This is a question I am frequently asked.
What is clear is that many audit shops have neither identified the answer to this question nor taken meaningful steps to put in place a framework that ensures they employ enough adequately competent internal auditors.
I would like to outline the essential facets of competence in this arena. How does your internal audit function compare?
The Philosophy of Internal Auditing
Firstly, it is important that your team members understand the fundamental purpose of internal auditing. “Providing assurance” is a frequently used expression, but what exactly does it mean?
I would prefer to understand that they exist to challenge the business’ understanding of the risks they run, to challenge whether controls are designed to mitigate these risks within an appropriate risk appetite and to confirm that controls are operating effectively.
Furthermore, does the department exist to provide an opinion on the control framework in relation to risk management, or perhaps to act as a change agent with a mandate to act to improve controls in its capacity as third line of defence?
The Methodology
This is one area that most large audit functions teach very well – the fundamental audit methodology employed by the department.
Hopefully your own methodology will include the following components:-
- The macro planning dimensions;
- How to effectively plan an audit assignment
- How to examine control design
- Gauging whether a control process is working effectively or not
- How to write a meaningful internal audit report
Does your methodology have any other components?
The Principles of Good Control
Do your staff understand the principles of good control?
Some pressure points that are worthy of consideration:-
- The meaning of segregation of duties;
- What is dual control?
- The differences between, and the appropriateness of, the following control types:-
  - Preventative
  - Detective
  - Deterrent – Encouragement
  - Directive
- Forms of authorization and approval mechanisms
- Effective Supervision
Some audit functions will teach this theme using the COSO framework. Does this work for you?
Corporate Governance
The corporate governance framework within which an internal control mechanism operates is clearly critical.
Does your staff understand what the key components of this framework should look like, including:-
- The role of the board and governing body
- The role of the various board committees
- Non-executive responsibilities versus executive roles
- The meaning of the notion of “three lines”.
The Fundamentals of Risk Management
So far, all we have covered are the basics of internal auditing and control, but what about the risk management fundamentals of your sector?
If I look at financial services (my sector), I would like to confirm that my staff understand what the different risk classes look like. By this I mean:-
- Credit risk;
- Market risk;
- The different forms of operational risk;
Can your team describe examples of the different forms of risk in relation to your company’s product offering?
The Basics of Regulation
Given the importance of regulation, does your department understand the following dimensions:-
- The core principles of effective regulatory compliance?
- Which products are regulated?
- How does your regulator articulate rules and principles?
- How does your regulator enforce these rules and requirements?
- The consequences of non-compliance?
Technology
We see a polarization between business auditors and technology auditors.
Is this fully appropriate?
Whilst I strongly believe that all technology auditors should possess the baseline knowledge outlined above, I also believe all business auditors should have an understanding of the following technology themes:-
- IT governance
- Access controls
- Software development controls
- Data accuracy, completeness and maintenance
- Cyber security
- Processing interfaces.
The Human Dimension
You probably won’t be surprised about my strong view that internal auditors should understand something about the human condition. Key controls are operated by humans, not computers. As auditors we need to understand something about the beautifully illogical nature of what it means to be human. In particular I would advise the following areas of focus:-
- The meaning of the term “culture”
- The threats to appropriate conduct
- Modern thinking on managing oneself, a team and collaboration
What Next?
If you believe all of your team possesses this baseline level of knowledge then please compliment yourselves. Congratulations – you really take capability seriously.
If you believe there are gaps then perhaps it is time to address this competence challenge.