5 best practices for auditors
Under the Sarbanes-Oxley Act (SOX), the role of internal audit has become increasingly important. Auditors are responsible for providing independent assurance that an organization’s risk management, governance, and internal control processes are effective. They can provide oversight beyond the financial implications, looking at the organization’s operations at large, including reputation, employee treatment, and environmental impact. When working in an open and collaborative environment, auditors have the opportunity to not only identify problem areas, but also to provide strategic insights that will propel the organization forward.
In many organizations, however, that open collaboration doesn’t happen—there’s a disconnect between the internal audit function and the rest of the business. In that case, auditors don’t have visibility within the organization, and they are often left out of key strategic decisions. They can’t always get access to the data they need to generate reports and strategic recommendations. They’re left flying blind, and the rest of the organization may see them as an irritation, rather than as a strategic partner.
Fortunately, Dan Clark, principal of D. Clark Risk Advisory Services, has provided us with 5 recommended methods for closing the gap between audit and the rest of the business.
Five best practices for auditors to close the gap:
1. Build Alignment With Stakeholders Across the Business
Almost half of poll respondents said that the biggest barrier to building alignment between internal audit and business functions was a lack of ongoing communication (45%), followed by a mistrust of internal audit by business functions (22%) and a lack of clear lines of process ownership (21%).
In many organizations, roles and responsibilities aren’t clearly articulated, and divisions don’t collaborate enough to understand priorities, leading to miscommunication and duplication of labor across departments.
But some auditors have come up with creative ways to address these issues. Dan recounts the story of an auditor named Deb, whose process teams struggled with communication. She decided to host a pizza party for all of the teams—it was the first time everyone had been in the same room in three years.
During the gathering, they discussed their own roles in the audit process and began openly communicating about how to work together to solve problems. The pizza party was so successful that Deb made it a quarterly event that focused on issues impacting their day-to-day operations. The organization saw a sizable increase in cohesion among staff, and audits began running faster and more smoothly. Since then, Deb has been promoted to operations manager.
While a pizza party isn’t always feasible (especially during a pandemic), look for opportunities to bring together different functions in a casual roundtable setting. Host an online workshop and invite a guest speaker to discuss a current regulatory issue that your team members will be interested in. On an ongoing basis, consider using your intranet or a knowledge-sharing tool to ask and answer questions across departments and to facilitate ongoing discussion. By building a culture of collaboration across all of the process teams, you’ll be able to easily share insights and improve the audit process for everyone involved.
2. Evolve the Three Lines of Defense (3LoD) Model Through New Audit Tools
In today’s highly regulatory environment, auditors should be on the front line from the beginning, working with the risk management and compliance teams to build a strategy for assessing and managing business risk. However, it’s often a challenge for auditors to have their voices heard.
The solution comes down to creativity. In one case study, credit risk review officer Scott wanted to prove his division’s value to the organization and get other teams to better understand the auditing process. In order to do so, he was able to convince leadership to have all new loan officers spend their first 30 days working in credit risk review. This helped them see what the audit team did and how they did it, and gave them a new perspective on the business function. He also spearheaded educational content, including quarterly workshops and a bimonthly newsletter. The newsletter was so popular that the commercial lending team took ownership of it, providing new respect and recognition to the credit risk review function.
Auditors can look for new opportunities to present their information—whether through newsletters, workshops, videos, or graphic presentations, or even via interactive websites. By giving business functions many ways to take in content, you can make the audit team more relevant and compelling to the organization.
3. Deepen Analytics to Get More Timely Insights Into Risk
In-depth analytics are critical for auditors. They can help us better understand processes and data flow, create better audit programs, and enhance internal audit’s value proposition to the organization. But business functions are often reluctant to share their data with the audit team.
However, by making an effort to be of value to business functions, auditors can expand their access to data. Dan cites the example of Stephanie, a senior auditor with exceptional Excel and PowerPoint skills. When a business function manager had to give a presentation to the board, but didn’t know how to drill down into the data to get the information she needed or how to present it effectively, Stephanie offered to help her, working after hours to collaborate on the presentation.
On the day of the presentation, the manager called Stephanie into the board meeting to recognize her contributions and thank her for her work. From that point, Stephanie was able to ensure access to the data she needed for her work on the auditing team.
In order to gain access to data from other business functions, look at how you can use your skills to help them, and build trust between teams. Better collaboration will help you get access to the information you need to make both teams successful.
4. Communicate More effectively With the C-Suite
Many auditors find that the C-suite doesn’t recognize the value of the internal audit team. They tend to think that auditors are just there to check controls, and they want the audit team to keep doing things the way they’ve always done them. In many cases, the team hasn’t clearly communicated how they add value, or has struggled to find ways to add value. All of this results in low engagement between leadership and the audit teams.
How do we get around this? Focus on better education about what you do, and open the lines of communication. Dan knows one auditor who began sending the C-suite a regular audit “snap”: a one-pager that included the status of the audit plan, a success story where a business function had implemented audit’s suggestions with positive results, and an opinion piece on policy, risk, and controls. The auditor began to receive regular feedback from the board and senior management, as well as invitations to board meetings and sessions where her feedback was solicited. By providing thought leadership in your field, you can prove your value and become part of the conversation with your C-suite.
5. Become a Strategic Partner by Offering Data-Driven Information
Finally, one of the best ways that you can enhance internal audit’s brand is by serving as a strategic consulting partner to lines of business. Doing so can help you highlight your team’s skills, demonstrate audit’s work in a more collaborative light, give business units a reason to reach out to audit, and provide more ways for audit to add value.
For instance, as COVID-19 began and businesses were forced to radically reshape their operations, some audit teams were able to take on additional responsibilities in risk assessment, offering strategic recommendations around introducing new protocols. Make it clear that your audit team can do what’s needed to help, even if it falls outside of traditional job descriptions.
Audit teams can also support business units with ongoing advisory and consulting services, using their skill sets as auditors to help business teams with strategic support, instead of focusing only on compliance. For example, one audit team was able to begin a consulting practice focusing on data risk management, providing the business unit with recommendations and an action plan. The management team was so happy with this approach that it asked the audit team to consult in other areas; using their in-house expertise resulted in saving $500,000 in outside consulting fees.
The audit function often suffers from a lack of communication with other lines of business—but by making a concerted effort to foster cross-team collaboration and showcase their value to the rest of the organization as in the examples shown above, audit can generate new respect and authority within the organization. By ensuring that the audit team’s voice is heard throughout the process, you’ll be able to conduct better risk analysis and audits, improving the organization’s overall performance.
Learn more about how audit solutions from Diligent can position your audit team for greater success.