Internal Audit in mid-sized and smaller organisations currently involves a dry review of the Purchase, Sales, Operations, Finance and Payroll functions, with results more likely to reveal inefficiencies in process and authorisation and non-adherence to documented policies. Unfortunately, such results more often than not do not lead to cost optimisation or to a risk mitigation measure. A further lacuna in the Internal Audit of these functions is that most checklists are not designed or geared to cover the essential risks that each functional area embeds, or their consequential impact on the organisation as a whole.
A clear shift is warranted in the manner in which Internal Audit is perceived today. A lack of technological data analytics support and an unclear risk identification strategy have made the processes and controls in the company vulnerable to risk. There is a clear lack of technical expertise, coupled with a lack of experienced bandwidth, to provide a rounded solution to the management and stakeholders at large.
With advances in information technology, new products being launched, pressure on supply chain management and increased stress on Human Capital Management, present-day Internal Auditors must tailor their expertise towards devising means and methods that enable the organisation to have answers on correct pricing strategy, business disaster planning, exception transaction reporting and optimisation of turnaround time in processes.
Although no statutory definition of Risk Based Internal Audit exists, Risk Based Internal Audit essentially encompasses:
1. Verification aimed at identifying Risk
2. Developing a Risk Methodology framework
3. Value Creation through benchmarked process and cost optimization
4. Risk Mitigation Strategy
5. Ongoing Monitoring by Management, Business owners and Risk Based Internal Auditor
One of the most tested ways of performing a risk-based review is to draw up a Control Matrix which, for each financial statement area, identifies what can go wrong, the controls that are in place to mitigate what can go wrong, and a regular monitoring mechanism to stay on course during the whole process.
The Risk Based Internal Audit Team should present its audit findings in a matrix categorising risk into three broad categories, namely 1) Acceptable, 2) Medium and 3) Un-acceptable. Special attention should be given to risk categorised as ‘Un-acceptable’, and a comprehensive recommendatory risk mitigation strategy should be developed in consultation with the management and implemented as immediate recourse. Risks that unarguably form part of ‘Un-acceptable risk’ include: lack of a Business Recovery Plan, severe overriding controls, governance default etc. For the above to be achieved, technological audit tools will play a pivotal role in maximising the desired results. Data analytics tools, defining the risk universe and stratified sampling will help in identifying the correct and relevant sample population.
Going forward, Risk Based Internal Audit consultants would be treated as business partners, and management will seek to work closely with them to attain greater business value. In turn, there will be greater and constant pressure on Risk Based Internal Audit consultants to demonstrate Value Propositions to the management, which would be possible only if they stay abreast of the latest reforms and their likely impact, and prepare the organisation to face and overcome challenges at different phases of its business life cycle.