I'm working on our IA strategic plan. Aside from assurance and consulting, what is one Internal Audit activity that you think adds the most value to your organization?
Sort by:
The ‘people’ aspect is the most critical element . Particularly clear reporting lines and accountability and the level of skilled resourcing .
Internal audit is in a unique position to observe and comment on these aspects .
Thanks for your reply, Alice. That’s a very helpful idea. I don’t think we do enough of that at this point. What does that look like to you when your auditor makes a recommendation on skilled resourcing? I think we had a missed opportunity around this last year but I would like to look for chances to add that value in the future.
During walkthroughs and subsequent controls testing, some staff may not be able to articulate what is the purpose of the control that is being undertaken. eg, the impact of breaks in a reconciliation can lead to unknown transactions not being discovered or there are flow on downstream impact on other teams. The observations are helpful because beyond standard operating procedures and training, a real understanding of the how and why will strengthen the team's impact and align to how a staff member fit to the broader purpose of the organization. Let me know if this is helpful?
When you say consulting, what exactly are you referring to, because that is rather broad too? Are you referring to providing assurance on design of critical transformation? Are there any opportunities where IA can sit in steering committee of certain projects, while the mandate may be similar, your profile and voice and hence impact would be different.
Any thematic audits? That would cut across numerous businesses and provide a different level of assurance.
Happy to discuss if you have questions.
Thanks for your reply. You’re right, consulting can be pretty broad. We have good involvement in many large projects and are doing our first critical transformation project consult this year. It’s still a work in progress getting a seat at the table on all the most important steering committees and we really don’t have enough resources to be in everything that I wish we could be.<br><br>We actually did our first two thematic audits last year (brilliant idea from our IA Director) and they were very insightful. Thanks for your comments.<br>
I would say from an audit perspective, it's duplicates. We actually have some reporting that we pull from our systems to identify duplicate or suspected duplicate payments. It looks for invoices with common or similar data in fields—maybe it's the same supplier with similar invoice numbers. Finding those duplicates, typically your internal audit team looks at controls but also looks at your data. Some take a deeper dive into data and processes. They can find gaps or require certain fields on customers/suppliers. Maybe they have tools to look for those and dive into your data.
I think the most value from an audit is highlighting differences—if I have 65-day terms but pay 50% in 30 days. Those types of things look for anomalies. There are tools to help—process mining tools. We use one that interrogates. You tell it the standard process. It goes through transactions and highlights where you strayed from the process. Maybe you constantly change something, so you need to change the process or fix the root cause to achieve a standard.
It is about building trust through transparency and safety. You want business owners to be open, honest and comprehensive with potential risks and threats. This transparency should be recognized and rewarded openly with safety that there is no punishment or retaliation for sharing risk information.
I think knowing how best to work with your 1st and 2nd line is also really important, to avoid duplication of work or audit fatigue but also provides the board with more aligned views of risks and controls.