In order to start talking about issues that are related to Internal Audit (IA), we have to clarify which is the role of this function. Many companies think about it as “a necessary evil”…something that is needed but it is not welcome. Some other companies equate Internal Audit as the “police”…the whistleblower of everything that happens…but these perceptions are way behind of its true essence and meaning.
Internal Audit has been in the world for a very long time. It has different types according to the scope but in general it can be said that verifies that what is being doing is what it should be. So its expertise is based in two main things: first, know and deploy the business risk management and second, know all the processes within the company. Hence its revisions or audits should be based on the knowledge of the business, its vulnerabilities and the result of other revisions which implies there is lack of control.
So its knowledge is integral. Therefore it is a consultant area; an area of service. For whom? To the Management Board, Committees, CEO, other Directors; to the company itself in order to protect it from business risks. To do such job, Internal Audit should be:
-Independent, objective and ethical: its personnel must have total independence in order to not be considered “judge and jury” at the same time. Also, be skeptical, impartial alike and behave ethically in every situation and circumstance.
-Have the support of senior management; meaning: shareholders, members of the Board of Directors, Committees, CEO. This includes that the head of IA be positioned at the same level of other heads and report directly to the Audit Committee and CEO. In addition to have enough budget to hire suitable staff, have technological tools and perform audits in any location the company has branches.
-Be updated on relevant issues that may affect the company such as: risk management, fraud prevention and money laundering, data protection, etc. Also, know any new regulation that the company should comply.
-Audit performance: the importance of an audit relies on the observations made but most important to get the cause that generates such. In this way, the risk management is useful in order to attack the cause, the root of the lack of control. Add to this the knowledge of the company and here it is the key: the audit has been made as a tailored suit with the creativity of the Internal Auditor. But here the show is just beginning! The follow-up to the audits is another key element. How the audited area is deploying the recommendations? Or better why have they not done anything?
Internal Audit independence also includes performing its revisions without telling anybody when they will be. Surprise…!!! For everybody adding changes in its scope, periods to review, etc.
So, we are not the “ugly ducks”…or the police. We are an area that detects lack of controls; issues observations and recommendations. We are an area that sees the company in an integrated vision: therefore our work starts with an audit, consolidates with a business risk model (which we will talk later) and adds value to the company by our knowledge and expertise in protecting and preventing towards new risks.
Internal Audit is the key!
By Mónica Ramírez Chimal, México
Partner of her own consultancy Firm, Asserto RSC. www.TheAssertoRSC.com
Author of the book, “Don´t let them wash, Nor dry!” published in Spanish and English and internationally remark. She has written several articles about risks, data protection, virtual currencies, money laundering. Monica is international lecturer and instructor and has been Internal Audit Director for an international company.