Contemporary internal auditing has come a long way since the humble beginnings of the Institute of Internal Auditors (IIA) in 1941. Traditionally viewed as a 'watchdog' to check for compliance and the '3Es' – effectiveness, efficiency and economics – of operations, the role of internal audit is fast moving up the value chain of enterprises and industries.
The IIA Research Foundation's 2010 Common Body of Knowledge (CBOK) Global Internal Audit Survey reveals that the focus of the profession will undergo tremendous changes over the coming years. Attention will switch to corporate governance, enterprise risk management and migration to International Financial Reporting Standards (IFRS), while more traditional roles such as operational and compliance audit take a back seat. The table opposite shows the focus areas from 2010 to 2015.
Governance and risk
The 13,582 responses from more than 100 countries show a clear convergence trend when it comes to governance and internal control, especially in emerging countries. Increased stakeholder expectation, recent corporate failures, enhanced corporate governance compliance by regulators of public corporations and demand for improved governance in the public sector have created a need for internal auditors to play a more critical role. Malaysia is no different.
The revised Malaysian Code of Corporate Governance 2012 (MCCG 2012), issued by the Securities Commission, requires the board to establish a sound framework to manage risks. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company's internal controls system. For this, periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust.
MCCG 2012 also sets out that internal auditors should conduct regular reviews and appraisals of the effectiveness of the governance, risk management and internal controls processes within the company.
It is also becoming more apparent that internal audit has a significant role in assessing the adequacy of risk management and reporting on the framework and its implementation to the board. IIA Standard 2120 states: 'The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.'
For this to be effective, the internal audit team, including its chief audit executive, must revisit its focus areas while developing plans and designing (and revamping where necessary) audit programmes (including related quality assurance programmes) and approaches. These should encompass auditable areas relating to governance structure, policies and procedures, as well as the risk management framework, methodology and process within the organisation, and not merely operational and/or compliance areas. Core competencies must therefore take a leap towards understanding enterprise risk management, especially relating to risk-based audit-planning techniques, risk analysis and control assessment techniques. To assist auditors, the IIA has published a Practice Guide – Assessing the Adequacy of Risk Management Using ISO 31000.
While financial reporting is usually associated with external auditors, the need for internal auditors to understand the nature and impact of financial information and reporting is becoming increasingly important, especially with IFRS and its constant changes. As IFRS reporting can be quite tedious, detailed and even onerous on the part of management (and not only the finance function), internal audit plays an important role in assessing the effectiveness of related data management, general and application controls over financial information and IT systems, accounting software and the reporting process. The question is whether these systems, controls and processes comply with and correspond to IFRS requirements for proper measurement, presentation and disclosure of business transactions. It is therefore not surprising that financial reporting itself would become a valid, auditable area in an internal audit plan, if it hasn't already.
The role of internal audit in financial reporting was further validated and emphasised when the International Audit and Assurance Board of the International Federation of Accountants revised ISA 610, Using the Work of Internal Auditors, in 2013. Under the revision, external auditors may (if prescribed criteria are met) consider and use the work of internal auditors as part of their planning and risk assessment procedures, and may even use that work to form part of the external auditors' assurance in audits of historical financial statements.
While ethics audit is not new in Europe and the US, it is somewhat unheard of in Asia, Malaysia included. The reasons for examining an organisation's ethics include pressure from society, its role as part of risk management, stakeholder expectations and the need to identify a basis for measuring future improvements. In some cases, an organisation's poor ethical behaviour, or lack of ethical behaviour, may have resulted in costly legal action, stricter government regulation or even reprimand.
Ethical auditing is a process which reviews and assesses the internal and external consistency of an organisation's values base. It is value linked in that it incorporates a stakeholder approach. It aims to promote accountability and transparency towards stakeholders and it is intended for internal control, to meet the ethical objectives of the organisation.
The value of the ethical audit is that it enables the company to see itself through a variety of lenses, capturing its ethical profile. An ethical profile can be invaluable to boosting an organisation's reputation.
In the cloud
Besides the above, other areas gaining the attention of internal auditors, especially in Asia and Malaysia, are cloud computing and sustainability audits. As more organisations move more data to internet-based services, internal auditors will need to assess how these critical 'assets of the organisation' are managed. The key areas related to an audit of an organisation's cloud computing include:
- compliance with data protection and privacy laws and regulations, including sufficiency and appropriateness of internal data security policies;
- roles and responsibilities of IT personnel/information officers;
- safeguarding of sensitive, confidential and personal information and intellectual property and trade secrets;
- controls over access; and
- service level and contract management with cloud computing vendors.
A typical audit approach for cloud computing would be a 'layered' approach, also known as a 'defence-in-depth' approach. It starts with the hardware and infrastructure level, followed by the database layer, then the server level, followed by the application layer and finally the network level.
Sustainability audit refers to the review and assessment of the appropriateness and sufficiency of an organisation's adoption of environmentally responsible practices, sound social policies and exceptional governance structure in order to minimise risks and volatility and to enhance the long-term development impact of corporate activities. It is done by comparing the existing practices of the organisation with best practices, standards and regulations, as well as against specific sustainability-based KPIs. The objective of such audits is to provide the various stakeholders with assurance on how the entity/corporation is managing its 'triple bottom line' or a good balance of 'people, planet and profit'.
The role of internal auditing has, without a doubt, gone through a massive 'makeover' since the industrial age to our current times. From the typical 'watchdog' who 'hounded' management with compliance and effectiveness of operations, internal auditing is now becoming an independent but key ally to various stakeholders of the organisation.
With the changing business environment, demands for proper governance and risk management, varying social trends, emergence of new technology and business operating platforms, and borderless enterprise, the control landscape has certainly been transformed. This has required the value proposition of internal auditing to move to a new and enhanced level, beyond the call of controls.
The internal audit function has become, and will continue to be, a major support and consulting function for management, the audit committee, the board of directors and the external auditors, as well as other key stakeholders.
Ramesh Ruben Louis is a professional trainer and consultant in audit and assurance, risk management and corporate governance, corporate finance and public practice advisory