The internal audit team of today is a world away from simply a compliance function. But in most organisations, there’s still scope to make internal audit more commercially-minded with a greater strategic focus.
If internal audit (IA) is to grow in stature in the boardroom, the profession needs to have a more strategic focus. Not only should auditors provide assurance on how new and emerging risks can be identified, mitigated and controlled, they should also advise the organisation about how it can manage them for commercial gain – keeping an eye on profitability, as well as control.
According to Katie Clinton, UK head of internal audit at KPMG in the UK, “internal audit needs to develop a keen commercial sense and show that it understands the business, as well as present effective challenge.
“However, internal auditors also need the tools – such as an appreciation of data analytics – and the technical skills to show how their insights can help manage the commercial risks, the opportunities and the environment that the organisation is operating within.”
Much of internal audit’s work will remain focused on internal and financial controls. “But some of the biggest risks to an organisation are external rather than internal and consequently internal audit needs to take a broader view of how the business operates,” says Tim Childs, director at KPMG.
That might include almost anything, from the actions of an organisation’s competitors, to the pressures on pricing and service delivery; from Brexit’s impact on the workforce, to which markets are thriving or going through a downturn.
As organisations have developed a keener understanding of risk – and the opportunities that come with it – there is a much greater demand for assurance across a wider range of areas. IA has to keep pace with demand, which means ensuring it has the necessary capabilities to satisfy these broader management needs.
According to Ryan Aitken, director of internal audit at KPMG, IA functions need to invest in training and recruitment to ensure they have the necessary talent, mix of skills and experience to meet the expectations of management and the board.
“The function needs to be multi-disciplinary, investing in skills, training and co-sourcing, to up-skill both internal audit colleagues and the function as a whole to serve the organisation’s needs,” he says. “It must foster a diverse workforce that has the right mix of skills and experience to ensure that it can provide the appropriate level of assurance to the board. In particular, audit teams need to have the right balance between internal audit specialists and colleagues who really understand how the organisation works and the challenges it faces (at all levels),” he adds.
Learning skills in new technologies, for example, or developing softer skills – or, at the very least, being able to source people with such experience – is essential. “The world is becoming much more technological and digitised, so internal audit’s approach needs to reflect this,” says Clinton. “There needs to be a much greater awareness and reliance on new technologies to improve the audit process, such as using data analytics and continuous monitoring.”
Childs believes internal audit should increasingly be regarded as a business partner by management and other heads of departments across the business – though one that is not afraid to present critical challenge. IA can learn from others by refining its approach to communication better ¬– and having the IA teams interact more effectively with other departments in the business to share knowledge and skills.
“It is important to develop a strong talent pool within internal audit,” says Childs. ”The function is going to receive ever more demands for assurance on a wider variety of risks – and it is not feasible for it to say that it does not have the skills, knowledge or experience to step in.”
Besides improving its skills-set and taking a more strategic interest, IA should also be more assertive. The Institute of Internal Auditors’ (IIA) Financial Services Code says there should be “no limit” to the scope of internal audit’s review work. Internal auditors working in other industries should adopt the same premise. That means building out the network at the top of the organisation, as well as across departments. “If internal audit thinks that it is important to review a particular area of the business, then it should have access to do so – and, crucially, support from the audit committee and the board,” says Aitken. To ensure audit committee and executive buy-in, internal audit also needs to be able to influence and persuade. “Internal auditors must be good communicators and justify why particular areas of review are necessary,” says Clinton.
“They need to have good working relationships with the second and first lines of defence and not be afraid to challenge management thinking,” she concludes. Today’s uncertain business environment – and risk-aware boards – demand nothing less.
This article was written by Katie Clinton UK head of internal audit at KPMG in the UK, Tim Childs, director at KPMG in the UK, and Ryan Aitken director of internal audit at KPMG in the UK.
Subscribe to future editions of Cornerstone for the latest thinking on internal audit.