Five lessons can prepare internal auditors to advise business units on the design of IT systems and processes.
Much has been written about the need for the internal audit function to partner more with the business without compromising the independent assurance that it needs to provide to the board and other external stakeholders. There is concern that fulfilling one function will be at the expense of the other. The ideal is to have the right balance between providing independent assurance while simultaneously ensuring that the business implements a cost-effective control framework and mitigates the risk to an acceptable level.
Business partnering can be specifically beneficial for new projects such as IT systems or business process design. The auditor has an opportunity to review proposed process flows and design documents and can provide valuable feedback on the design of the controls. Management can act on this feedback before the project implementation, saving the organization money and improving efficiencies. Before they can enjoy the benefits of partnering, though, auditors and their business counterparts need to learn some key lessons.
1. OPEN COMMUNICATION
Although easier said than done, this variable is fundamental to ongoing success. Open communication can foster the relationship between internal audit and the business and provide the opportunity for a partnership. This communication process can give the business an understanding of the value that the internal audit function can bring to the table. This, in turn, is dependent on the individual personalities as well as the issue that both parties are seeking to resolve.
In an IT department, the "way in" to establish the business partnering relationship is through a project. For example, the internal auditor may be asked to review an IT system design document and provide feedback on the proposed control framework being suggested. This opportunity enables the auditor to review the control framework and recommend improvements that management can make. This is a win-win for both parties. First, the organization gains by reducing the need for rework and increasing the chance of getting the solution for the control framework component right the first time. For the internal auditor, it is an opportunity to demonstrate added value before the event rather than afterward. However, the internal auditor should ensure that the control advice provided meets the business requirements.
2. PERSONAL RELATIONSHIPS
When management is comfortable with a particular member of the internal audit team, this is the way in. If the internal auditor has previous operational experience, this could assist the business. For example, the auditor can translate his or her understanding of the demands and pressures of day-to-day business operations into practical control advice.
3. ADVICE VERSUS IMPLEMENTATION
An internal auditor may be asked to independently review the design of a system or process before it is implemented. However, to avoid an actual or perceived conflict of interest, it is imperative that the auditor only provides advice and does not assist in the implementation of the IT project. Later, the auditor may review the implementation of that design.
4. FIRST INTERACTION
Like everything else, first impressions count. To set itself up for long-term success, internal audit should choose its first project carefully and ensure that the advice provided is practical. In most instances, the timing and choice of interaction are out of internal audit’s hands, as the request may come from upper management. Even so, there is always opportunity to influence people at a personal level. For example, in an informal conversation, auditors could give the project manager an opinion on a specific issue that may not have been considered previously, or they may ask a probing question during a crucial meeting.
5. PARTNERING SKILL SETS
Internal auditors should be ready to listen, listen, and listen. There are times when the conversation around a topic may be classified as "whine," as many reasons are provided for why things are not working or how they should work. In this instance, internal auditors should just listen and take the opportunity to better understand the business environment and get a feel for things on the ground. It is amazing what can be done over coffee. By having meetings in a more relaxed environment, personnel may be more comfortable and willing to share more information with the auditor.
When meeting a new member of the client’s team, auditors should explain their role and disclose their responsibilities to management and the board. That way, the client will not be surprised if auditors have to report issues. Auditors should inform the client that issues will be raised through a managed process and that the client will have an opportunity to address them.
The client team member must be able to trust the internal auditor; this is where individual relationships are important. In most instances, clients are well aware of the auditor’s role and will not do anything to compromise it. They will acknowledge that things can be improved, and it is at this point that the auditor must approach the issue from a business perspective using a risk-based decision-making approach. For example, if a specific deliverable in the system development life cycle (SDLC) is not required due to the nature of the project, that deliverable should not be produced solely to ensure that it is ticked off the SDLC checklist. Instead, areas within a process that need urgent attention must be raised and reported by the auditor through the normal channels. If less significant improvements need to be made to the control framework, then the auditor can work with the client to design a better control. This assistance can help build the relationship between the business and internal audit.
AN AUDIT IMPERATIVE
Business partnering is imperative if the business is to consider the internal audit function as a partner on the project. In this process, auditors have to alter their mind-set to one of risk-based decision-making rooted in commercial reality. Relationships play an integral part in partnerships, and auditors will only get one chance to make a lasting impression.
Shannon Buckley, CIA, CPA, CISA, CGEIT, is a senior auditor at Bupa International in Sydenham, Victoria, Australia.