Based on what I saw in organizations all over the world, the most successful audit organizations share 4 characteristics:
First, the audit activities are focused on what matters to the board and the executive team. Audits are conducted to evaluate the controls against the biggest risks. The scope of activities extends significantly beyond financial reporting and compliance: it covers strategy, the organization structure, the process of decision making, and new risks such as social media and data privacy.
More importantly, I have observed that strong audit organizations adopt a more flexible audit plan, with fewer audits on the schedule. They don’t operate with a fixed schedule. Items enter and leave the audit plan as priorities change and new risks emerge.
As the chief audit executive of a large US multinational recently told me, ‘we only do 7-8 audits a year here’. It was a distinctive statement. Usually, audit managers brag about the 25+ audits executed each year by the audit team.
Second, the audit department is a platform to learn and grow in the company. This applies not only to young professionals or high potentials but also to more senior professionals.
As an example, a large Belgian company has put an interesting program in place. Mid-career professionals with 15 years of experience start in internal audit for a fixed period of 3 years. Then, they automatically move into a business management position. The idea is to provide them with a platform to explore the inner workings of the company, build a network, and understand the core business drivers. In return, the audit team benefits from their subject matter experience and perspective.
Third, their audits are administered efficiently. Kick-off meetings, testing sheets, narratives, and documentation are kept short. Auditors avoid technical jargon and unnecessary audit terms; they write concise reports with the goal of being understood by all recipients.
A good illustration is a company with which we did 2 audits over a span of 3 years:
In the first audit assignment, only a few executives provided responses to the draft report and participated in the formal closing meeting. In the 2nd audit, most executives attended the meeting and the report was the subject of a good discussion.
The main difference was the recruitment of a new audit manager who quickly introduced new instructions for the preparation of the audit report: maximum of 2 pages and more focus on recommendations than on the description of control failures.
Fourth, the audit leader reports to the CEO or the strategy office. (S)he does not report to the CFO. The aim is to prevent the audit function from being seen as just another finance intrusion into other business areas.
A good reason put forward by an audit director at a conference was that ‘it ensures that the organizational position matches the mandate received’. One of the most revealing statistics on the subject is the fact that internal audit functions that work administratively for the CFO dedicate in excess of 60 percent more resources to strict compliance than their counterparts in the profession who report administratively to other executives. In those cases, the internal audit function has a narrower focus and mostly works for CFO-related priorities.
These are some of the ingredients observed through my recent client activity. Some will argue that there are nuances as some sectors face stronger regulatory scrutiny or administrative obligations than others. True – however, the role of internal audit is too important for the audit organization to keep on working hard for no impact.
I welcome your comments and opinions.