The role of the audit is taking on greater significance in guiding the enterprise beyond traditional attitudes about financial controls, toward assuring that the organization is managing risk appropriately and meeting obligations across a range of high-risk business processes, operations, and regulatory requirements. Today’s audit department must have a full understanding of the risks the organization faces and how they relate to each other across processes and activities. The auditor must be able to rely on well-constructed and well-performed evaluations of risk management, control, and governance processes to provide assurance that controls are designed appropriately and operating as designed. The Chief Audit Executive is challenged to help lead the organization to higher levels of performance while assuring the Board and stakeholders that the organization can both anticipate adverse events and take full advantage of opportunities that will help it meet its objectives.
Over the past two decades audit has changed. Audit still has a strong focus on financial risks and controls over financial reporting. However, the role of information technology audits has seen steady growth for the past fifteen years. Today, audit is being challenged to cover enterprise risk management, a broad array of operational audits, increasing regulatory compliance audits, and expanding demand for third-party (e.g., vendor, supplier, agent) audits across a dynamic and distributed business. Therefore, audit itself needs a strategy that encompasses both the dynamic need for audits and the planned and cyclical. There is growing interest in dynamic audits – but the best approach is a hybrid in which there are regularly scheduled and planned audits, yet resources remain available for the dynamic needs of the business for audits when risk and situations require them. This grows particularly challenging as business is constantly changing and distributed across a mesh of business relationships. Providing assurance to stakeholders in the modern organization has become a real challenge to audit and has increased audit’s role and visibility while stretching its resources. Effectively managing audit requires new paradigms in managing audit, audit processes, analytics, and the role of technology to make audit successful.
The issues facing audit are more challenging than ever before. The audit department is being asked to do more audits across more areas of business operations with limited resources. It has become an ongoing challenge to document and maintain auditor skill sets, develop and deliver audit work papers, and provide assurance across business operations and relationships. The business has grown in diversity, complexity, and processes that challenge audit to build an audit program that is sustainable, efficient, effective, and agile to the needs of a distributed and complex business environment. The need for resources and tools to drive efficient and effective audits through audit analytics of vast sets of data further adds to the challenges facing audit.
Audit needs to lead the organization to align on, and provide assurance on, the governance, risk management, and compliance (GRC) strategy by understanding, communicating, and providing assurance on the risks the organization faces, as well as the importance of including audit interaction across GRC-related activities. Audit needs to be prepared to:
- Articulate to the Audit Committee and the full Board why having a clear and conformed view of risk across the enterprise is critical to providing assurance
- Demonstrate how strong objective, independent assessments and audits can be used to evaluate all aspects of performance from strategic to financial and operational
- Communicate the need for dynamic audits alongside cyclical audits in coordination of a complex web of related risks impacting an expanding array of dynamic business operations and relationships
- Influence other key functional executives to align with audit’s risk and audit strategy and the organization’s achievement of business objectives
- Collaborate with other GRC executives as well as business operations in developing auditable processes that allow for measurable evaluation of effectiveness and efficiency
- Assure the executives, the board, and other stakeholders that controls are in place and operational to prevent adverse effects from identified risks
- Help the stakeholders appreciate how audit-aligned risk management can protect and grow value to the organization
- Deliver to the executives and the board clear and reliable information about risks that will drive strategic decisions and future outcomes
- Allocate limited resources to audits and controls evaluations to provide assurance
- Utilize technology to maximize these limited resources, which face ever-increasing demands for more audits in an expanding risk, regulatory, and business environment that is constantly changing
- Address the need for audits and audit analytics that do not disrupt operations, and have coordinated schedules and content
- Provide for improved efficiencies and reduced risks throughout the extended enterprise
Equipping Audit to be Ready for the Challenge Before It
The demand upon audit to do more with limited resources is a daunting challenge. Internal auditors have the skill set, interest, and focus to be able to look at things in a measurable way across the business and its operations. Audit has a broad understanding of many facets of the organization. However, audit has limited budgets and resources available to assess controls across business processes and relationships and therefore needs to be able to efficiently manage assignments and resources to provide the greatest value to the organization. This is particularly challenging in a dynamic business environment. If the audit function is not consistent and measurable, audit will have trouble assessing processes and providing assurance to the Board.
To address this complex web of challenges, audit needs an approach that drives an integrated and coordinated effort of audit management and analytics across the organization and its audit plan: an audit plan that has the flexibility to meet the needs of dynamic audits when needed, but allows for the cyclical and routine as well. This includes the ability to:
- Define and manage the “audit aligned risk universe” – consisting of an alignment of audit with enterprise risk in which audit plans are prioritized by risk allowing for dynamic audits as the organization encounters greater risk exposure in areas or reacts to events.
- Plan and manage a flexible five-year audit plan from which annual audit schedules are prepared, including the ability to plan and schedule routine/cyclical audits. Yes, the business needs audit resources for the dynamic audits more than ever – but the need for the cyclical will remain as well, as there are some audits that are routine and just have to be done. The audit plan is critical to ensure that cyclical audits get done but is more important to ensure that audit also has resources available for the dynamic audits that come up.
- Prioritize the audit by risk and support a risk-based approach to auditing that is driven by the enterprise risk register with the ability to auto-populate the audit plan with data from corporate and divisional risk registers.
- Estimate total resources (e.g., labor hours, cost and manpower) required to complete an audit based on estimated time required for each audit engagement in the audit plan.
- Define and manage detailed checklists and tasks for each section and sub-section that need to be performed for executing the audit along with evaluation and pass/fail criteria.
- Schedule audits with the ability to monitor audit tasks, send appointments, define and track requirement dates.
- Break audits into parts and assign to different groups/individual auditors with the ability to distribute audit tasks to internal and/or external auditors
- Create, store, and share standard audit workpapers, checklists, and questionnaires with ability to assign a weight factor to the items or sections on the audit checklist.
- Send audit questionnaires and monitor their completion and record information received.
- Provide mobile capabilities to allow auditors to enter findings at remote sites and deliver agility to conduct audits when and where needed.
- Maintain a library of workpaper templates, customize workpapers, and manage changes to the structure of audit workpapers managed to respective templates.
- Track the status of the audit and measure progress against milestones including the capability to assign staff to audit projects and specific tasks and manage/monitor them through completion.
- Monitor and measure audit metrics: who worked on an audit, progress of audits, time spent on an audit, and remaining time needed to complete an audit.
- Map risks, obligations, and audits to policies, internal controls, operational processes/maps, system assessments, system scans, system screen shots, vendor documents or other supporting documents to audit workpapers and questionnaires.
- Provide integrated audit analytics across a wide spectrum of information to provide assurance and insight on processes, operations, and transactions across the business and the state of control of the same.
The bottom line: This is not your father’s audit program. Audit today is different than it was twenty to thirty years ago. Today’s audit department has growing demands to do more audits across operations and relationships while still being constrained by limited resources to fulfill these demands. To effectively conduct audits, efficiently manage limited audit resources, and meet the agility required of a dynamic business environment requires a top-down approach to audit that is driven by risk-based priorities and in which technology is utilized to manage resources, analyze data, and streamline audit operations.