A Quarterly Newsletter from the UAE and Oman member firms of the PKF International Ltd. network

VOL 18, Issue 4 October 2016



Why internal audit?

Whilst the Board formulates plans and strategies and assembles resources necessary to achieve organisational goals, the actual execution of tasks to achieve these objectives is entrusted to the management. However, the time lag between the planning process and execution of the plan creates the risk that conditions can change from those envisaged at the planning stage. Further, it is difficult at the planning stage to anticipate (and control) all the ways in which performance measures can fail. To overcome this difficulty, it is necessary that a “monitoring” or an “audit function” should be established in the organization.

The internal audit function is, thus, a natural and necessary part of any organization, although its set-up may differ depending upon the organization’s needs and external influences. As the organization grows and changes its size and scale of operations, so does the role of the internal auditor. Therefore, the role of the internal auditor is a reflection of the needs and expectations of the organization as a whole at a particular phase in its development. Its scope should be determined by where the company wants to scale.

Need for value addition

All organizations exist to add value to their stakeholders. But “value” is an elusive word which can mean different things to different stakeholders – to shareholders, “value” could mean a rise in the share price; to senior management, it could mean bringing in operational effectiveness; to the board of directors, it could mean no surprises at reporting dates; and to regulatory authorities, value would, generally, mean compliance with relevant laws.

For internal audit, the need to add value is fundamental for its survival or sustainability – failing which it could be a “victim to recession”. Internal audit in any organisation is uniquely positioned to add value to the organisation. Its unique position as an objective review function provides an opportunity to bring value and insight to the business units and functions that it audits. Internal audit can therefore play an important role in providing the stakeholders with an objective view as to how well the business understands the risks it faces and successfully and efficiently mitigates them.

Partnering with management

In its assurance role, it will provide comfort to the management that the policies and procedures followed by the business units/functions are in sync with the established norms and deviations, if any, are addressed effectively to bring to bring back to the desired level of compliance. In its compliance role, there is always a danger that the matter communicated by the internal auditor is a one-sided view. One could be tempted to rush and state based on audit tests carried out, that “Compliance is considered ineffective and auditee response is sought to ensure compliance”. This behavior/ reporting style is typically driven by the power of the engagement and results in undesirable conflicts at the function level without addressing the real risk. What is essential is to address the real risk of non-compliance. To add value in this process, additional time and effort needs to be put in by the auditor to understand the background of the situation and the impact of failure on non-compliance. It is here that there should be collaborative effort with the management to understand how significant the risk of control failure is, whether management is aware about it and what they are doing to fix it. This collaborative effort/ multi-dimensional view will place “the issue” at the centre of the discussion and through deliberation bring in the desired change(s) in action, behavior or conduct at the people or process level to improve the level of compliance. This approach would thus facilitate a holistic yet balanced view of risk and control environment.

Maintaining a culture by establishing partnership over independence without losing objectivity could also help organizations view internal audit functions as a value-add resource. Rather than merely spending time and effort in identifying internal control weakness, the function should also find ways to improve the functioning of the business.

Working towards a common goal

Organisational alignment is another way by which the function can stay relevant to the organisation. Best-in-class internal audit departments align internal auditors as “relationship managers” to specific areas within the lines of business. In this way, they stay in contact with the area specific manager and conduct periodic meetings or hold impromptu discussions to share common control issues identified in other departments and also stay abreast of changing risk profile to the business unit. These meetings not only build relationships within the organisation but it also helps to stay current of the risk profile. Thus, the more time internal audit is engaged with different working groups in the company, the more access to information they have. This would the identification of risks and make proper, logical use of information they have access to, resulting in recommendations being more practical.

Offering a bouquet of services

Lastly, more than just being an appraiser function, to be relevant to the organization, internal audit should have a wide array of services under their assurance and consulting role. These could include process audit, internal control and risk assessment, conducting self-assessment workshops, assess operational effectiveness; determine cost reduction opportunities and waste elimination opportunities and evaluate corporate governance effectiveness.

Sharing “good practices” is an efficient method of adding value within organizations. But it is important that the good practices shared are concise enough so that the areas not directly involved in the audit will be willing to take account of them. It is equally important that the report should be long enough to present ideas in a coherent manner.

Thus there is a huge challenge for internal audit teams to serve their stakeholders at the appropriate level and to provide all proactive and independent assurance required with the expected value.

In conclusion

How an organisation does use the internal audit function is entirely up to it, but for the function to add value, it is of paramount importance that internal audit leadership demonstrates the right skills, talent and aptitude and the internal audit team have the breadth and depth of skills to meet the needs of today’s demanding environment.

(This article has been compiled by our associate partner, Mr. Shajan Abraham who heads the Risk Advisory service.)