Internal audit has been moving toward more value-added functions, away from its historical focus on compliance and financial risks and controls. The role of the internal auditor has evolved to one that involves identifying risks and issues that previously lay outside of its ‘compliance-only’ remit. It is expected that internal audit and risk management should have a real and demonstrable impact on a company’s performance and financial position.
What are the problems I may face when tackling this issue?
Many businesses don’t realise there is a shortcoming in their organisational risk set-up until it is too late. The challenge is to look more widely at business risks than you are obliged to from a compliance point of view.
The questions you should ask include the following.
- Are we too focused on basic compliance objectives?
- Are we monitoring the right risks?
- Are our risk mechanisms alerting us to the right risks, at the right time?
- Why are we focusing so strongly on the financial risks when there are actually more non-financial risks within the business that go unmonitored?
So what should I do?
- Take an assessment of your risks across the whole organisation, creating a ‘map’ of risk hot-spots. Don’t forget to include potential vulnerabilities.
- Put an appropriate controls framework in place. This should include an emphasis on a risk aware organisation where management and staff members have a common understanding about the organisation’s expectations around risk management.
- Ask questions about how your business is set up to respond to a risk issue and whether the right people, policies and procedures are in place.
- Determine if internal audit has aligned its plan to address the organisation’s top risks and if it has the skilled people to execute it, or whether internal audit strategic sourcing is required?
Do you want your internal auditors to be monitoring solely those risks that tick a compliance box? Or do you want your internal auditors to operate within a framework that makes them much more valuable:
- identifying diverse financial and non-financial risks across the whole business
- heading off issues before they arise
- driving recommendations to enhance controls and performance.
How can KPMG firms' professionals help
KPMG professionals can advise you on:
- managing risk at the enterprise level
- seeking efficiency and effectiveness of internal audit
- achieving value from the risks and control framework
- preventing, detecting and investigating fraud
- helping to limit exposure to major capital projects, technology and global threats.