Improving the organization: the 3 steps of a successful internal auditing program

Key messages

Evaluate management policies

Evaluate controls effectiveness

Evaluate organisational efficiency

The author of this article: Jean-Marie Bequevort - Expert Practice Leader

After years of auditing companies in a multitude of industries and geographies, it struck me that the way audit departments accomplish their objectives differs a lot from organization to organization. However, I noticed the most impactful audit programs had a methodological pattern in common. In all cases, the internal audit team rigorously follows a 3-step review to evaluate the strengths and weaknesses of the organization, and propose meaningful improvements.

Step 1 - Evaluate management policies

The critical first step is to validate that the policies, procedures, and other controls defined by management are relevant and adequate for the company. There is no point in assessing a control system that is not relevant to your environment and operating model. Unfortunately, we have seen a lot of companies that do not have ‘adequate’ policies or procedures to govern their operations. The main risk, however, is not the absence of those policies and procedures but the likelihood that they are not kept up to date to account for a change in the business structure. We have seen many instances where policies were issued more than 10 years ago without any periodic reviews. A periodic assessment should be performed to ensure that each policy continuously fits the operating landscape, also covering strategic transactions (mergers and separations), re-organization of structures (business segments, shared service centers, outsourcing), management transformations (approvers, segregation of duties), technology landscape (ERP, applications, etc.), and the level of risk appetite (periodicity of controls, limits and levels, etc.).

Step 2 - Evaluate controls effectiveness

Once the policies and procedures have been assessed as relevant, the next step is to ensure that the workforce is performing their tasks in compliance with the control expectations. Effectiveness is the degree to which a task is done in accordance with the expectation. This is the most traditional contribution of an auditor: validating and testing transactions against a set of rules. Sample testing is the most commonly used method, but the emergence of data analytics technology offers the possibility to widen the scope of reviews and the strength of the assurance services. Instead of testing a sample, auditors can now test the full population of data and implement continuous auditing controls. Possible issues to be found are transactions that are carried out without the proper authorization, the lack of controls and oversight on the way work is being done, or the improper use of company assets and funds.

Step 3 - Evaluate organisational efficiency

When assured that policies are relevant and respected by the workforce, auditors start looking for efficiency gains. From their transversal perspective, auditors have a unique opportunity and mandate to look at where and how work is done throughout the organization. Audit techniques such as interviews, data analytics, work shadowing, and walkthroughs offer unique opportunities to identify improvement measures such as standardization and simplification of work processes, the clarification of roles and organizational structures, the automation of repetitive tasks, or the parametrization of business information systems.
