Making Internal Audit a Value-Adding Contributor to Economic Recovery

The severity of the current global economic downturn has left organizations around the world searching for ways to contain costs, improve efficiencies, maintain customer satisfaction levels and protect their balance sheets. This unprecedented economic crisis has been nothing short of an urgent call to action for more robust risk management practices in global organizations of every size and industry.

In retrospect, the role of the internal audit (IA) function may have been somewhat overlooked in the economic storm. As organizations struggle to right the ship, we see more of them recognizing that IA is positioned to play a critical role in helping to manage the change that must come. These organizations are looking to IA to provide assurances that existing and emerging risks are identified, monitored and managed so that they can move forward with confidence in executing their business model. This issue of The Bulletin explores how IA can contribute to organizations as they recover from the crisis and what management and boards should expect of IA going forward.

Take a fresh look at the role of internal audit

The cumulative effects of poor risk management were a leading contributor to the downturn. However, there were other contributing factors. As noted in Protiviti’s Global Financial Crisis Bulletin, which contains frequently asked questions about the economic crisis:[1]

Deficiencies in corporate governance processes obviated the contribution of any risk management processes in place. In many cases, there was a lack of effective transparency, accountability and escalation in the institutions affected, which led directors and senior managers to a position of not knowing the extent of the risks undertaken. Collectively, these issues reach well beyond the scope of risk management and touch upon such areas as corporate governance, executive management, and the role of the board and the audit committee.

IA’s role touches – or should touch – every aspect of business operations, including information technology (IT) security, business continuity and crisis management, supply chain management, operating expenditures, talent management, brand/reputation management, and more. The fundamental question is how do executive management and the board view IA? Is it strictly an auditing activity? Is its primary focus on keeping the external auditor’s fees to a minimum? Is it a resource for staffing the Sarbanes-Oxley Section 404 compliance process? Or is it a consulting activity designed to add value and improve an organization’s operations? In the end, the value-add of IA is marginalized if it is not bringing a systematic, disciplined approach for evaluating and improving the effectiveness of risk management, internal control, and governance processes. In this way, IA can help an organization realize its business objectives and execute its strategy successfully.

More important, most IA teams today have a distinctly global, enterprisewide focus with a clear objective: Implement a consistent, standardized audit methodology throughout every business unit and at all levels of the organization. This global orientation can be a powerful enabler to helping businesses regain their economic footing. The message is this: Management and directors are missing an opportunity if they do not view IA as a resource for assessing risk and improving operations, risk management and the internal control structure.

Every crisis, while presenting myriad challenges, also is an opportunity to take a fresh look at traditional functions and examine how to execute their roles differently. Following are a series of strategies that IA functions and their organizations can employ in the current economic environment to position themselves for growth and success during the upcoming recovery. These strategies will require active support by executive management. The value proposition can be summed up as follows: Vigilant monitoring of risk and risk management performance will help validate and reshape the organization’s risk responses over time as it executes its strategy to improve long-term business performance and enhance sustainable competitive advantage while protecting reputation. Though highly relevant to the current environment, the following IA strategies should be employed regardless of the state of the economy.

Rethink, revise and revalidate

Risk assessment is the core of every IA function. A comprehensive risk assessment process will identify the organization’s existing and emerging risks, and help determine how these risks are controlled and where gaps exist within the operations of the business.

Risk assessments are not static processes; they must be revised and revalidated to ensure they are relevant in a changing business environment. For example, at a worldwide leader of digital security, the IA team’s primary audit methodology is risk-based scoping for the audit plan. The audit team creates a list of risks linked with a critical business area, and the team interacts with business owners to gain a better understanding of those risks, including their potential impact and priority. For every audited area and location, the team defines a materiality level to adapt the audit to the particular area’s and location’s relative size and significance. IA also leads an enterprise risk assessment, which is a risk-mapping exercise that prioritizes the risks the company faces and all related actions taken to manage those risks. This information leads to the development of the annual audit plan and positions IA to provide useful insights to senior management and the board.

Key questions for management and boards to consider:

  • Have we updated our risk assessment in the wake of the global financial crisis?
  • Do we have a process for keeping our risk assessments up to date?
  • Are we evaluating new and emerging risks to the organization?
  • Are we overlooking any important risks?
  • Are we satisfied we have minimized what we don’t know about our risks?
  • Can IA assist us in addressing the above questions?

Focus on operational and integrated audits

Operational audits by IA improve business processes by increasing quality, compressing cycle time, and reducing and recovering costs. An operational audit is a comprehensive review of various functions within an organization to appraise their efficiency and effectiveness. For example, internal controls are reviewed from a cost-benefit standpoint, and performance reports are evaluated in terms of their reliability and timeliness. When IA functions focus on operational auditing, they can cover their own costs by establishing healthier processes and enhancing efficiency, thereby establishing IA as a cost-saving center.

Organizations should ensure that the audits IA performs are integrated in nature. By “integrated,” we mean audits that (a) incorporate operational, financial, compliance, security and IT issues and (b) are designed to uncover errors, omissions, near misses, weaknesses, redundancies, fraudulent activities and missed opportunities. Ensuring that audits are integrated will help an organization maintain firm control over all of its critical operations and greatly improve business performance. It can make a global audit methodology a valuable enterprise asset.

At a major U.S. airline, for instance, the IA department receives key accounting and operational data from field locations that identify key risks such as late deposits, late sales reporting and disbursement errors. This data allows IA to determine which field locations are having problems and work with management to mitigate these risks expeditiously. Sound auditor skepticism and judgment, coupled with the use of continuous risk monitoring, are integral to the airline’s ability to stay abreast of its challenges. This dynamic is made possible by the airline’s core IA team, which has more than 75 combined years of airline audit experience. While leadership and professionalism are always important, it is especially critical for IA to be an experienced and credible source of information during a significant economic downturn.

Key questions for management and boards to consider:

  • Do audits planned by IA target business opportunities that can improve efficiency and create bottom-line savings?
  • In addition to an operational focus, do existing audits explore issues related to IT, security, compliance and finance?
  • Do we take full advantage of the experience and knowledge of our auditors?

Evaluate IA headcount and leverage technology

Rigorous human resources management is essential to every function in any organization. Containing costs today often means constricting headcount. IA has a long history of “doing more with less” and can be effective with a lean staff as long as its methodologies and processes are focused and efficient. Technology, such as risk management information systems, will help IA streamline and improve its processes. It also remains one of the top priorities for chief audit executives and IA functions to develop. In the three years that Protiviti has conducted its Internal Audit Capabilities and Needs Survey, continuous auditing and monitoring, along with computer-assisted audit techniques (CAATs), consistently have ranked among the top areas in need of improvement among internal auditors.[2]

Technology-based auditing is being employed by more IA departments to improve audit processes, as well as resource utilization. At an industry leader in application software, technology is leveraged by IA in two major areas:

  1. Technology Enabled Continuous Assurance (TECA) is one of two major technology initiatives deployed by the IA team. TECA increases risk coverage through data analysis and enhances audit staff data analysis skills. Leveraging Access, Excel and SQL software, IA has used the TECA program to develop a rich set of data analysis queries that broaden audit and risk coverage, and improve the company’s continuous assurance capabilities. Many areas are currently under TECA development, including expense account accruals analysis, logical user access review, and audit issue resolution. Not only does the TECA program transform the way the company’s IA team performs audits, it increases IA’s reach and achieves more coverage. By using this technology, auditors are free to spend more time and effort on building relationships and expanding their advisory roles throughout the company.
  2. Auditweb, another major technology initiative employed by IA at this company, is used for information management and workflow. With Microsoft Office SharePoint technology, the IA team developed a common portal to link auditors to workflow, documents and data. Auditweb is used to facilitate audit committee reporting and performance evaluations, view the audit plan and share common documents.

Key questions for management and boards to consider:

  • Are we using self-assessment capabilities to gain a clearer picture of our processes and where we can improve efficiency and save money?
  • Is IA making intelligent use of continuous auditing and CAATs?
  • Are we eliminating, simplifying, focusing and automating controls where we should?
  • Do we use outside resources to improve service levels and lower costs in areas where IA lacks the requisite skill sets?

Review governance and ethics programs

The current economic crisis is an indication of many failings, including a flawed tone at the top. Public ire has been directed at many industry leaders accused of failing their shareholders. Some have asserted that the board of directors did not discharge its risk oversight responsibilities as well as it should have. IA can help improve and clarify governance and ethics programs and improve the board’s risk oversight. This in turn bolsters the organization’s image and reputation, by establishing a clear reporting line to the board of directors. The board – typically through the audit committee – needs to play an active role in elevating the stature of the IA function. Additionally, recent changes to The Institute of Internal Auditors (IIA) Standards require IA to review the organization’s ethics program and report the results of this review to the board.

To illustrate, since 2005, one of the largest banks in the Asia-Pacific region has strongly emphasized corporate governance principles. When an audit is conducted in each business unit, the IA team reviews both risk management and governance processes. For the past three years, an independent corporate governance review has been conducted by an independent third party. Last year, reviewers concluded that the bank exhibited best practices in corporate governance.

The bank has adopted a two-tier board structure consisting of a board of commissioners and a board of directors. The board of commissioners is composed of representatives of shareholders and independent commissioners, and is not involved in day-to-day management of the organization. The audit committee is a subset of the board of commissioners, while the board of directors is composed of senior management and C-level executives. The chief audit executive of the bank has a solid reporting line to the chairman of the board of directors (the CEO) and a dotted reporting line relationship to the board of commissioners through the audit committee. This reporting line provides independence and objectivity for the IA group and is in compliance with Indonesian Central Bank regulations.

Key questions for management and boards to consider:

  • Do we have an optimal governance structure and entity-level control environment?
  • Have this structure and our ethics program been reviewed recently?
  • Do we have the appropriate industry knowledge and expertise on our board of directors?
  • Can IA assist us in evaluating our governance structure, ethics program and other aspects of our entity-level control environment?

Enhance fraud risk management

It is generally understood that as economic conditions decline, incidents of fraud increase. The story line we often see in the press asserts that disgruntled employees, dishonest executives and other individuals inside and outside the organization who are financially desperate create a climate for fraudulent behavior, which further exacerbates the economic crisis. Unfortunately, this is more than mere conjecture; it is based on experience in past down economies.

Effective fraud risk management begins with a written policy that clearly defines fraud and the specific risks associated with it. Based on the established policy, organizations implement preventive controls, detective controls and appropriate deterrents, as well as reporting and investigative processes designed to deal with instances of fraud in a timely manner when they arise. Finally, communicating to and educating the organization on fraud awareness plays an important role in both prevention and deterrence, and more firmly establishes an anti-fraud culture within the organization and, hopefully, on a global scale as well. Once again, The IIA’s recent revisions to its standards address the importance of fraud risk management requirements.

At a leading European power company, the commitment in the fight against corruption is spelled out in its Zero Tolerance towards Corruption Plan (ZTC Plan), which outlines the general principles of the company’s code of ethics regarding the rejection of corruption. Incorporating anti-corruption principles, the ZTC Plan document is distributed within and outside of the company to indicate the responsibilities and actions to be taken across different company divisions and to inform outsiders of the company’s policies. The code of ethics covers bribes, contributions to political parties and charitable organizations, sponsorships, facilitations, gifts, hospitality and expenses.

Key questions for management and boards to consider:

  • Do we communicate regularly to our employees about the seriousness and impact of fraud?
  • Does our program employ appropriate measures to prevent, deter and detect fraud, as well as reporting and investigative processes?
  • Is our program armed with effective strategies to enforce the policy and truly mitigate fraud?
  • Do we utilize IA to evaluate fraud risk and the effectiveness of our anti-fraud program?

Identify emerging risks using key performance indicators and metrics

The roots of the current economic crisis can be traced back to new or emerging risks – factors that were not well-understood or were improperly identified, such as risks associated with derivatives and credit default swaps and concentration and liquidity risks. “Knowing what you don’t know” has become the perpetual search for the Holy Grail, particularly in industries where there are significant market, credit, liquidity and commodity pricing risks. This is why IA must be attuned to changes in the organization if it is to be a value-adding player to senior management and the board. To this end, it is important to develop a balanced family of lead and lag performance indicators and trending metrics to identify when risk events occur. Such performance indicators and metrics should help communicate risks to the IA team, senior management and the board. In this way, IA is in tune with the right issues at the time they should be getting the attention of management and directors.

Some emerging risks in the economic crisis include supply chain and business interruption exposures, commodity risk, third-party liability risk, and talent management challenges. IA can help the organization identify previously unknown risks and manage new and emerging risks by linking relevant performance indicators and trending metrics to annual risk assessments. By using the assessment, reporting, management and monitoring systems the IA team already has in place, IA can be an invaluable resource for management and the board on the road to economic recovery and long-term sustainability.

Key questions for management and boards to consider:

  • Have we tied our risk assessments to relevant performance indicators and trending metrics?
  • Do we use technology to report key risk indicators (KRIs)?
  • Is there a process in place to trigger an effective and immediate response when KRIs highlight emerging issues?

Stay focused on the basics that matter

The last suggested strategy for IA (and perhaps the most fundamental) is to maintain focus on the basics in the organization. Too often, particularly amid challenging economic conditions, IA can lose sight of its priorities in helping management and the board of directors understand and manage the organization’s risks. In the current environment, one common example is management fostering more entrepreneurialism among business units and employees to drive transaction volume and revenue growth without identifying, mitigating and monitoring the risks resulting from such opportunity-seeking behavior.

At the same time, IA must ensure its activities are focused on key organizational strategies and priorities, revenue-generating opportunities and other initiatives that will have an immediate positive impact on the organization. To accomplish this, IA must employ the strategies detailed earlier and, in particular, establish strong lines of communication with management and the board to ensure IA activities are in alignment with the organization’s current focus and objectives.

Key questions for management and boards to consider:

  • Are we focused on the things that matter to our organization today?
  • Are our activities in sync with the risk appetite and other expectations agreed to between management and the board?
  • Are there areas we should have IA review to determine whether there are cultural issues or organizational dysfunctional behavior that could lead to unacceptable risks?


Given the scope of the audit plan, the IA team can play a major role in helping lead businesses out of the current economic downturn and into recovery – but only if supported by executive management and the board. The efforts that IA leaders initiate now will help reshape and solidify robust and effective risk management strategies, and prepare their organizations to face future challenges. Not only is it essential for IA to ensure that its activities are fully aligned with the expectations of the organization’s leadership, it is vital for the organization’s leaders to look to IA for the support and, at times, the guidance they need – both in good times and bad. IA should be a value-adding resource to the organization.

Ask how Protiviti helps internal audit become an enterprise asset.

The strategies discussed in this issue of The Bulletin are keystones for building a value-adding internal audit (IA) function. Many times, organizations benefit from an independent advisor who can take a fresh look at their IA function. At Protiviti, we act as a catalyst to help management and boards reshape and solidify risk management strategies and align their audit plan to organizational imperatives. The result is an IA function that can help pull you out of the current economic downturn and prepare you for challenges in the future. Could your IA function use a fresh perspective? Ask how at today.

[1] For more information, read Protiviti’s Global Financial Crisis Bulletin series.
[2] For more information, read Protiviti’s 2009 Internal Audit Capabilities and Needs Survey, available at

The Bulletin (Volume 3, Issue 11)
