Value based internal auditing - Nilai Dasar Internal Audit
3 likes1,165 views
Value-based internal auditing focuses on providing forward-looking insights and actively seeking innovation to improve the organization. It emphasizes strategic positioning of internal audit, developing stakeholder relationships, maintaining a multi-disciplinary team, taking a risk-based approach, and continuously improving internal audit practices. Key elements include acting as an agent of change, using technology like audit management software, and reporting performance metrics in a balanced scorecard.
Value based internal auditing - Nilai Dasar Internal Audit
- 1. Factsheet: Value-Based Internal Audit The evolution of internal auditing over the last half-century is illustrated in the diagram below, with further details contained in the IIA–Australia Factsheet ‘Evolution of Internal Audit’. The services focus is explained in the IIA–Australia White Paper ‘Internal Audit Service Catalogue’. Value-based auditing is where the internal audit profession is heading. Not many internal audit functions are there yet, but it is an emerging trend. Key elements of value-based auditing are shown in the diagram below, then expanded upon in the following commentary. For more information, please call +61 2 9267 9155 or visit www.iia.org.au Connect Support Advance © 2020 - The Institute of Internal Auditors - Australia Value-Based Internal Auditing – A methodology where internal auditors perform forward-looking internal audit services to offer insights and actively seek innovation to improve an organisation, seeking to do this from the audit client perspective. Value-Based Internal Audit Strategic Foundations › Internal audit positioning › Internal audit strategic vision › Internal audit governance › Learning and development › Commitment to the IPPF Stakeholder Relations › Partnership model › Advisory services › Service catalogue › Constant stakeholder feedback Resourcing › Multi-disciplinary team › Guest auditors › Rotation program › Co-sourcing › Career and succession planning › Performance management Approach › Key agent of change › Continuous risk assessment › Assurance strategy › Integrated auditing › Operational auditing › Agile audit approach › Insightful reporting › Audit recommendation monitoring › Internal audit work plan Technology › Automated audit management software › Audit committee secure portal › Technology assurance strategy › New technologies Continuous Improvement › Quality assurance and improvement program › Performance measures and balanced scorecard reporting › Internal audit annual report
- 2. Strategic Foundations Internal Audit Positioning › Internal audit must be independent of line management. International good practice is for the chief audit executive to report functionally for operations to the audit committee through the chair and administratively to the chief executive officer. Reporting to a line management position such as chief financial officer or chief operating officer is poor practice and often inhibits a frank, fearless and objective internal audit service. On occasion this is by design to ensure a toothless internal audit function. Internal Audit Strategic Vision › Internal audit must have a documented strategic vision aligned to the organisation’s vision and key risks across all activities both financial and operational. Internal audit’s vision should be agreed with the audit committee and chief executive officer and included in its charter. The internal audit strategic vision needs to align with the organisation’s strategic vision. Internal Audit Governance › Internal audit needs to govern itself in the way it expects the organisation and business areas it audits to govern themselves. The chief audit executive should be guided by a risk assessment of the internal audit function to determine the extent of internal audit governance. It could be argued that because of who they are internal audit needs to govern itself to a higher standard. Learning and Development › There needs to be commitment to continuous learning and development for the chief audit executive and all internal audit staff. Internal audit should also contribute to professional development of the organisation and its people through collaborative and targeted seminars, training and lessons learned workshops. Internal audit should have a close association with relevant peak professional bodies such as the IIA and ISACA. The chief audit executive should develop and implement a professional development plan covering all internal audit staff. Progress reporting should be provided to the audit committee. Commitment to the IPPF › The International Professional Practices Framework (IPPF) comprises international best practice doctrine for internal auditing. Internal audit work should be performed in accordance with the IPPF, except for information systems auditors who should comply with the professional auditing standards pronounced by ISACA in its Information Technology Assurance Framework (ITAF). External auditing standards do not apply to internal auditing. Stakeholder Relations Partnership Model › Internal audit should have a documented and well thought out stakeholder relationship strategy that seeks to develop a partnership with management to foster collaboration and build a better and stronger organisation. If internal audit fails to plan its stakeholder relationships, it is planning to fail. Advisory Services › Internal audit work should not be limited to assurance. Internal audit can make a significant contribution to the organisation through provision of advisory services. These will often be ad hoc audit committee and management requests in response to emerging risks and issues. The internal audit plan should include a percentage of unallocated time for this purpose. Agile auditing concepts might be relevant for some of these engagements. Service Catalogue › Internal audit should offer a range of assurance and advisory services built around the organisation risk profile, rather than traditional one-dimensional internal audit engagements. The work of internal audit and its service offerings should align with the strategies, objectives and risks of the organisation. Constant Stakeholder Feedback › The only way to know whether your internal audit function is successful is to get constant stakeholder feedback and act on it. This does not mean giving up internal audit independence – it means acknowledging where internal audit services can be improved and delivering a more effective and valued internal audit service year on year. Stakeholder feedback should relate to key performance indicators and should be consolidated and reported to the audit committee, ideally in a balanced scorecard report. Approach Key Agent of Change › Internal audit should be a key agent of change offering proactive assurance and advisory services and value- adding insights. It should be forward-looking and actively work to improve the organisation. It should actively seek innovation. Audit committees and management expect internal auditors to demonstrate business acumen. Continuous Risk Assessment › To keep up-to-date with risks facing the organisation, internal audit should adopt a continuous risk assessment approach that constantly scans for changes in the risk profile. Annual risk assessments should be a thing of the past. Assurance Strategy › Internal audit planning should be built around a whole-of-organisation 3 lines of defence assurance assessment and result in two key documents (a) an assurance plan to guide 1st line and 2nd line improvement actions that can be visible to the audit committee (b) an internal audit plan focused on a range of internal audit services and flexibility to quickly respond to emerging risks and issues. Traditional internal audit plans do not tell the whole assurance story. Integrated Auditing › Integrated auditing applies a co-ordinated combined approach to assurance on whether key risks are being managed appropriately within an organisation across all the lines of defence. Integrated auditing is a method to tell the whole assurance story. For more information, please call +61 2 9267 9155 or visit www.iia.org.au Connect Support Advance © 2020 - The Institute of Internal Auditors - Australia
- 3. For more information, please call +61 2 9267 9155 or visit www.iia.org.au Connect Support Advance © 2020 - The Institute of Internal Auditors - Australia Operational Auditing › Operational auditing seeks to take a holistic and value-adding approach to internal audit engagements by covering a wider scope including efficiency, effectiveness, economy and ethics of the area being audited. While compliance auditing may be appropriate for specific internal audit tasks, it will not deliver the value-add these days sought by management that an operational auditing approach can deliver. Agile Audit Approach › Internal audit should be sufficiently flexible so it can quickly respond in an agile fashion to what really matters to the organisation. This includes short and sharp internal audit services rather than slow-paced traditional internal audit engagements. Audit committees and management want internal audit to respond quickly to risks and issues. Insightful Reporting › Internal audit reports should tell a story and be built around the audit client. They should be brief, insightful and say everything that needs to be said in a one- page or two-page executive summary dashboard. Reports should include an overall report rating, balanced reporting, positive commentary and a view on efficiency, effectiveness, economy and ethics of the area audited. There should also be an annual report telling the internal audit story for the year. The recommendations of internal auditors are expected to be insightful, proactive, future-focused and promote organisation improvement. Audit Recommendation Monitoring › Internal auditors have a key role to play in monitoring and follow-up of audit recommendations and action plans established by management to do so. Internal audit should support management in resolving audit recommendations that have stalled or had lengthy delays. They should tailor reports for their stakeholders on open and overdue recommendations to highlight areas that require focus. This would provide meaningful analysis, trends, and commentary on ‘at risk’ recommendations to the audit committee each quarter. Worthwhile audit recommendations that are implemented by management help to demonstrate the internal audit value proposition. Internal Audit Work Plan › Internal audit should not just have an internal audit plan showing what will be audited. There should also be an internal audit work plan based on the vision of internal audit showing what they will be doing in the coming year to build a better internal audit capability that will benefit the organisation. This should include an improvement roadmap. An internal audit work plan shows how internal audit services will be improved year on year. Resources Multi-disciplinary Teams › Internal audit teams should comprise a blend of multi- disciplinary skills and experience which are fit-for- purpose for the organisation for example healthcare professionals for health organisations, engineers for the mining industry, etc. The days of internal auditors coming primarily from a finance background and needing to have CA or CPA qualifications should be long gone as financial skills alone do not recognise the breadth of internal audit responsibilities in the modern day. Guest Auditors › Internal audit should consider use of in-house subject matter specialists from other business units as short- term guest auditors, together with a structured training program to teach internal audit techniques. This can assist in delivering more value-add from internal audit work, subject to independence issues being addressed. Use of specialists has potential to provide a more credible and effective audit reporting outcome for audits of technical areas. Rotation Program › Some organisations have rotation programs where selected middle level management spend a longer period of time working in internal audit. An advantage of this approach is development of ambassadors for governance, risk management and control within the organisation. If done well, it can be viewed as a management development opportunity for up-and-coming managers. Co-sourcing › Co-sourcing is a proven way to get specialist resources for internal audit work that may not be available in- house. It is especially useful for technical areas such as ICT, treasury, actuarial studies and other speciality areas where an in-house internal auditor would find it difficult to maintain up-to-date knowledge. Technical specialists from outside the organisation can bring valuable knowledge and skills that should be shared in- house through on-the-job training, seminars, training, etc. Career and Succession Planning › Value-adding internal audit constantly reappraises the skills and experience required to match the organisation risk profile and internal audit requirements. This is reflected in internal audit career and succession planning to ensure the organisation has access to the right skills at the right time. The chief audit executive should establish and periodically update a capability assessment of the internal audit staff. This should flow into a professional development plan. Performance Management › The chief audit executive should establish and maintain a consistent performance management system where the goals of individual internal auditors are aligned to the strategies and objectives of the organisation and the internal audit function. Individual key performance indicators should be consistent with those reported to the audit committee in the balanced scorecard report.
- 4. For more information, please call +61 2 9267 9155 or visit www.iia.org.au Connect Support Advance © 2020 - The Institute of Internal Auditors - Australia Technology Automated Audit Management Software › Where there is critical mass internal audit activity and a reasonable budget, internal audit should consider automated audit management software. It is important it be used universally across the internal audit team. Automated audit work paper systems may be administratively burdensome for smaller internal audit functions and may not in those cases be a cost-effective tool. Audit Committee Secure Portal › Technology should be harnessed to make the life of audit committee members easier. This can be through use of iPads and an audit committee secure portal to distribute information. Audit committee members are often ‘time poor’ and can benefit from innovative solutions. Technology Assurance Strategy › Organisations have significant reliance on the ICT environment, however few organisations have a formal ICT assurance strategy to holistically analyse ICT risks and how to best assure them. An ICT assurance strategy includes an ICT audit universe which can be assessed against the ICT 3 lines of defence and includes a universe of ICT projects. Internal audit can then be better informed about ICT risks and feed this information into its internal audit planning process. It can also consider the best ICT assurance approaches. This may be a 1st line or 2nd line assurance activity. It does not have to be a 3rd line internal audit activity in every case. A technology assurance strategy will also cover such things as cyber-crime, data mining, data analytics, continuous control monitoring and continuous auditing. New Technologies › Internal audit needs to be continually aware of new technologies and how best to audit them. This might include technologies such as machine learning, artificial intelligence, advanced analytics and robotic process automation. The chief audit executive should remain alert to (a) where new technologies may be used in the organisation (b) building capability to audit new technologies (c) potential within internal audit to use new technologies to boost productivity and outcomes. Continuous Improvement Quality Assurance and Improvement Program › A fit-for-purpose quality assurance and improvement program should bring together all internal audit quality elements – ongoing internal assessments, periodic internal assessments and external assessments. The chief audit executive should deliver to the audit committee an annual quality assertion on conformance with the internal audit standards. Performance Measures and Balanced Scorecard Reporting › Good practice is for internal audit to have key performance indicators (KPIs) in place to demonstrate its level of performance, with KPI results incorporated into a balanced scorecard report. Results should be included in an internal audit annual report submitted to the audit committee. Balanced scorecard reporting (or similar) should be standard reporting from internal audit to their audit committee. Internal Audit Annual Report › An annual report is a brief document that highlights the internal audit contribution over the previous year and features the capability of personnel. It also provides trends, analysis and commentary on themes. It reports where systemic issues were identified and highlighted. It should also highlight the internal audit work plan and improvement roadmap for the coming year. An internal audit annual report helps to enhance internal audit credibility by drawing the ‘whole story’ together. Helpful References ‘Internal Audit in Australia – second edition’, IIA–Australia Factsheet ‘Evolution of Internal Audit’, IIA–Australia White Paper ‘Internal Audit Service Catalogue’, IIA–Australia ‘Team Leader’s Guide to Internal Audit Leadership’, Internal Audit Foundation ‘International Professional Practices Framework’, IIA–Global