Parallel to the great upsurge, another factor haunting corporate boardrooms is “Risk”. The risk can be of any type: liquidity risk, fraud risk, reputation risk, competition risk and sundry other risks. Thus the internal audit profession has witnessed a sea change in this era, a change from the traditional ‘compliance’ or ‘transaction’ audit to the much more dynamic and interest-based ‘Risk based audit’. It can also be defined as control assessment or control rationalization. It is very different from the traditional internal audit, which relates only to compliance and bothers the employees of the organization, as it does not give any productivity or return to the organization or auditee. Nowadays, internal audit has turned into a risk assessment mechanism which provides analysis of the risk involved in any business activity. Along with that, it also refers to the assessment of controls and the rationalization of authorities. It involves determining whether the proper person has the proper job.
In the modern era, internal auditors have many more responsibilities than before. Their vital areas are now:
i. Review operations, policies and procedures.
ii. Help ensure goals and objectives are met.
iii. Understand the big picture and diverse operations.
iv. Make recommendations to improve economy and efficiency.
The enhanced role of the internal auditor covers financial analysis, risk evaluation, improving operations and business performance, supplying suggestions and recommendations, and adding value to the organization. Internal auditors identify all auditable activities and risk factors and assess their significance, investigate and evaluate each factor, identify the potential trouble arising from it, communicate the same to management, anticipate emerging issues, and take the opportunity to bring new areas into the audit.
The internal audit function has had to reinvent itself in order to keep pace with the organization, with changing and increasingly sophisticated technology, with the changing risk profile of the organization and with the increasing level of expectation. The internal audit function must be carried out in a planned and stepwise manner. Anything that is not planned well cannot be executed well.
First of all, we have to create a risk profile of the enterprise. Understanding and evaluating the business environment is the key to understanding the risk involved. Other information assessed at this point should include the work culture of the organization, the strategic plan, the current year’s business plan, the financial plan and other known related issues. We have to analyse all of these to create a profile of the organization. Unless you know the environment and the other factors affecting the organization as a whole, you will never know where the risk is or how complex it is. The audit program can then be designed to address the specific risks and to suggest further examination and control in high-risk areas. The risk based audit methodology can follow a four-step process:
a. Know your client: Gain an understanding of the business unit’s operations and corporate functions and the business environment in which the unit operates.
b. Risk assessment and planning: Assess the risk profile of the business unit and plan an audit approach to address those risks.
c. Testing and evaluation: Perform the audit work in an efficient and effective manner and evaluate the results of the audit tests within the business context.
d. Communicate results: Communicate audit results in the most efficient and effective manner, one that adds value to the auditees and aligns with risk and business objectives.
Effective communication between top-level management and the internal auditor is the lifeblood of any internal audit function. An effective audit without effective communication of the results to the top management of the organization is not of much use. Unless you communicate your assessment of risk at the organization level to the proper authorities, it is not much help to the organization. A proper person can use proper information in a proper manner. That is the key to reporting the findings made by internal audit.
The thing to keep in mind is that top management does not have much time to read everything in detail. You have to set a format according to their requirements and needs. An executive summary is also a part of any report that must not be forgotten. You cannot expect higher management to read every point in detail. You must prepare a brief summary that covers all relevant issues and points for consideration. The important ones must be highlighted and eye-catching.
Lastly, I must say that the internal audit function will work as a filter for any organization, in which bad policies and procedures must be caught and communicated.
CA Prashant Gupta