Threats to the Internal Audit Function
An internal audit should add value to a business, but there are some factors that could derail the process
Every internal audit function wants to be seen as a value-adding stakeholder that provides assurance on key controls as a result of significant risks confronting the organisation. In pursuit of this noble positioning, it is worth identifying some of the threats that could derail and impact on the internal audit function.
Determining the magnitude of the audit exercise ensures that serious issues that could occur later are not overlooked. This is one of my anxieties as an auditor.
When planning an audit, it is possible to initiate a risk-based audit (RBA) approach. Phil Griffiths, founder and CEO of Business Risk Management, affirms that this approach “is designed to assess all the key activities, risks and controls and, therefore, major areas of concern should be identified”.
It is good practice for auditors to develop their own audit planning checklist of key items that are needed, or have to be reviewed prior to the audit. This might include, but is not limited to, reviewing past audit reports and assessing whether there are any repeated control failures.
The non-cooperation of management in dealing with opportunities for improvement in their respective functions should not be underestimated. When planning for an audit it is, therefore, important to learn as much as possible about those being audited.
The PwC 2016 State of the Internal Audit Profession study posed an interesting question: “Is your internal audit function optimally aligned with other assurance functions?” Changes in an organisation’s structure can indicate the level of assurance that might be required. If a change in the management structure was due to lack of proper governance and controls, resulting in significant losses or opportunities, this should be taken into account when planning for the audit.
Identification and provision of resources
Availability and effective use of resources play a significant role in achieving the audit objectives. For example, inadequate time allocated to planning risk-based audits will affect the identification of important internal and external aspects that have an impact on business operations.
Here’s an example. When planning to audit an organisation’s supply chain function, although it is vital to assess the overall performance of the supply chain process, the auditor should perhaps start by looking at any risks that were – or could be – caused within the value chain as a result of supply chain activities. This insight requires more time and, in some instances, technical knowledge of the business.
When selecting audit team members, the collective capabilities of the team and their impact on the effectiveness of the audits to be conducted should be taken into account. In a nutshell, financial resources, availability of auditors and relevant technical experts, as well as costs associated with travelling and accommodation, all need to be considered.
The achievement of audit objectives might be impacted by different risks within or outside the internal audit function. However, the challenge for personnel managing the function is to continually identify additional risks beyond those related to audit planning and resources.
Hope Mugagga Kiwekete is a managing consultant at the Centre for Enterprise Sustainability. He has practiced as a management systems consultant, trainer and auditor in different multicultural environments, which entailed environmental, occupational health and safety and quality management in various industry sectors in east and southern Africa and Asia. He is a Certified ISO 9001 Lead Auditor with the Southern African Auditors Training Certification Authority (SAATCA) and a member of the SABS Technical Committees for Quality Assurance, Environmental Management and Occupational Health and Safety Management Systems.