Internal Audit has been in the world for a very long time. It has different types according to the scope but in general it can be said that verifies that what is being doing is what it should be. So its expertise is based in two main things: first, know and deploy the business risk management and second, know all the processes within the company. Hence its revisions or audits should be based on the knowledge of the business, its vulnerabilities and the result of other revisions which implies there is lack of control.
So its knowledge is integral. Therefore it is a consultant area; an area of service. For whom? To the Management Board, Committees, CEO, other Directors; to the company itself in order to protect it from business risks. To do such job, Internal Audit should be:
-Independent, objective and ethical: its personnel must have total independence in order to not be considered “judge and jury” at the same time. Also, be skeptical, impartial alike and behave ethically in every situation and circumstance.
-Have the support of senior management; meaning: shareholders, members of the Board of Directors, Committees, CEO. This includes that the head of IA be positioned at the same level of other heads and report directly to the Audit Committee and CEO. In addition to have enough budget to hire suitable staff, have technological tools and perform audits in any location the company has subsidiaries or branches.
-Be updated on relevant issues that may affect the company such as: risk management, fraud prevention and money laundering, data protection, etc. Also, know any new regulation that the company should comply with.
-Audit performance: the importance of an audit relies on the observations made but most important to get the cause that generates such. In this way, the risk management is useful in order to attack the cause, the root of the lack of control. Add to this the knowledge of the company and here it is the key: the audit has been made as a tailored suit with the creativity of the Internal Auditor. But here the show is just beginning! The follow-up to the audits is another key element. How the audited area is deploying the recommendations? Or better why have they not done anything?
The independence of Internal Audit also includes performing its revisions without telling anybody when they will be. Surprise…!!! Applies to all, as well as changes in its scope, areas, processes, etc.
So, we are not the “ugly ducks”…or the police. We are an area that detects lack of controls; issues observations and recommendations. We are an area that sees the company in an integrated vision: therefore our work starts with an audit, consolidates with a business risk model (which we will talk later) and adds value to the company by our knowledge and expertise in protecting and preventing towards new risks.
Therefore, Internal Audit is the key!