Internal audit: four steps to improve the strategic impact on a business
(As originally published in FEI Canada F.A.R. member e-newsletter, September 2012)
By Monica Chadha, Senior Manager, Ernst & Young LLP
With risk, control and compliance becoming increasingly important, a new global survey of 695 chief audit executives (CAEs) and C-suite executives released by Ernst & Young reveals that 80% of organizations acknowledge that their internal audit function has room for improvement. Improving risk assessment processes and expanding internal audit’s focus to include broader organizational risks to create value and help the organization achieve its objectives are top priorities of CAEs.
The report, The future of internal audit is now, highlights that 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance, and an equal percentage believe that their internal audit function has a positive impact on their overall risk management efforts. And yet, 80% of respondents acknowledge that their internal audit function has room for improvement.
Based on a previous Ernst & Young study, we’ve found that companies with more mature risk management practices generated the highest growth in revenue, EBITDA and EBITDA/EV.¹ Therefore, it’s more critical now than ever that today’s internal audit function is aligned to the organization’s strategic initiatives in order to be relevant. Audit functions must revisit their respective mandates and adjust their focus to include coverage of strategic and operational business risks, and not only financial compliance.
Based on our research, we’ve outlined four steps internal audit functions need to take to realize strategic alignment, increase their relevance to the business, and help the company achieve a risk maturity that accelerates stronger financial performance:
- Leverage the organizational strategy: To create value and maximize relevance to the organization, CAEs need to have a line of sight and a solid understanding of the organization’s broader business imperatives. Internal audit can use the organization’s overarching organizational strategy to identify the risks that matter most in the context of the organization’s risk appetite.
The survey identifies that the key priorities of CAEs and stakeholders have clearly shifted from compliance and financial controls to risk coverage and business relevance. More specifically, CAEs surveyed say their teams now play a more prominent role in strategic organizational initiatives such as major capital projects (49%), IT systems implementations (42%), mergers and acquisitions (37%), and material contracts (32%). Additional focus areas include improving the risk assessment process and enhancing the ability to monitor emerging risks.
- Develop a well-aligned internal audit strategy: This should match the organization’s strategic plan time horizon to increase organizational alignment and improve internal audit’s relevance to other operating functions. This four-step strategy should include:
  - Developing and refining internal audit’s strategic vision – including the function’s roles and responsibilities, the needs of its key stakeholders, its mandate and objectives.
  - Identifying and prioritizing key strategic initiatives – including aligning initiatives to key business risks and key operational and financial priorities, and making sure that processes, methodologies and tools are up to date, internal audit has the industry and functional insights it needs, and staffing models are flexible enough to anticipate change and address emerging risks/issues.
  - Designing key performance indicators (KPIs) – including how internal audit measures its success, aligns with stakeholder expectations and tracks productivity.
  - Developing an operating strategy – including detailing activities that enable internal audit to achieve its strategic initiatives, identify key milestones and determine how to communicate to key stakeholders.
- Employ critical enablers throughout the audit life cycle. In addition to internal audit knowledge, stakeholders expect internal auditors to have the ability to team with management and business units on relevant business issues. They also expect internal audit resources to have deep sector knowledge and business acumen. It is of great importance for today’s internal audit committees to constantly assess and understand the skills their team has and needs.
As an organization changes and grows, its risk, control and compliance activities often become fragmented, siloed, independent and misaligned. Coordinating risk functions can improve key risk coverage and drive valuable strategic insights for the business. Coordinated risk reporting also gives the audit committee a more thorough perspective into the health of the organization.
- Run internal audit like a business. Internal audit needs to operate like other facets of the business, holding itself accountable for operational excellence, continuous improvement and tracking impact. It can do this by employing data analytics to drive enterprise efficiencies and results, and by designing a value charter and scorecard that defines how value to the organization is measured and whether internal audit is achieving its goals.
Our survey found that 40% of respondents perform only annual updates to their risk-related audit plans, while 6% perform no updates at all. This can leave a company unprepared for events that could crop up throughout the year such as new product launches, new market entries or litigation.
With the right internal audit-focused strategy in place, internal audit can add value to the business by becoming a strategic advisor, identifying efficiencies across the enterprise, supporting key business initiatives and quantifying internal audit’s return on investment.
¹ Ernst & Young, Turning risk into results: how leading companies use risk management to fuel better performance, 2011.
About the survey: in January 2012, Ernst & Young commissioned Forbes Insights to conduct a global survey of 695 stakeholders and audit professionals about the evolving role of internal audit. Respondents included CAEs, C-suite executives and board members representing organizations with global revenues of US $500 million or more and spanning 26 industry sectors. Learn more in The future of internal audit is now.