Executing internal audits beyond the traditional scope

12 April 2024

In a new series of blog posts, Annemie Pelgrims, Expert Practice Leader in Risk, and Project Manager Steve van der Steen will explore critical topics in internal audit. They will offer insights and perspectives on key topics such as high-impact internal audits, internal controls, continuous control monitoring, and risk management. Be sure to check back for practical advice and informed discussions to improve your organization's internal audit practices.

Internal Audit taking up a business partner role

The scope and objectives of Internal Audit have expanded over time to adapt to emerging risks, regulatory requirements and evolving business needs. In the current disruptive business environment, how can Internal Audit create value?

‘Previously, Internal Audit primarily focused on assessing process compliance. This narrow view limited the exploration of its broader possibilities,’ says Annemie. ‘However, with the current business disruptions and shifts happening, the C-suite is starting to recognize the potential of internal audit in assessing and mitigating the emerging risks associated with these disruptions. This shift in tone at the top will enable Internal Auditors to take up a business partner role. Today, Internal Audit supports C-suite with the achievement of the company’s objectives.’

Risk-based audit plan

A risk-based internal audit plan will help Internal Audit in addressing the (emerging) risks the organization faces today, anticipating future risks and providing insights that will help management achieve a competitive advantage.

The development and implementation of a risk-based internal audit plan requires a rolling risk assessment, in which Internal Audit and the business assess the likelihood and impact of existing and emerging risks on a periodic basis, taking into account the maturity level of the relevant internal controls.

Based on a number of parameters and together with management, Internal Audit then decides which (emerging) risks can be addressed by an internal audit, which will create impact and add value to the organization. ‘We refer to this type of audit as high impact internal audit,’ Annemie says. 

She specifically identifies emerging risks as the catalyst for high-impact internal auditing. ‘High impact audits address emerging strategic, operational, financial and compliance risks that are top of mind with C-suite,’ she says.

‘During these internal audits, we also test full data sets to create impact,’ Steve adds. ‘If you tell a CFO that 25 invoices were paid twice or that all invoices were paid twice ... that's a very different ballgame.’

The audit committee and the C-suite must have faith in Internal Audit's ability to deliver, offering essential support, credibility, and endorsement for the added value that we provide and which will make a significant impact.

Annemie Pelgrims, Expert Practice Leader Risk, TriFinance

High-impact internal audits

Examples of high-impact internal audits that will be discussed in detail during upcoming webinars and round tables are recruitment, ERP and shared service center audits. 

  1. Recruitment. ‘During our recruitment internal audit,’ Annemie says, ‘we assess, for instance, if risks related to the recruitment process such as incorrectly forecasted personnel needs, unspecified selection criteria or wages that are not market-conform are mitigated by internal controls. That way, the organization avoids under/overstaffing or unqualified employees incorrectly performing their job, both of which can result in the organization not meeting its objectives.’ The importance of the emerging risks in relation to the recruitment process is also highlighted in the 2024 IIA survey, where ‘Human Capital’ is rated as the second highest risk by C-suite members worldwide.
  2. ERP systems. Another example of a high-impact internal audit revolves around the implementation of new ERP systems, which is often a key lever for transformation. ‘We monitor both project-related and substantive risks,’ says Annemie. ‘From implementation delays and budget overruns to the quality of the transferred data and the customization of the ERP package. And of course: How is change management handled?’ ‘A lot of companies do that after the fact, in a kind of firefighter mode,’ says Steve. ‘When in fact you could just as well have included it preventively. Under the motto: prevention is better than cure.’
  3. Shared Service Centers. A third high-impact internal audit, which Annemie and Steve repeatedly see included in risk-based audit plans, assesses whether Shared Service Centers are operating effectively and efficiently. ‘This internal audit checks whether the center has achieved its initial goals,’ Steve says, ‘and whether all inherent risks are covered by internal controls. This usually involves processes in multiple countries, and process flows running completely differently in, say, the US from here. Implementing a Shared Service Center often brings a lot of change as well. Your processes change, but also your organizational structure and sometimes even your systems. You're also faced with a knowledge transfer from your local team to the Shared Service Center team. So that's where that change management comes in again.’

Internal Audit adapting to rapid change

When an internal auditor claims the role of business partner, the support of the audit committee and the C-suite is indispensable. They must have faith in Internal Audit's ability to deliver, offering essential support, credibility, and endorsement for the added value that we provide and which will make a significant impact.

That's the ideal scenario. CEOs still need to be convinced of the importance of Internal Audit, which is still too often seen as a pure compliance exercise or a cost. ‘But the world is moving so fast these days,’ Annemie says.

‘The pace of change is relentless,’ Annemie emphasizes. ‘We use AI widely; data processing has increased exponentially. As a result, the risk of process anomalies and errors increases dramatically. Internal audit importance grows accordingly.’