A shift from Conventional Internal Audit to Risk Based Internal Audit
The present Internal Audit across small and mid-sized organization involves a dry review of Purchase, Sales, Operations, Finance and Payroll functions with results more likely to reveal inefficiencies in process, authorization and non adherence to documented policies. Unfortunately such results most number of times does not lead to cost optimisation or a risk mitigation measure. Also the lacuna in the Internal Audit of the said functions is that most checklist are not designed or geared to cover essential risk that each of such functional area embed and its consequential impact on the organisation as a whole.
A clear shift is warranted in the manner in which Internal Audit is perceived today. Lack of technological data analytics support, unclear risk identification strategy has made the process and controls in the company vulnerable to risk. There is a clear lack of technical expertise coupled with experienced bandwidth to provide a rounded solution to the management and stakeholders at large.
With information technology advancement, new products being launched, pressure on supply chain management, increased stress on Human Capital Management, the present Internal Auditors must tailor their expertise towards devising means and methods that enable organization have answers to correct pricing strategy, business disaster plan, exception transaction reporting and optimisation of turnaround time in processes.
Although no statutory definition of Risk Based Internal Audit exists, the Risk Based Internal Audit encompasses essentially:
1. Verification aimed at identifying Risk
2. Developing a Risk Methodology framework
3. Value Creation through benchmarked process and cost optimization
4. Risk Mitigation Strategy
5. Ongoing Monitoring by Management, Business owners and Risk Based Internal Auditor's
The Risk Based Internal Audit Team should present its audit finding in a matrix categorising risk into -three broad categories namely 1) Acceptable 2) Medium 3) Un-Acceptable. Special attention should be given to Risk categorised as ‘Un-acceptable’ and comprehensive recommendatory risk mitigation strategy should be developed in consultation with the management and implemented as immediate recourse. Risk that unarguably forms part of ‘Un-acceptable risk’ includes: Lack of Business Recovery Plan, severe overriding controls, governance default etc. For the above to be achieved, technological audit tools will play a pivotal role in maximising the desired results. Data analytics tools, defining risk universe, stratic sampling will help in identifying the correct and relevant sample population.
Going forward Risk based Internal Audit consultants would be treated as business partners and management will seek to work closely with them to attain greater business value. In retrospect there will be greater and constant pressure on Risk Based Internal Audit consultants to demonstrate Value Propositions to the management which would be possible only if they stay abreast with the latest reform changes, its likely impact and prepare organization to face and overcome challenges at different phases of its business life cycle.
My other non Technical articles link:
Shall I Do Business or Continue My Job
Who are you Self or Identity