"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations" as defined by The Institute of Internal Auditors Australia. It holds numerous benefits for improving an organisation's risk management systems and procedures due to its systematic and disciplined approach.
Internal audit plays an important role for organisations to improve management and accountability and provide assurance to key stakeholders that the organisation is governed effectively.
Internal audit provides:
- Independent and unbiased assessments of the operations of the organisation.
- Management with information on the effectiveness of their operating controls.
- Recommendations and advice to improve processes.
- First line of defence
Under the first line of defence, operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
- Second line of defence
The second line of defence consists of activities that specialise in risk management, quality and compliance. This line oversees and supports first line activities.
- Third line of defence
Internal audit forms the organisation’s third line of defence. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors
and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of
There is clearly a concrete connection of internal audit to the enterprise risk framework.
Read the article: Risk Governance and the Three Lines of Defence
Internal Audit Planning
Internal audit has a number of avenues to support the planning mechanism:
- Consultation with executives, managers and the audit committee.
- Analysis of management reports, risk profiles, incidents, complaints, metrics, prior audits and external audit work.
- Researching market trends, regulations and emerging risks.
A critical component of internal audit planning is understanding the key risks for particular business units or processes and their associated controls. This task is made a lot easier with Protecht.ERM as it centralises divisional risk assessments into a single platform, as opposed to a disparate disconnected set of spreadsheets. Risk profiling dashboards allow internal auditors to quickly view a divisional risk assessment to ascertain what are the key risks that have been identified by the first line. Filters allow specific business units or risks to be selected.
Controls can also be more easily investigated through the central library of controls that have been classified by control categories and control type. Other features such as whether they are automated or manual, or whether they are a key control can also be captured.
Once classified, visualisation of the control framework across a division or organisation can be more easily achieved. In the example below we can quickly see a lack of segregation of duty controls, and a lack of reactive controls in this particular control library. Internal auditors can use this information to focus on control group weaknesses.
You can read the eBook we wrote about this topic: How to get more intimate with your controls
However, imagine being able to look at a business unit risk profile and see all connected information to a given risk at a glance. RiskInMotion™️ aggregates information such as:
- Control testing results
- Key risk indicators
- Overdue actions or regulatory findings
And plots the aggregated information against the divisional or group risks.
Internal auditors can more quickly identify problem risks based on the volume of aggregated, connected information. Drilling down into the risk allows the auditor to see more detail about the aggregated information.
Apart from supporting the audit planning phase, Protecht.ERM facilitates capture of the plan details. The plan ‘form’ references library information already in the application such as business units being targeted, auditees (users), risks and controls being addressed and the expected time the audit will be executed. Planning documents can also be stored.
Once the audit has been planned, internal auditors will execute the audit. Execution and workpapers continue to be done in word or excel for the majority of our clients. However, Protecht.ERM now provides a central location to store completed workpapers, and ratings for the audits conducted.
Once the audit has been completed, a number of internal audit findings and recommendations will be raised for 1st line managers to consider.
Findings in traditional internal audit functions have the following weaknesses:
- Findings are not connected to a risk – making aggregation against the risk profile difficult if not impossible.
- Findings are kept in an excel file for tracking with manual emails generated to owners to provide
an update on recommended actions that is then transposed into the master excel file.
For the first weakness, internal audit findings can be connected to the central library of risks and controls. In the screenshot below we can see the connected risk for this finding, being fed from the central library
For the second weakness of findings stored in excel files, Protecht.ERM makes the whole process more efficient by:
- Centrally storing the findings
- Automatically generating emails for update requests and closure reviews through the workflow engine.
- Allowing owners to directly update the finding and or associated actions in the application.
These activities reduce the amount of time the internal audit team is spent administrating the
findings. Audit trails in an ERM application are also more robust than an excel file, to see how the
finding has been modified over time.
Internal Audit Reporting
Apart from the issuance of audit reports, internal audit has the responsibility to ensure that findings,
first line responses and closure rates are reported to audit committees in a way that allows them to quickly visualise this information. Protecht.ERM’s integrated analytics engine allows such visualisation.
There is no escaping the hard yards to do internal audit properly; It takes time, dedication
and the appropriate resources.
If you are interested in learning more, please send an email to firstname.lastname@example.org.
For more information you can watch the webinar recording: