“Why do I need an Internal Audit function and why should it be risk-based?”
If you are a small organization, you don’t need an internal audit function. Usually, management’s span of attention is sufficient to keep things under control. An internal audit activity is advisable though, where:
- Senior management is separated from value creation activities by several organizational layers or by geographic distance;
- Accountability is a critical factor affecting achievement of objectives;
- The nature of the business is aligned to employees’ personal interests;
- The extent of self-validating automation is low;
- The institution is subject to a high degree of care towards customers/users, the public and society.
Small companies that grow into bigger ones tend to believe they can operate without the cost-burden of an internal audit function, especially if they haven’t experienced adversity. Many of these operate in blissful ignorance of ongoing wrongdoings and missed opportunities. Worse, in good times, control deficiencies are masked by growth and seeds of disaster fester until conditions worsen, cracks open and the skeletons emerge.
In some organizations where internal audit exists, we have witnessed their misuse. Often, management relies on audit to develop their internal control system, or sets up internal audit to report to operational management, both of which defeat the purpose of independent review and criticism.
RiskVeda’s consulting mantra is that the risk-based approach is the most effective way to manage. Given this, the risk-based internal audit (RBIA) function sets its engagement priorities and programs in line with enterprise risks. Backed by this capability, which must operate in an independent and objective fashion, the enterprise is poised for success. (Independence is best assured when Internal Audit reports to a Committee of the Board, usually the Audit Committee.)
For an RBIA function to succeed, it needs to operate within a risk-based internal control environment. If implementation of RBIA precedes the application of enterprise risk management, as sometimes happens, risk-based controls will have to be put in place concurrently.
For example, a client asked RiskVeda to assist it in implementing a new internal audit function with a risk focus. No formalized risk management was in place and the documentation of internal controls was unstructured. After two weeks of information-gathering, we engaged the operating units throughout the company in risk and control assessments. The output we gathered formed the basis for formalizing an operations internal control system. In addition, we developed with senior management an enterprise risk management profile.
These two information bases provided the new internal audit function with the direction and context it needed for its risk-based assessment of control effectiveness. (Seeing the door of opportunity before it, the client went further to implement risk management throughout the company.)
A Risk-Based Internal Audit function operating with independence and objectivity shares accountability for the practice of effective risk management within an enterprise. RiskVeda sets up the RBIA function to play such a role in meeting stakeholders’ expectations, rather than an internal audit function that stands on the sidelines as an uninvolved critic.