Your internal audit function: analyzing quality helps assure quality.

The following article was prepared by Ajilon Finance Solutions in conjunction with an internal expert consultant in the area of risk management.
Firms worried that their internal audit function is not doing a good enough job of identifying risk may want to consider instituting a quality assurance program.
You can't eliminate risk, but you can manage it.
The first step in the quality assurance analysis is to review the audit methodology. This requires a well-defined process based on a comprehensive understanding of the business. The results of that process over time must be understood. How well did the process identify unwanted events before they materialized? What was the cost of the audit methodology?
The analysis should address several other questions, including:
• Are the critical building blocks in place?
It is impossible to have an effective audit program without certain building blocks. One is a set of dynamic standards agreed upon by all stakeholders. The absence of standards creates inefficiency and risk, as well as a dysfunctional climate where the focus is on self-survival instead of organizational goals.
Also important is a philosophy that risk management is part of everyone's job. This is not simply a case of risk economics; it also guides human behavior. In addition, there must be a formal process to prioritize risks. Not every risk has equal weight.
• Is the audit strategy balanced?
There is a bias toward quantitative analysis in assessing risk. Since the future cannot be foretold, any risk management strategy should also have a qualitative component. Qualitative implies several things:
First is the idea that factors that can't be easily quantified — rare events, for instance — are part of the analysis. Second is that individual and group human behavior is also considered, because people's behavior can affect organizations in surprising ways. Third, some events are not foreseeable, but may be cataclysmic. They need to be conceptually embraced, not ignored.
• Are the audit resources economically deployed?
Audit resources should be economically deployed to identify critical risks in a timely manner. In deploying the firm's resources, several guidelines are essential. First and foremost, don't overspend to identify risks. Someone in the firm knows most risks.
Encourage self-identification of risks. Some risks won't be self-identified, so a thoughtful program of surprise audits is needed. Aligning resources with risk is important. Not every risk has the same potential impact, so don't treat them identically — prioritize resources.
It also helps to build a partnership with all stakeholders in the firm. This is essential to the economic deployment of resources and is characterized by candor, transparency, and a proactive approach on each stakeholder's part.
• Is a supportive culture in place?
Risk management cannot be effective without the right corporate culture. This starts at the top and percolates down; the walk and the talk must be in sync. Every manager needs to do several things with regard to their direct reports. One is to convey, in words and deeds, how value is created for both the individual and the firm. If there is a disconnect here, neither the firm nor the individual will prosper. Another is to ensure the manager demonstrates the behavioral norms.
The right thing to do is usually obvious; doing it is often hard. The manager can influence the doing. Finally, ensure that the individual's goals are clear and consistent with the value creation.
• Are the metrics relevant?
The metrics must be timely and must accurately reflect the risk profile and support risk management. If they are linked to compensation, they support the desired behavioral result: managing risk. The true test of the metrics is that they actually reflect the risk.
One approach is to learn from unwanted historical events and analyze how the audit process identified them before they materialized. Another is to ensure that cataclysmic events will be identified as soon as possible. Another still is to utilize peer comparisons; where possible, compare your firm's quality assurance metrics with those of your peers.
• Is cumulative risk captured?
An unwanted event is often preceded by a series of actions that may be relatively insignificant individually, but cumulatively can be disastrous. The quality assurance analysis should determine if the audit methodology has the ability to detect such risk. When executed properly, audit quality assurance can assure that the audit output corresponds with the expectations of the firm's senior managers.