Internal Audit (IA) is uniquely positioned to use its cross functional / external perspective to provide strategic guidance to the business while balancing the need to perform its traditional work.
Align IA with the most significant business risks:
- Lead the enterprise wide business risk assessment focused on business risk, not solely financial statement or auditable risks.
- Keep the business risk assessment refreshed with emerging risks and business changes.
- Set the audit plan to address highest potential risk areas. Continuously re-assess and adjust real time.
- Facilitate dialogue on acceptable levels of risk tolerance and alternative risk mitigation.
Shift hours from compliance to advisory work:
- Specific hours set aside in the audit plan.
- Partner with the business to address control issues identified, process challenges, business changes, etc.
- Trade spend optimization
- Control Health Checks
- Process / control documentation for business implementations
- Contingency planning for sole source providers
- Audit Committee and / or executive management requests early in the process.
- Focus on the business risk.
- Customize solutions.
Balance objectivity with strong relationships:
- Partner with the business. Understand business goals / objectives and how audit can help enable them.
- Relationships matter.
- Establish credibility
- Audit is intimidating. Being approachable is critical.
- Watch out: maintaining independence (perception of not being objective)
Practice what you preach: eliminate costs and inefficiencies:
- Eliminate and / or reduce lower risk audits.
- Assess IA's processes to eliminate non value added work.
- Leverage non audit internal resources to complete traditional compliance work with IA reviewing.
- Simplify reporting.
- Manage travel and expenses.
- As the business evolves, IA needs to evolve with it.
- Finding the balance of traditional audit and business partnership is powerful.
- Continuous re-assessment is required.