Organizations face challenges in making their internal audit processes less labor intensive and more cost-effective. I recently collaborated with the SAP team on a recent article for GRC Expert describing how you can manage resources, schedules, tasks, and remediation activities for internal audit programs using SAP NetWeaver’s audit management functionality.
Audit activities can span a number of corporate functions, including IT, finance, management systems, and operations. They also provide greater transparency of the business operations of an organization. The Institute of Internal Auditors (IIA, www.theiia.org) suggests that an internal audit is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.”
The process by which most organizations conduct audit activities can be summarized in a simple process model. Based on what triggers an audit schedule — perhaps business planning rounds, regularly scheduled risk mitigations, or even a compelling period of poor business performance — there is an element of planning in the form of scheduling and a level of pre-audit assessment. In a traditional audit process, this planning could include notification of the business operations or functional group that participates in the audit, the areas of the audit scope, and the schedule by which the audit is conducted.
Once the audit activities commence, a number of execution activities occur, including the formal launch of the audit, field work and examination, the development of working or so-called brown papers that consist of document comments and observations, and finally the formal audit findings. These findings and supporting documents are then presented in an exit conference during which the rationale of audit findings may also be shared. In a traditional setting, this is the last on-site (or, in today’s technology environment, real-time) activity that occurs before the final report is developed and distributed to the organization. The organization then considers any corrections that need to be made or improvements to deficiencies found in the audit that need to be implemented in the organization to improve business operations or meet a required level of compliance.
An internal audit adds value by providing key management- and board-level stakeholders with assurance that governance processes are effective, while identifying areas that can be improved. This assurance gives the stakeholders peace of mind, because they know they can rely on management’s governance and risk management processes, as well as the related systems of internal control.
In today’s economic environment, however, traditional labor-intensive audit models are difficult to justify. Opportunities to effectively and efficiently manage the traditional audit process and to augment it with desk reviews conducted without a presence on-site make the audit process more palatable and cost-effective, particularly for small and midsized companies. In addition, the need to have audit processes use technology and be more tightly integrated with governance, risk, and compliance (GRC) processes suggests a next-generation, full-lifecycle audit approach that addresses these new requirements of speed and efficiency that traditional models may lack.
To read the full article, visit GRC Expert (login required). Many thanks to Norman Marks, James Chiu, and Joseph Arokiaraj of SAP, who contributed to this article.