Revolutionising internal auditing


Economic changes and changes in the risk profiles of organisations have brought with them certain demands which conventional auditing approaches and systems are not equipped to address.

The strategic organisational positioning of the internal audit function in most organisations indicates the high esteem with which this function is being held. While the strategic positioning and reporting structure requirements for the internal audit function are addressed, the question remains: Does internal audit address the risk exposures of the organisation or does it merely "mark the home-work' and complete a "fail or pass' report?

A revolution is defined by Wikipedia as a fundamental change in power or organisational structures that take place in a relatively short period of time. Fundamental changes often happen in a shorter period of time or they happen without notice.

Internal audit functions and internal audit practitioners need to respond to these changes swiftly. There is a need for robust preventative mechanisms to respond to changes that have a potential to lead to corporate collapses.

The modern internal audit function responds to these changes by focusing its people, systems and processes. The revolutionary internal auditor responds to the changes by adopting a risk-centric mindset. The question at the back of our minds as internal auditors should be, what could go wrong?

The Known Knowns, the Known Unknowns and the Unknown Unknowns

There is a necessary relationship between controls and risk. There is no intention on the part of the author to present these two aspects as converse to each other. The need for controls is driven by the risk exposure of an organisation.

In a press briefing in February 2002, Donald Rumsfeld, the former US Secretary of Defence, made this statement:

"There are known knowns; there are things we know that we know.
There are known unknowns; that is to say there are things that, we now know we don't know.

But there are also unknown unknowns - there are things we do not know, we don't know.'

The approach defined earlier in the article as the "home-work marking' approach is not fully equipped to address the "unknown unknowns'.

An example of this less-revolutionary approach is where an audit test is performed on the procurement process and certain attributes are tested on this process.

Subsequent to the test, a finding is raised regarding non-adherence to the delegation of authority requirements, e.g. an unauthorised official approved a procurement transaction.

A controls-focused or "home-work' marking approach will note this as a non-adherence and recommend that controls relating to delegation of authority need to be adhered to.

A risk-centric, revolutionary internal audit approach will take this finding a few levels down in detail ask the following questions, whose answer will equip the internal auditor with the full facts of the observation and enable a practical and value-adding recommendation:

? What led to this non-adherence? (Root Cause)
? What could go wrong? (Impact)

The "known knowns' and the "known unknowns' pose little audit risk in the sense that the auditor is aware of their existence or the existence of their symptoms.

It is the "unknown unknowns' that should keep the internal auditor awake at night. The things we do not know and are not able to observe from visual evidence and those whose existence we are not able to detect via verbal evidence based on our enquiries.

The product of this risk-centric approach will be an internal audit report that adds value, offers practical recommendations for improvement and ensures that there are no recurring control breakdowns of the same nature.

There is an increasing need for the internal audit function to stretch beyond its traditional focus areas, given the demands of organisations and the changing environments in which they operate.

The leadership of the internal auditing profession is continuing to respond appropriately to the need for internal audit practitioners to deliver a value-added service; however the practitioners themselves need to assume a proactive role in contributing to the evolution of the profession and its growing relevance to a changing world.