If a general question is raised to the top management and the board of directors about the role to be played by internal audit in the business entity, most of the responses will surely focus on being the defense line that protects the entity’s assets and detects weaknesses during the internal control review process.
However, such a prevailing view of the internal audit is untrue, and requires further clarification by the professionals concerned with the profession of internal audit, thus reflecting the true role of internal audit, which became a major partner in moving forward with the top management toward upgrading the entity and assisting it to achieve its objectives.
Moreover, the recent changes to the international professional framework for practicing the profession of internal audit confirm the correctness of such a trend, especially the principles adopted, making the internal audit prudential, initiative-oriented, and of future outlook, while supporting the development and improvement of the entity. Nevertheless, there are some contradicting matters that require us, as practitioners of internal audit, to be aware of.
Added Value or Corporate Protection?
Internal Audit is defined as “An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The definition clearly specifies two objectives of the internal audit: adding value to the organization, and improving its operations. The question is: Is adding value to the organization limited to identifying the control gaps and drawing recommendations to improve this situation, or does it extend to identifying the development areas of the organization, which require the auditor to be characterized by strategic thinking, prudence and foresight regarding the expected events that may affect future decision making, which may upgrade the organization’s performance?
From another perspective, the Institute of Internal Auditors (IIA) developed a mission for internal audit: “Support and protect the organization by providing assurance, advice, and risk-based objective prudence to the stakeholders.” The mission may clearly conflict – to some extent – with the objective of internal audit, and the principles adopted, which necessitate that internal auditing should be prudential, initiative-oriented, and of future outlook, as well as supporting and improving the organization.
Developing and Improving the Organization is Part of the Internal Auditing Definition
Having a close look at the internal auditing definition, we also note that it has set a clear mission for internal auditing, relating to the improvement of the organization’s operations.
The question is raised: is such a definition limited to improving the operations by identifying the weaknesses in control, risk management, and governance only, or improving all operations that exceed such scope? The objective of corporate governance is eventually to improve performance.
Further, one of the objectives of risk management is to manage and utilize corporate resources. Here, the question is raised: Do performance assessment audit, risk management, and corporate governance meet the principles adopted in relation to prudence, future outlook, and corporate development and improvement?
Risk Management Requires Addressing both Risk and Opportunity
The Institute of Internal Auditors (IIA) defines risk as the “Possible occurrence of an event that may have an impact on achieving the organization’s objectives.”
We are aware that risk management addresses uncertain events, and that risk is often something causing damage. Uncertain events could be positive, providing the organization with opportunities.
Hence, such events should be dealt with either as a risk or opportunity. Many internal audit departments build an audit plan based on risk assessment.
However, such a method ignores the opportunities, which constitute the core that can add value to the organization. On the other hand, if the audit programs prepared by auditors are assessed, we will notice that they are often free of a procedure relating to identifying the opportunities for improvement, whether administrative or financial.
They also do not link the audit objectives and the objectives of the organization, which indicates that the internal audit mission may not be consistent with the organization’s ambitions.
The Three Defense Lines Model: Why Defend while the Organization Needs to Move Forward?
Such contradictions may be aggravated when the three defense lines model stresses that internal audit is a third defense line while ignoring the internal audit’s objective and the role indicated under the definition of internal auditing.
Despite my personal reservation about the name of such a model, as it is not a defense model, but a model to provide assurance that the work of the entities referred to in the second line is not limited to defending the organization, but extends to developing it.
For example, under the second level reference was made to the functions relating to quality, of which the main task is to develop the organization, rather than defending and protecting it. So, is it reasonable to state that all parties to the model seek to defend the organization, without considering its future and development?
Changing the Culture is a Difficult Part that Requires Intellect and Awareness from the Profession Practitioners
At the outset of my career, I recall the first audit task I performed. Many auditors may share with me the same experience. I was asked to audit a work center.
During the audit task, it was my objective to write the largest number of observations relating to weak controls and non-compliance with the work procedures.
As my professional thinking developed, I became aware that compliance with the procedures is not an objective in itself. The procedures set out may not help achieve the objectives of the organization. During the audit tasks, I began to consider the necessity of compliance, and what procedures to follow for the development of this area.
Years later, as another phase of thinking developed, it was essential to look at a higher level of procedures. Looking at the organization’s strategy and how far it has achieved its main objectives has been of greater impact for the top management, and being involved in providing consulting with a strategic dimension has been of much greater impact. Certainly, the forthcoming period exceeds this, as IIA, among the principles it adopted, has focused on the necessity that internal auditing be prudential, initiative-oriented, of future outlook, and that it should support the organization’s development.
The auditing culture formed by the top management depends on the content of reporting. If reports address adding value and developing the organization, internal auditing would become a strategic partner to the top management in leading the organization, rather than being an obstacle – that is the prevailing view of auditing – that hinders the management from moving forward. Moreover, internal auditors play a significant role in guiding the auditors and providing awareness to the top management of the role expected from internal auditing, in order to convert from defense to offense.
Standards Concerted with the New Internal Auditing Standards
Principles adopted by IIA include that internal auditing should be prudential, of future outlook, and support the organization. All of these require personal judgment and opinion. Meanwhile, standards on internal auditing, in their current form, do not help achieve the principles adopted.
Furthermore, the standards required the auditor to rely on sufficient, proper, relevant, and useful information. This may hinder giving opinions. Here, I do not mean involvement in decision-making instead of the management, but to share their interests and expectations relating to the development of the organization and improving its performance by providing initiatives of strategic dimensions, rather than being limited to criticizing reports. The exciting point about this matter is that the draft amended version of the standards did not consider covering this part. Why?
At the end of this article, conservatives whose view is that the internal auditing profession must remain unchanged may have an opinion contrary to mine.
Expectations of the top management may play a major role in keeping such a role unchanged. Meanwhile, those whose view is that the internal auditing profession is on the verge of a major change that may increase its importance to developing the organizations may agree with me.
Finally, these are ideas that raise several questions in a manner that requires us not to take any development to the professional framework for practicing internal auditing as is, but to consider its contents more deeply.