Robert L. Mainardi - Beyond Audit

The three pillars of risk, control, and oversight form the basic structure of any effective risk-based audit methodology. It is critical that all internal audit team members have a clear and consistent understanding and the ability to define them to a client in nonaudit terms. So, let's briefly discuss each one, starting with risk.

Risk is the probability that an event or action will adversely impact the organization or business unit. Now that may seem like a good explanation of risk to an auditor, but business personnel do not speak in these terms. This definition seems too formal and comes off as the auditor lecturing the business partner, creating an environment equal to a teacher and a student. The key to any introduction or interaction with a client should feel like two people discussing a process – more importantly, the business process being examined. The auditor should try to turn every meeting with the client into a conversation about the business process and focus on developing a relationship that does not feel so much like an examination of what the business does not do well but an interaction between two people where the business representative is the process expert and the other person is there to learn how the process works from start to finish. Trying to communicate with this objective in mind will promote a healthy relationship foundation and that encourages the exchange of process-based knowledge instead of a judgment examination of the business process. As the business process knowledge sharing meeting continues, the auditor can work with the client to discuss risks without giving the formal definition to explain it. Any time the topic of risk comes up with a business partner, one of the first things the business partner will say is “losing money is a big risk for us.” While that may sound valuable to an auditor, losing money is not actually a risk. It is an impact of a risk happening in the business process. Think of it like this: A particular business risk was realized, and it cost the company money. So, remember, losing money may sound like a process risk but it is an impact of a risk and not a risk itself. Auditors must educate their business partner on risk being a barrier to the business team being able to accomplish their day-to-day activities to meet their business objectives. Risks do not represent impacts to the business process but impediments to doing their jobs.

When it comes to control, no business team is sitting in their offices looking for ways to add new controls to their process to strengthen the environment of their business operations. Most business units are wondering how they can do what they do faster so they can get more business and process more transactions. And in the business effort to go faster and process more transactions, it creates an environment that is ultimately not well controlled. As the auditor introduces the control concept, it should be linked to the idea of removing any barriers that could impede the business process from being completed in the most effective and efficient manner.

The control concept is then easily linked to the business oversight concept. Business oversight focuses on the information the business leadership team receives indicating that all business process components are operating as intended. As stated previously, there will be a deep dive on the three audit concepts of risk, control, and oversight in Chapter 5.

Once the auditor has cleared the first hurdle of explaining the key concepts of what audit does, it is important to clarify why audit does it. Most business teams can say they understand what the audit is trying to accomplish but will follow that up with “the business process works fine without any help from audit.” This is where the auditor must be able to articulate the two potential outcomes of an audit that, in the end, are designed to benefit their business partner. One of the outcomes of an audit is that the audit results will show the business process has been effectively designed, built, implemented, executed, and accurately reported. These five factors of the business process, when done correctly, will produce the expected results. Keep in mind, every process will deliver a result. The key, which must be verified through data examination and effective reporting, is whether the business process achieves the intended result. The examination of the data and reporting should be done on an ongoing basis by the business unit and is the same information the audit team will examine during their review. The other outcome of an audit is that after a detailed review of the data and validation with the business partner, the audit reveals a breakdown(s) in the business process that does not produce the intended results. This breakdown is going to be directly linked to one of the five factors from design to reporting, and it is the job of the auditors, in partnership with their business partner, to identify the root cause (to be discussed in Chapter 7) of where the process breakdown occurred. It is always critical to ensure the business partner is involved in all aspects of the audit process. Once the business partner has obtained a clear understanding of what audit does, along with the two potential outcomes explaining the audit objective, the auditor can now detail what the business partner can expect in an audit from start to finish.

The most important part of marketing the audit department is to deliver an unfiltered account of what the business partner is to expect in the three main phases of an audit – planning, fieldwork, and reporting. It is critical to provide perspective on the internal audit department before diving into the details of the three phases of an audit. Most importantly, explain that every audit department, like other business units, must adhere to standards and methodology requirements. It is not necessary to get into the details of the Institute of Internal Audit (IIA) standards, but it does help in building rapport with the audit client to state the audit department has guidelines to adhere to, just like the business unit, in completing their job. In addition to the standards are the specific audit methodology requirements, and it helps to explain these regarding the three main phases. This type of discussion gives the business partners the background knowledge to help them understand where the audit department is coming from during the review. This information is even more important during a remote audit because the client is only going to be getting requests from the audit department and may not understand why the audit team keeps asking for additional information. However, if the business partner understands the three main phases of an audit, it will make the request and delivery of information during the audit go much more smoothly.

Even before drilling down into the phase details with the client, the auditor can provide perspective of the internal audit department by informing the client of the different types of reviews audit can perform. This not only provides perspective on internal audit, but also plants the seed for future reviews that could be performed at the client's request. Let your business partner know that the audit department offerings include risk-based audits, continuous audits, operational reviews, and partnering on significant business projects or system implementations. The key on any audit is to let the business partner know that audit is a partner to the business and not just a group tasked with examining existing business operations. Again, the auditor should focus on building the relationship with every client on every job. It is even more critical during a remote audit to offer audit assistance to the business operation's team with any challenges they could be facing in this remote operational environment. Additionally, the auditor always wants to focus on internal audit's mission to consistently provide value on each engagement. That value is in process valuation and improvement, independent assessment, the risk and control knowledge sharing, and data-driven recommendations. All of these value points are linked to assisting the business units to meet their objectives consistently.