Robert L. Mainardi

Beyond Audit


Скачать книгу

audit. For business personnel, while the explanation sounds official and uses the standard business terminology, it still might not convey the true objective of internal audit and how it affects the business units within the company.

      While I believe the previous paragraph clearly depicts and explains internal audit's primary objective, it does not consider what I call the terminology gap when discussing key components of the internal audit function. As auditors, we can sit around a table and discuss risk and controls for hours and completely understand what each of us is talking about. However, the business owners and their teams are not familiar with these terms as it applies specifically to their own processes. This gap in an equal understanding of the internal audit foundational concepts creates a basic misperception when business teams are trying to understand what internal audit is going to be examining in the day-to-day operations of the business unit. Internal audit must ensure all of the auditors on the team can effectively articulate the internal audit objective and the associated terms like risk, control, and oversight. While the Beyond Audit Objective, Risk, and Control methodology will be discussed in detail in Chapter 5, it is important to spend a moment discussing it here. As a member of the audit team, being able to understand and explain these three terms is crucial to communicating the internal audit objective as well as building a strong, honest, and upfront foundation for the relationship with the business client.

      Risk is the probability that an event or action will adversely impact the organization or business unit. Now that may seem like a good explanation of risk to an auditor, but business personnel do not speak in these terms. This definition seems too formal and comes off as the auditor lecturing the business partner, creating an environment equal to a teacher and a student. The key to any introduction or interaction with a client should feel like two people discussing a process – more importantly, the business process being examined. The auditor should try to turn every meeting with the client into a conversation about the business process and focus on developing a relationship that does not feel so much like an examination of what the business does not do well but an interaction between two people where the business representative is the process expert and the other person is there to learn how the process works from start to finish. Trying to communicate with this objective in mind will promote a healthy relationship foundation and that encourages the exchange of process-based knowledge instead of a judgment examination of the business process. As the business process knowledge sharing meeting continues, the auditor can work with the client to discuss risks without giving the formal definition to explain it. Any time the topic of risk comes up with a business partner, one of the first things the business partner will say is “losing money is a big risk for us.” While that may sound valuable to an auditor, losing money is not actually a risk. It is an impact of a risk happening in the business process. Think of it like this: A particular business risk was realized, and it cost the company money. So, remember, losing money may sound like a process risk but it is an impact of a risk and not a risk itself. Auditors must educate their business partner on risk being a barrier to the business team being able to accomplish their day-to-day activities to meet their business objectives. Risks do not represent impacts to the business process but impediments to doing their jobs.

      The control concept is then easily linked to the business oversight concept. Business oversight focuses on the information the business leadership team receives indicating that all business process components are operating as intended. As stated previously, there will be a deep dive on the three audit concepts of risk, control, and oversight in Chapter 5.

      Once the auditor has cleared the first hurdle of explaining the key concepts of what audit does, it is important to clarify why audit does it. Most business teams can say they understand what the audit is trying to accomplish but will follow that up with “the business process works fine without any help from audit.” This is where the auditor must be able to articulate the two potential outcomes of an audit that, in the end, are designed to benefit their business partner. One of the outcomes of an audit is that the audit results will show the business process has been effectively designed, built, implemented, executed, and accurately reported. These five factors of the business process, when done correctly, will produce the expected results. Keep in mind, every process will deliver a result. The key, which must be verified through data examination and effective reporting, is whether the business process achieves the intended result. The examination of the data and reporting should be done on an ongoing basis by the business unit and is the same information the audit team will examine during their review. The other outcome of an audit is that after a detailed review of the data and validation with the business partner, the audit reveals a breakdown(s) in the business process that does not produce the intended results. This breakdown is going to be directly linked to one of the five factors from design to reporting, and it is the job of the auditors, in partnership with their business partner, to identify the root cause (to be discussed in Chapter 7) of where the process breakdown occurred. It is always critical to ensure the business partner is involved in all aspects of the audit process. Once the business partner has obtained a clear understanding of what audit does, along with the two potential outcomes explaining the audit objective, the auditor can now detail what the business partner can expect in an audit from start to finish.