Mobile Edition
Print
Get the Mag
Weekly UpdatesIT IS NO SECRET THAT CHALLENGING times are also times of great opportunity. Characteristics of strength are never more evident than in the presence of stress. Stress exposes weaknesses, bringing the demise of things low in quality and value. It is within this crucible of challenge that internal auditors must ensure our position of strength as a partner of governance and management. In performing to ideal expectations, we can increase our influence and strengthen the internal audit role. However, we must first understand the ideal context for adding value to the organizations we serve.
As consumers, we are innately effective at judging value. We measure products quickly and easily against the benefits we see or feel. We rapidly class and compare similar products--the sound of a car door when it's slammed shut, the grace of a turn, and the feel of the seats all illustrate value. We make numerous decisions daily based on the value we perceive. The choices we evaluate are largely available because a vendor has made thousands of decisions in creating the choice. The vendor has sought to provide customers something of value in a way no other can. They make their decisions in an effort to gain a return on their invested time and resources. Every choice the vendor makes brings risk of failure. Successful vendors prosper, and those who make poor choices succumb to risk and see their resources consumed in failure.
Internal auditors work for vendors with objectives--even if the organization is governmental or not-for-profit, it still must use its resources effectively for the objectives it sets. Organizations have a purpose or vision that they are trying to achieve. Internal auditors help our organizations reach their objectives. Auditors do not own the decision-making or the resources that are on the line. Yet, we provide assistance by professionally assessing governance, risk management, and internal control. Ultimately, by definition, internal auditing should contribute to the likelihood the end objective will be successful. Ensuring that internal auditors reach our potential requires a discussion of ideals. What does the ideal internal audit shop produce, and how does it contribute to an ideal organization?
IDEAL INTERNAL AUDITING Defining an ideal usually requires many considerations by a variety of individuals with various backgrounds and experiences--the think tank. However, too often ideals are associated with implementation methods rather than results and the search for the ideal is lost. Fortunately, we have a definition of internal auditing that facilitates assumptions of the ideal internal audit result. From that definition auditors can define our value to the organization as based on the quality and usefulness of our assessments in improving the organization's governance, risk management, and internal control. Useful assessments help the organization improve the likelihood of reaching its objectives. However, auditors still cannot guarantee success because we do not own the decision-making. Thus, auditors get to the internal audit ideal by helping our organizations improve the likelihood that they will reach their objectives, by strengthening governance, risk management, and internal control. To strengthen these areas, however, we must first understand what the ideal is for each function. And even before we can define these ideal functions we must understand their context or role within the ideal organization.
IDEAL ORGANIZATION Using results again instead of methods, the ideal organization can be defined simply as one that consistently achieves its objectives. If the ideal organization were a defending army, its characteristics could be defined by the maturity of leadership in battle planning, the strength and experience of the soldiers, weapons available, and quality of armor. Similarly, an ideal organization has an effective strategy, the right people, strong processes, adequate technology, and appropriate systems of control. The weakest trait among these characteristics will define the level of organizational vulnerability. An ideal organization has optimal strength in all characteristics. Internal auditing's assessment of governance, risk management, and internal control should contribute to the achievement of this optimal strength.
IDEAL GOVERNANCE ASSESSMENT Governance seems to be an area that many in internal auditing are not comfortable assessing. In most cases, it feels like reviewing the quality of the boss's work. However, focusing on the desired result of governance can help determine assessment priorities. Good governance results in effective oversight of the CEO in executing strategy and assigning accountability, which is core to objective achievement. Good governance includes weighing staff morale, considering risks, and requesting responses to vulnerabilities. Governance needs to be competent and have adequate information to carry out its role. The commander in chief of all armed services is responsible for reviewing the strategic direction and ensuring that accountability for its implementation is clear. He or she also needs real time information for evaluating risks to exercises and operational vulnerabilities. In an organization, a board of directors acts similarly by reviewing the strategic direction and accountability for operational implementation. The board also evaluates reporting on risks and vulnerabilities to strategy, helping management set the risk appetite.
However, many board members may not fully grasp their role in governance. An assessment of governance by internal auditing may result in recommended training for members to improve their awareness of their roles and responsibilities. Internal auditors can also play a role in assessing the adequacy of information that governance (or board members) receives. Governance should be able to answer several questions:
* Has accountability been effectively disseminated throughout the organization from the CEO down to the lowest-level employee?
* Is the ethical tone at the top appropriate?
* Where is the organization vulnerable?
* What are the key risks?
Internal auditors bring value to governance by strengthening board members' awareness of their role and the information they need to execute that role.
IDEAL RISK MANAGEMENT ASSESSMENT
Ideals for risk management are often lost in debate on the method of implementation, or even the definition of risk. Without entering that debate we can get to internal auditing's ideal value contribution to risk management by defining ideal management in general. Executive management creates operational plans to implement its strategy. Management then assigns accountability to each of its subordinates, who further delegate to their staff. Each individual will ideally consider his or her tasks/objectives and potential risks to achieving them and develop efficient and effective business processes with systems of control to deflect or warn of impending risks. The two elements of understanding accountability and responding effectively are critical to the success of any organization. The formality of management's understanding of its objectives, and its response to these objectives, defines its strength. Internal auditing can assess these two elements, throwing risk into the equation, and report on the strength of management/ risk management at any location within the organization. This assessment is particularly valuable in that inadequate management leads to inadequately designed business processes and controls.
IDEAL INTERNAL CONTROL Internal auditors are very familiar with systems of internal control. We have many ways to document and validate them. However, some methods are two-dimensional and do not consider the organization's objectives. Within an organization, business units and management may jump at an opportunity where there is no business process in place. An organization that is growing needs to have realistic control systems that reflect the capacity of the current business process and help the organization take the next step toward strengthening it. Internal auditing's assessment of systems of internal control are ideal when they provide the best next step for business processes and related growth in internal controls.
Ultimately, internal auditing's value to the organization it serves will be defined by its ability to help the organization achieve its strategic and business objectives. There are many ways to add value to an organization; however, within the role of internal auditing, three actions are particularly important in ensuring the future strength of the auditor's role.
* Assessing governance to identify governance education needs and needed information on organizational risks and vulnerabilities. By providing these details, internal auditing can help those responsible for governance take action to strengthen their position.
* Considering the adequacy of disseminated accountability and management's response to objectives over any large or small set of objectives. This is a key part of what illustrates organizational vulnerability. Communicating gaps in accountability or effective implementation of objectives is an element of risk management.
* Determining whether the systems of control are promoting the strengthening of business processes effectively at an acceptable pace.
It is internal auditing's role to bring professional assessment of governance, risk management, and internal control to an organization. Considering the ideals discussed in this article can assure the value of internal auditing if we effectively respond to our defined objectives in the development of audit processes capable of producing these products for governance.
DAN CLAYTON is director of Knowledge Management at CHAN Healthcare Auditors in St. Louis.
FEED