"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations" as defined by The Institute of Internal Auditors Australia. It holds numerous benefits for improving an organisation's risk management systems and procedures due to its systematic and disciplined approach.
Internal audit plays an important role for organisations to improve management and accountability and provide assurance to key stakeholders that the organisation is governed effectively.
Under the first line of defence, operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
The second line of defence consists of activities that specialise in risk management, quality and compliance. This line oversees and supports first line activities.
Internal audit forms the organisation’s third line of defence. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of
Internal audit is therefore clearly and concretely connected to the enterprise risk framework.
Read the article: Risk Governance and the Three Lines of Defence
Internal audit has a number of avenues to support the planning mechanism:
A critical component of internal audit planning is understanding the key risks for particular business units or processes and their associated controls. This task is made a lot easier with Protecht.ERM, which centralises divisional risk assessments into a single platform instead of a disparate, disconnected set of spreadsheets. Risk profiling dashboards allow internal auditors to quickly view a divisional risk assessment and ascertain which key risks have been identified by the first line. Filters allow specific business units or risks to be selected.
Controls can also be more easily investigated through the central library of controls that have been classified by control categories and control type.
Other attributes, such as whether a control is automated or manual, or whether it is a key control, can also be captured.
Once classified, visualisation of the control framework across a division or organisation can be more easily achieved. In the example below we can quickly see a lack of segregation of duty controls, and a lack of reactive controls in this particular control library. Internal auditors can use this information to focus on control group weaknesses.
You can read the eBook we wrote about this topic: How to get more intimate with your controls
However, imagine being able to look at a business unit risk profile and see all connected information for a given risk at a glance. RiskInMotion™ aggregates information such as:
And plots the aggregated information against the divisional or group risks.
Internal auditors can more quickly identify problem risks based on the volume of aggregated, connected information. Drilling down into the risk allows the auditor to see more detail about the aggregated information.
Apart from supporting the audit planning phase, Protecht.ERM facilitates capture of the plan details. The plan ‘form’ references library information already in the application such as business units being targeted, auditees (users), risks and controls being addressed and the expected time the audit will be executed. Planning documents can also be stored.
Once the audit has been planned, internal auditors will execute the audit. For the majority of our clients, execution and workpapers continue to be done in Word or Excel. However, Protecht.ERM now provides a central location to store completed workpapers and the ratings for the audits conducted.
Once the audit has been completed, a number of internal audit findings and recommendations will be raised for first line managers to consider.
Findings in traditional internal audit functions have the following weaknesses:
For the first weakness, internal audit findings can be connected to the central library of risks and controls. In the screenshot below we can see the connected risk for this finding, fed from the central library.
For the second weakness, findings stored in Excel files, Protecht.ERM makes the whole process more efficient by:
These activities reduce the time the internal audit team spends administering findings. Audit trails in an ERM application are also more robust than those of an Excel file, making it easier to see how a finding has been modified over time.
Apart from the issuance of audit reports, internal audit has the responsibility to ensure that findings, first line responses and closure rates are reported to audit committees in a way that allows them to quickly visualise this information. Protecht.ERM’s integrated analytics engine allows such visualisation.
There is no escaping the hard yards of doing internal audit properly; it takes time, dedication and the appropriate resources.
If you are interested in learning more, please send an email to firstname.lastname@example.org.
David Bergmark consults on a variety of market and enterprise risk management issues and is actively involved in the development and implementation of Protecht's risk management software (ERM and ALM). David started out in the audit division of Price Waterhouse in 1990, handling clients such as Macquarie Bank and Bankers Trust. By 1994 he was Risk Controller for Carrington Securities - a financial markets trading company. In 1996 David left Carrington to head up the Risk Management Department at IBJ Australia Bank (IBJA) where he was responsible for the development of all risk disciplines at the bank – market, credit, liquidity and operational.