In order to start talking about issues that are related to Internal Audit (IA), we have to clarify which is the role of this function. Many companies think about it as “a necessary evil”…something that is needed but it is not welcome. Some other companies equate Internal Audit as the “police”…the whistleblower of everything that happens…but these perceptions are way behind of its true essence and meaning.
Internal
Audit has been in the world for a very long time. It has different types
according to the scope but in general it can be said that verifies that what is
being doing is what it should be. So its expertise is based in two main things:
first, know and deploy the business risk management and second, know all the
processes within the company. Hence its revisions or audits should be based on
the knowledge of the business, its vulnerabilities and the result of other
revisions which implies there is lack of control.
So its knowledge
is integral. Therefore it is a consultant area; an area of service. For whom?
To the Management Board, Committees, CEO, other Directors; to the company
itself in order to protect it from business risks. To do such job, Internal
Audit should be:
-Independent,
objective and ethical: its personnel must have total independence in order to
not be considered “judge and jury” at the same time. Also, be skeptical,
impartial alike and behave ethically in every situation and circumstance.
-Have the
support of senior management; meaning: shareholders, members of the Board of
Directors, Committees, CEO. This includes that the head of IA be positioned at
the same level of other heads and report directly to the Audit Committee and
CEO. In addition to have enough budget to hire suitable staff, have
technological tools and perform audits in any location the company has
branches.
-Be updated
on relevant issues that may affect the company such as: risk management, fraud
prevention and money laundering, data protection, etc. Also, know any new
regulation that the company should comply.
-Audit
performance: the importance of an audit relies on the observations made but
most important to get the cause that generates such. In this way, the risk
management is useful in order to attack the cause, the root of the lack of
control. Add to this the knowledge of the company and here it is the key: the
audit has been made as a tailored suit with the creativity of the Internal Auditor.
But here the show is just beginning! The follow-up to the audits is another key
element. How the audited area is deploying the recommendations? Or better why
have they not done anything?
Internal
Audit independence also includes performing its revisions without telling
anybody when they will be. Surprise…!!! For everybody adding changes in its
scope, periods to review, etc.
So, we are
not the “ugly ducks”…or the police. We are an area that detects lack of
controls; issues observations and recommendations. We are an area that sees the
company in an integrated vision: therefore our work starts with an audit,
consolidates with a business risk model (which we will talk later) and adds
value to the company by our knowledge and expertise in protecting and
preventing towards new risks.
Internal
Audit is the key!
By Mónica Ramírez Chimal, México
Partner of
her own consultancy Firm, Asserto RSC. www.TheAssertoRSC.com
Author of
the book, “Don´t let them wash, Nor dry!” published in Spanish and
English and internationally remark. She has written several articles about
risks, data protection, virtual currencies, money laundering. Monica is
international lecturer and instructor and has been Internal Audit Director for
an international company.
No comments:
Post a Comment