October 2006

Unearth the Power of Knowledge

Internal auditing can nurture best practices within the organization by becoming the resource center for risk and control information.

Richard J. Anderson, CPA, CFSA
Partner, Internal Audit Services
PricewaterhouseCoopers LLP

Susan J. Leandri
Managing Director, Global Best Practices
PricewaterhouseCoopers LLP

Most Internal Audit functions readily acknowledge that people are their most important assets. In particular, the knowledge, experiences, and expertise of the internal audit staff are critical to the activities of the audit function as well as to the entire organization. Internal auditing is also one of the few areas in an organization with an enterprisewide view and scope. Accordingly, the knowledge contained in the audit department is highly valuable. Yet, internal audit groups rarely view knowledge management (KM) as a core process within their department and, as a result, they may be missing a significant opportunity to enhance their own processes and add value to their organization by becoming a knowledge source.

Since its arrival on the business scene in the mid-1990s, KM has been a hot topic. Most organizations claim to embrace the concept that their knowledge assets — such as employee intelligence, work processes, brands, and relationships — are critical to creating value. Many organizations manage the formation, retention, and use of these intangible assets by developing processes, methodologies, and tools — networks, portals, knowledge bases, expert directories, and communities of practice (groups of people who share similar goals and interests) — that support knowledge sharing and promote a culture of continuous learning and collaboration.

Given its unique vantage point across the organization, internal auditing is well positioned to play a key role in the organization's KM strategy by capturing and sharing knowledge about best practices regarding business processes and controls. In fact, some organizations are harnessing their cumulative knowledge by empowering the internal audit function to act as an enterprisewide knowledge center and facilitator. The challenge for internal audit departments is to realize the potential value of KM as a tool to improve their effectiveness and that of their organizations. Audit departments can undertake several actions to help solidify their stature as the enterprisewide resource center for risk, control, and best practices information.

DEFINE A STRATEGY

Developing a KM strategy requires an understanding of internal auditing's role and mission. Audit departments should define the goals of their KM initiative within the audit charter and accompanying strategy documents. Although organizations are free to develop any goals for their KM programs, most efforts focus on internal controls, enterprisewide risk, internal audit efficiency, and business process best practices.

The KM strategy should also consider the users of the knowledge. Many find it helpful to differentiate between knowledge needed within the audit function and knowledge that would be useful to the business units. This distinction can be made by having multiple categories of information, such as function-specific and business unit-specific information.

A strategy that establishes content priorities can help avoid information overload. The audit group might make the management and sharing of recent findings a priority. This could include data collection, analysis, and templates to share the information while it is current. Updating general business materials and reference sources may be less of a priority. Also, it may be helpful to include a process to ensure that knowledge is relevant and timely. Some auditors use subject matter experts or knowledge managers to review information to ensure it meets the criteria for retention and is free of outdated information.

When setting goals, audit departments should identify how internal auditors will gather, extract, analyze, format, and disseminate knowledge. It is not sufficient to base a KM strategy on simply asking staff to share knowledge. Processes must be established to support the strategy.

Sophisticated KM programs embed knowledge gathering into work processes. Auditors identify best practices during the audit, record them in workpapers, and post them on databases accessible throughout the organization. For example, internal auditors at a U.S.-based global consumer goods conglomerate identify and record best practices throughout the course of an audit and write them up as mini case studies that are posted on the company's internal audit Web site. Additionally, it is helpful for auditors to identify critical success factors for the KM strategy such as senior management support, the sufficiency of resources, and how to handle change. For example, effective change management techniques such as training, communications plans, and project management offices should be deployed to ensure the success of a significant KM initiative.

EMBED KM INTO THE AUDIT PROCESS

Ideally, KM activities are integrated into internal audit operations, helping to increase awareness among auditors and their stakeholders about the benefits of effective knowledge sharing. Training auditors on KM as a core audit process should start when new auditors are hired or rotated into the department.

The auditor's work approach can systematically include the identification of new best practices in managing risks and controls and the potential for applying existing practices to other processes. By continually searching for ways that information and practices from one department or business unit can benefit other areas of the organization, internal auditors raise the value of their services to the business. A U.S. pharmaceutical company injects KM into its risk management strategy by using internal auditors as the conduit for gathering and sharing risk-related knowledge. Because the organization does not have a centralized risk management function, internal auditing is primarily responsible for assessing the risk profile. Once a year, in preparation for developing the annual audit plan, the audit department distributes a risk summary list to key executives. The list, which outlines 25 to 30 unique business risks, prompts executives to think proactively about the risks the organization faces and particularly about how various risks associated with one business unit may affect others. The audit function then uses executives' feedback relating to the risk summaries to construct the annual audit plan.

ACQUIRE ENABLING TECHNOLOGY

Although successful KM initiatives stem primarily from cultures that promote knowledge sharing and collaboration, technology helps companies achieve even greater efficiency in these efforts. An organization's KM strategy typically drives software selection. Thinking through the workflow process can help narrow technology requirements. Most companies opt for Web-based applications or client-server programs that can be accessed via corporate networks or the Internet. These applications typically feature controls to manage user data access, allowing certain stakeholders to alter the content and assigning others "read-only" access. Another option is groupware that has updatable databases, instant messaging, e-mail, and capabilities that enable shared access to document templates, past audit reports, and control, risk, and best practices inventories.

The best technologies offer capabilities that allow audit and business managers to access information such as the status of management corrective actions, number of audit findings outstanding or completed, types of risks or control issues being identified in audits, and profiles that summarize the essentials of open audit projects, including lead auditor, audit client contact, audit scope, and objectives. The audit department of a U.S.-based holding company that owns several financial services and insurance firms implemented Lotus Notes as a KM tool to assist its U.S. Sarbanes-Oxley Act of 2002 compliance efforts. The software includes comprehensive messaging, data storage, and retrieval components that can be customized to an organization's specific needs. The company's internal auditors used the software to document 178 unique business processes, each with seven to eight controls, and stored them in a massive virtual library within the Notes suite. The audit staff can now use system tools to analyze, track, and perform ad-hoc analyses on all internal controls.

LOOK FOR RISK-PROFILE CHANGES AND TRENDS

Managers and process owners are sometimes too close to a process to develop an objective assessment of risk factors; however, audit functions can use their capabilities to analyze organizational trends and look for patterns that might signal a change in the overall risk profile. By accessing risk and audit data from a Web portal or dashboard, audit practitioners can arrive at a wide-ranging outlook that provides a clearer, more accurate assessment of enterprisewide issues, trends, and risks. Many organizations benefit greatly from this type of information. Some audit groups compile and share trend information on a quarterly basis with the business units and audit committee.

A U.S. financial services company with nearly US $8 billion in sales uses a Web-accessible controls database that features tracking and notification systems that assist with Sarbanes-Oxley certifications and provides a single point to track audit issues. When certifications indicate a control weakness or exception, the automated system requires the owner to enter planned corrections and target dates to rectify the weakness. Failure to perform corrective action spurs the system to send automatic notifications to the owner, business-unit chief financial officer, and company controller. The system continues to send e-mails until the process owner corrects and closes the issue. Conversely, business unit managers can obtain copies of summary reports on audit issues that internal auditors use to keep senior executives apprised of audit concerns and trends.

CENTRALIZE STORAGE OF RISK AND CONTROL DATA

Realizing that diverse risks within the organization overlap and interact, internal auditors should continually strive to provide risk and control information to stakeholders, including process owners, their managers, external auditors, and senior management. Centralizing risk and control libraries is one of the most common KM applications for internal auditing, particularly since regulators have been targeting internal controls in the wake of high-profile accounting scandals.

Creating risk and control databases gives audit practitioners the capability to reference and update internal controls from anywhere in the world. Similarly, senior managers can access risk and control databases to obtain timely overviews of the organization's risk profile or of the current state of internal control. Auditors at the financial services company centralized critical compliance-related information by creating a controls database containing summaries of more than 11,000 control procedures for 350 business processes. The system facilitates the internal control certification process to comply with Sarbanes-Oxley Section 404. Interactive task menus indicate when lower-level managers certify their controls and provide them a vehicle with which to communicate any control weaknesses and their remedies. The system provides security to ensure that unauthorized personnel cannot change the control content.

CREATE A BEST PRACTICES DATABASE

Although many leading companies are shifting their KM efforts to emphasize risk and control, an audit approach that focuses on identifying best practices also has a place in mitigating risks, because true best practices inherently reduce risk and competitive vulnerability. Moreover, since internal auditors are firsthand observers of most processes within their organization, they are uniquely positioned to identify, document, and share best practices with others. As part of their quest for best practices, audit departments might also want the capability to access information from external sources, such as relevant articles by industry thought leaders and links to tools, checklists, and Web sites. This approach creates a process by which organizations, through their audit departments, continually accumulate knowledge and identify better ways of working.

Organizations that empower their internal audit staff to add value through consulting and process-improvement services can realize considerable gains in efficiency and quality. The audit department of the financial services organization primarily uses a risk-based audit approach but incorporates best practice information into its engagements as a secondary goal. Even without process improvement being its primary focus, the audit department has been able to make recommendations that have generated cost savings totaling more than three times the internal audit function's annual budget.

Best practices have the strongest impact when they are disseminated regularly and when audit clients understand their benefits. Internal audit departments can support the adoption of best practices by:

  • Establishing a working definition of best practice on which auditors and other audit stakeholders agree and that can be used in discussing internal improvement initiatives. A best practice is commonly defined as one that has proven to deliver business process improvements, such as lower costs, improved quality, or reduced time.
  • Communicating in the audit plan the goal of providing best practice insights. Although this is not an uncommon goal for audit departments, articulating it formally on the front end helps to emphasize auditors' knowledge-sharing role.
  • Adopting a method of evaluating best practices. In addition to accessing external resources to validate best practices, internal audit departments can use both technology-based and traditional methods of knowledge sharing (e.g., discussion) to vet practices within the organization. This might involve considering alternative approaches to achieving a best practice and reaching consensus on standard recommendations.
  • Developing a template for sharing best practices in a clear, consistent manner. The format for the template might be as simple as bulleted lists of recommended best practices for a specific business process.

Internal auditors can supplement best practices with benchmarking to quantify performance improvement. Benchmarking against internal performance measures can gauge process improvement after a business unit has implemented a best practice, while external benchmarking against organizations of similar size or within the same industry can help identify areas of competitive vulnerability. Companies may want to include both internal and external benchmarking information for easy reference, enabling auditors to compare a business unit or functional group's performance in a specific area with a peer company or group.

BECOME THE EDUCATION HUB

To maintain their professionalism and ability to offer high-quality assurance services, internal auditors continually pursue professional training and keep abreast of regulatory, legal, and accounting issues, as well as business trends. Therefore, it follows that internal auditors are uniquely qualified to act as corporate advisers in matters relating to risk, control, and governance.

Many organizations are enlisting internal auditors to partner with corporate trainers to develop or coordinate education programs. The administration of these programs is usually handed off to an organization's training and development department. For instance, in response to recent heightened expectations of audit committees, a US $10 billion electronics manufacturer and service provider engaged its chief audit executive (CAE) to perform an assessment of the audit committee's understanding of its duties. The CAE identified five areas where the audit committee could benefit from additional knowledge:

  • Principles of risk management and internal controls.
  • Financial reporting and accounting standards.
  • Risk identification.
  • Understanding of the industry.
  • The committee's own responsibilities and expectations for regulators, investors, management, and internal and external auditors.

Based on these findings, the CAE developed a training plan that incorporated personal presentations, reading materials, and off-site training. The result was a much stronger audit committee whose members were prepared to weather the challenges presented by increased investor and regulatory scrutiny.

At the U.S.-based financial services company, the internal audit staff teamed with the corporate education services function to develop a Web-accessible training program to teach managers about internal controls and control self-assessments (CSAs). The intranet site allowed managers to perform CSAs online and peruse control summaries for 27 common industry-related functions. The internal audit management team supplemented the intranet site with "road show" presentations at senior management meetings, as well as a videotaped walk-through of a CSA session.

Measures of Success

How well does your organization's audit department centralize and share risk, control, and best practice information? Performance measures that can help you track and quantify your knowledge management efforts include:

  • Percentage of audit stakeholders who have received control, risk, and governance training.
  • Number of risk, control, and governance educational sessions offered annually by internal auditing.
  • Number of requests from business units for assistance with risk, control, or regulatory issues.
  • Number of "hits" on internal auditing's risk and control Web site.
  • Cost savings due to implementation of audit recommendations and best practices.
  • Time and frequency of updated risk and control data provided to appropriate stakeholders.
  • Client satisfaction survey results regarding the quality of internal audit reports.
  • Number of new internal audit projects or audits related to risk management and governance activities.

By monitoring some or all of these measures, audit departments can gauge their success in capturing and sharing knowledge and delivering even greater value to their organizations.

MONITOR, MEASURE, AND REWARD RESULTS

As the saying goes, "What gets measured gets done." Too often, organizations embark on well-intended initiatives to develop KM and ask employees to share information or populate databases, but without putting measurement processes in place. Ultimately, in such cases, the KM program often develops little activity, knowledge is not shared, and no real value comes of the effort.

Accordingly, key success factors for a KM program are robust measurement and comparison to the goals of the program (see "Measures of Success" above). It must be clear that KM is a core process for internal auditing and a required activity for auditors. Some organizations have found that staff members become more active participants in knowledge sharing when their individual contributions are monitored and rewarded, either through public praise or sometimes also as an evaluation point during the performance appraisal process.

WHERE KNOWLEDGE RESIDES

Internal auditors have always been logical gatherers and disseminators of best practice information because their work touches every corner of the organization. Corporate governance reforms have served to underscore the importance of having a centralized place where knowledge resides: an organizational control center. By establishing internal auditing as an enterprisewide resource center, organizations have ready access to risk, control, and best practice information. And by sharing this knowledge with process owners, internal auditors continually add value to the audit process, helping ensure that intellectual assets and shared learning are leveraged fully.

The focus on knowledge sharing will become even more critical in the years ahead, as millions of baby boomers near retirement age and organizations face significant workforce turnover, especially in the ranks of their most experienced employees. Further enhancing internal auditing's role as a keeper of organizational knowledge will provide a hedge against the threat of an aging and ever more transient workforce.

To comment on this article, e-mail the authors at richard.anderson@theiia.org.

