Internal Audit has an assurance role and partners with management and other parties to obtain assurance that the controls in place are working and that the business objectives are being met. This is one of the two main functions that modern Internal Audit performs, the role of assurance partner. The other function is that of Compliance Captain.
Senior and executive management is not directly involved in the running of the business (the operational side of the business). They have more of a strategic role to play to ensure that the business is heading in the right direction and that adjustments are made for changes in the business landscape. This is something like the captain of the ship who plots a course and is thereafter always vigilant for storms, ice-bergs and even pirate attacks. He leaves the actual running of the ship to his crew. His main role is to ensure that the ship reaches its destination intact.
Being divorced from the operational side of the business, senior and executive management rely on Internal Audit to give them information on how the business is doing. This information needs to be pro-active so that management can adjust their course prior to disaster occurring. It is therefore necessary to look at the high-risk areas of the business, starting with a risk assessment prior to determining what systems, processes or activities will be audited. We build relationships with line management and are one of the only departments who get to know the whole business, through visiting every department. When functioning properly we, as Internal Audit, become the eyes and ears of the business, somewhat like being in the crow’s nest and having an eagle eye of what is happening both on the ground and what lies ahead.
Unfortunately, Internal Audit is too often looking backwards at what happened and not looking now at what is happening and forwards to what could happen. Businesses and Internal Audit have to evolve to a more risk assurance-based approach and split the Internal Audit role into Compliance (ensuring that what should happen is happening) and Risk (looking at internal and external factors to see what could happen).
There are many models and tools that can be used and are not being used to help the captain ensure that the crew is performing as they should, that the ship is sailing in deep water and is avoiding any storms. We will mention some of the additional tools in the next article. There is an area of risk management called scenario planning that has not been adopted in most Internal Audit and this will also be discussed in detail.