Organizations do not achieve their objectives by merely adhering to adequate systems of internal control. To succeed, for-profit organizations are expected to innovate to remain viable in today’s competitive environment, and even non-profit entities are realizing that they must also search for new products and services and re-examine their operating practices to reduce cycle-time, lower costs and increase quality. The methodologies of the past may have made the organization successful, but there is no guarantee that those same procedures will lead to success in the future.
This is a reality for those on the operational side of things, but internal auditors must realize that they are not immune to these changing dynamics and the same expectations are levied on them too. As the governance, risk and compliance landscape continues to evolve, internal auditors must search for new ways to evaluate what is in their audit plans and become creative in support of management’s pursuit of business objectives.
There are many trends driving innovation in internal audit. For example, the requirement to prevent and detect fraud, the need for faster and more agile auditing, adding value with fewer resources, transitioning to risk-based auditing, using data analytics to examine more substantial numbers of records, better root-cause analysis, practical problem solving, formulating pragmatic recommendations, and helping management improve efficiency and effectiveness.
Following are some examples of ways that innovation can help internal auditors.
1. Expand the rating of risk impact beyond monetary measures. The impacts can also include bodily injury, reputational damage, negative publicity, brand erosion, lost opportunities, employee demotivation, lower productivity, lawsuits, and excessive turnover.
2. Add velocity and persistence to risk assessments. Velocity pertains to the speed at which the risk may affect the organization. While some risks are slower to occur (e.g., demographic changes) others occur more quickly (e.g., technological change and cybersecurity attacks). Persistence relates to the length of time over which the risk’s impacts may linger if the risk were to occur after the cause of it stops. Some risks’ impacts are short-lived, like a trucking company accidentally spilling milk, while others may last a long time, such as the same company spilling gasoline or pesticides.
3. Expand the risk rating used beyond letters (e.g., High, Medium and Low) and consider using a numerical scale more conducive to mathematical calculations.
4. Expand the assessment of risks to incorporate statistical inputs, historical error, accidents, insurance claims, incident rates, correlations, simulation, and probabilistic elements.
5. Conduct broader brainstorming sessions to seek input from younger and not only more experienced personnel, from operationally involved but also individuals removed from day-to-day participation in the process, and those who think differently and creatively about unusual, emerging and diverging scenarios.
6. Develop a partnership with management to use Key Risk Indicators (KRIs), so the organization moves toward pre-emptive risk management, and continuous monitoring and auditing.
1. Offer a broader selection of consulting and advisory services to the organization
2. Recalibrate the allocation of time between compliance, financial, IT, operational, cybersecurity and advisory services based on the organization’s evolving risk maturity
3. Audit non-traditional, yet essential, subjects, such as:
a. Corporate culture and ethics: Examining the organization’s tone, culture, and adherence with desirable values.
b. Knowledge management: This is indispensable as aging Baby Boomers exit organizations, they could take their institutional knowledge with them. Also, future organizational success will depend greatly on acquiring, managing, deploying and institutionalizing knowledge.
c. Physical security: Verifying that safety measures are in place to protect and effectively respond to safety threats to employees, customers, and others at worksites and while traveling on business.
d. Training and development: To verify an adequate return on investment (ROI) and return on assets (ROA), that knowledge is acquired and operational performance improved, that high-potential talent is identified and groomed to assume managerial and leadership positions.
e. Social media: To determine if the organization is maximizing its use of social media technologies and techniques to hire, onboard, connect, deploy and motivate staff; communicate timely, accurately, and appropriately with customers, and strengthen its public relations infrastructure.
f. Project management: To make sure funds are allocated based on reasonable criteria, that projects are planned and conducted effectively, and that lessons are learned and used for future enhancements, so projects deliver the agreed-upon scope, on schedule, and within budget.
g. Change readiness and execution: To determine if the organization is willing, capable and follows-through effectively when changes are required.
1. Identify the business objectives every audit attempt to help management achieve. If business objectives are not defined, work with management to do so.
2. Brainstorm risks on the program, process or unit being audited rather than only making cosmetic changes to past audit programs.
3. Evaluate business dynamics more thoroughly, so only key risks and controls are tested.
4. Examine more rigorously the timing, type, format, and extent of data and documents requested
5. Brainstorm fraud scenarios with every audit.
6. Make your department’s mission, and vision statements the driving force behind every engagement.
1. There are different types of sampling methodologies, so question the method used. If internal auditors are not careful, they could be engaging in controls-based testing rather than risk-based auditing.
2. Go beyond sampling and test the entire population whenever possible and feasible.
3. Develop testing procedures based on the answer to the question: How do we know if this risk is happening?
4. Include fraud detection procedures with every audit based on the answer to the question: How can we find out if fraud scheme X is occurring?
5. Use subject matter experts (SMEs) whenever possible to help test unusual dynamics.
6. Require root cause analysis and promote the use of tools, such as Ishikawa Diagrams, Affinity Diagrams, 5 Whys, Is-Is Not Comparative Analysis, Pareto Charts, Scatter Diagrams, vigorous brainstorming, Process Flow Analysis, SIPOC Maps, Run Charts, Control Charts, and Histograms.
1. Use various templates to be used based on the type and urgency of the communication.
2. Update the layout of internal audit and audit committee reports.
3. Increase the use of charts, graphs and other visual elements in audit reports.
4. Streamline the reporting cycle to publish communications faster.
5. Write every audit report from the perspective of a change agent.
1. Instill and reward individual skills and competencies applicable to modern internal auditing, such as critical thinking, business acumen, data analytics, flexibility, communication, and innovation.
2. Make sure performance evaluations balance technical and soft skills that measure individual and team results.
3. Develop Key Performance Indicators (KPIs) that focus on outcomes, not only output.
4. Balance quantitative and qualitative performance metrics from within the internal audit department, but also from clients.
5. Introduce and sustain a post-audit client survey and a 360-degree review program.
1. Enhance the department’s onboarding process and hire non-auditors.
2. Deploy and sustain a robust coaching and mentoring program.
3. Use internships, co-sourcing, SMEs, inbound and outbound rotation programs.
Innovation is the generation, and translation of ideas into goods or services that create value. These ideas are often used to satisfy the needs and expectations of customers. There are many ways that internal auditors can become innovative in their work. Each department has its own needs and resource availability, expectations from the board and management, and operates within its organizational culture.
With changes occurring so rapidly around us, internal auditors must not only understand innovation, they must embrace, adapt, and thrive in it. By making innovation a standard operating practice, internal auditors will also find new, better and creative ways to increase productivity, add value to their clients, support the existence of satisfactory systems of internal control, and act with speed and confidence.