Do you have an internal auditor within your organization? Is that person seen as an enforcer, who does nothing except tell you what you’re doing wrong? Or is that person a member of the overall team, who provides valuable input into projects and helps you recognize risks or potential pitfalls you may otherwise have overlooked?
As we are all settling into the altered reality forced on us by the global pandemic, it is a great time to refresh our expectations of internal audit within our organization and how these individuals can provide the most value during stressful times.
Here are our top five recommendations:
1. Double down on internal audit governance
Like all departments, your internal auditor is probably stretched thinner than they have been in the past. However, your organization also needs them now more than ever. The board of directors and/or audit committee should continue to ensure that the internal auditor is on track for completion of the 2020 internal audit plan. Those charged with governance should also ensure that reports of procedures and results continue to be produced in a timely manner and that the relationship between the internal auditor and the management team remains strong. Finally, if you have questions or concerns about the efficiency and effectiveness of your internal audit department, the audit committee could consider a quality assurance and improvement program review. This is essentially an internal audit of the internal audit department and provides best practices for internal audit departments as well as benchmarking against the Institute of Internal Auditors International Professional Practices Framework.
2. Internal audit should have a seat at the table
Obviously, it is important for internal audit to remain independent and objective with respect to the areas of the organization they are auditing. However, that doesn’t mean that internal audit should be left out of strategic conversations or implementation meetings related to new products, services, or initiatives. The internal auditor should be involved as these items get off the ground, to provide a different perspective and give management additional considerations in regard to the project at hand. Having internal audit involved at the ground level will ensure the item is appropriately covered as part of the risk assessment, and will hopefully allow adjustments to procedures and controls to be made during implementation, instead of waiting for the first formal internal audit procedures to be completed.
3. Refresh the risk assessment
Inevitably, in either major or minor ways, your business has been changed by COVID-19. Do the internal audit risk assessment and resulting internal audit plan that were last updated in November 2019 still accurately reflect the risks within your organization? Impacts on existing business processes, including a newly remote workforce or technology constraints, may affect the risks and ultimately the timeliness of audits and testing procedures performed by the internal auditor. Potentially there is even an entirely new system, process, or business unit in place in response to the pandemic that should be included in the risk assessment and internal audit plan.
4. Findings should be accompanied by achievable recommendations
In times like these, everyone has competing priorities. If your internal auditor isn’t providing recommendations on corrective action that seem reasonable and achievable, as management you should feel empowered to ask questions around what other options there are and/or get a better understanding of the criticality of the issue and a reasonable expectation on timing of corrective action.
5. Don’t skimp on remediation testing
Corrective action, especially for high-rated findings, should continue to be completed in accordance with original timelines whenever possible. It is also important that internal auditors make time for remediation testing, including testing of the control once the corrective action has occurred, to ensure it is actually operating as designed and to fully close the loop on the previous internal audit finding.
How Wipfli can help
Our team can help ensure a strong internal audit, which can help you uncover whether your employees are taking shortcuts or not following procedures. Learn more on our web page about how we can help with a co-sourced or outsourced internal audit.
Sarah G. Lutzke, CIA
Principal, Risk Advisory Services