatory pressure and dynamic
compliance expectations, internal auditors need to employ best
practices to streamline auditing processes, and deliver insights for
sustainable organizational success.
Technology needs to be utilized in the right way for an integrated,
top-down, and risk-based approach to the audit program which
brings down operational costs. Fundamentally, internal auditors
need to adopt risk-centric mindsets, and conduct the business
of audit in a risk-oriented manner, to remain key players in the
overall business of risk assurance and risk management for their
organizations.
Authors:
Keri Dawson - VP Industry Solutions and Advisory Services,
MetricStream
Dan Swanson - President and CEO, Dan Swanson & Associates
About MetricStream
MetricStream is a market leader in enterprise-wide Governance,
Risk, Compliance (GRC) and Quality Management Solutions for
global corporations. MetricStream solutions are used by leading
corporations such as UBS, Barclaycard US, P&G, Constellation
Energy, Pfizer, Philips, United Technologies Corporation, SanDisk,
Cummins, and Autogrill in diverse industries such as Financial
Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail,
CPG, Government, Hi-tech and Manufacturing to manage their risk
management programs, quality processes, regulatory and industrymandated compliance and corporate governance initiatives, as well
as several million compliance professionals worldwide via the www.
ComplianceOnline.com portal. MetricStream is headquartered in
Palo Alto, California and can be reached at
www.metricstream.com.
MetricStream
www.metricstream.com
[email protected]
© Copyright 2013. All Rights Reserved.