While I believe the previous paragraph clearly depicts and explains internal audit's primary objective, it does not consider what I call the terminology gap when discussing key components of the internal audit function. As auditors, we can sit around a table and discuss risk and controls for hours and completely understand what each of us is talking about. However, the business owners and their teams are not familiar with these terms as it applies specifically to their own processes. This gap in an equal understanding of the internal audit foundational concepts creates a basic misperception when business teams are trying to understand what internal audit is going to be examining in the day-to-day operations of the business unit. Internal audit must ensure all of the auditors on the team can effectively articulate the internal audit objective and the associated terms like risk, control, and oversight. While the Beyond Audit Objective, Risk, and Control methodology will be discussed in detail in Chapter 5, it is important to spend a moment discussing it here. As a member of the audit team, being able to understand and explain these three terms is crucial to communicating the internal audit objective as well as building a strong, honest, and upfront foundation for the relationship with the business client.
INTERNAL AUDIT'S THREE PILLARS
The three pillars of risk, control, and oversight form the basic structure of any effective risk-based audit methodology. It is critical that all internal audit team members have a clear and consistent understanding and the ability to define them to a client in nonaudit terms. So, let's briefly discuss each one, starting with risk.
Risk is the probability that an event or action will adversely impact the organization or business unit. Now that may seem like a good explanation of risk to an auditor, but business personnel do not speak in these terms. This definition seems too formal and comes off as the auditor lecturing the business partner, creating an environment equal to a teacher and a student. The key to any introduction or interaction with a client should feel like two people discussing a process – more importantly, the business process being examined. The auditor should try to turn every meeting with the client into a conversation about the business process and focus on developing a relationship that does not feel so much like an examination of what the business does not do well but an interaction between two people where the business representative is the process expert and the other person is there to learn how the process works from start to finish. Trying to communicate with this objective in mind will promote a healthy relationship foundation and that encourages the exchange of process-based knowledge instead of a judgment examination of the business process. As the business process knowledge sharing meeting continues, the auditor can work with the client to discuss risks without giving the formal definition to explain it. Any time the topic of risk comes up with a business partner, one of the first things the business partner will say is “losing money is a big risk for us.” While that may sound valuable to an auditor, losing money is not actually a risk. It is an impact of a risk happening in the business process. Think of it like this: A particular business risk was realized, and it cost the company money. So, remember, losing money may sound like a process risk but it is an impact of a risk and not a risk itself. Auditors must educate their business partner on risk being a barrier to the business team being able to accomplish their day-to-day activities to meet their business objectives. Risks do not represent impacts to the business process but impediments to doing their jobs.
When it comes to control, no business team is sitting in their offices looking for ways to add new controls to their process to strengthen the environment of their business operations. Most business units are wondering how they can do what they do faster so they can get more business and process more transactions. And in the business effort to go faster and process more transactions, it creates an environment that is ultimately not well controlled. As the auditor introduces the control concept, it should be linked to the idea of removing any barriers that could impede the business process from being completed in the most effective and efficient manner.
The control concept is then easily linked to the business oversight concept. Business oversight focuses on the information the business leadership team receives indicating that all business process components are operating as intended. As stated previously, there will be a deep dive on the three audit concepts of risk, control, and oversight in Chapter 5.
Once the auditor has cleared the first hurdle of explaining the key concepts of what audit does, it is important to clarify why audit does it. Most business teams can say they understand what the audit is trying to accomplish but will follow that up with “the business process works fine without any help from audit.” This is where the auditor must be able to articulate the two potential outcomes of an audit that, in the end, are designed to benefit their business partner. One of the outcomes of an audit is that the audit results will show the business process has been effectively designed, built, implemented, executed, and accurately reported. These five factors of the business process, when done correctly, will produce the expected results. Keep in mind, every process will deliver a result. The key, which must be verified through data examination and effective reporting, is whether the business process achieves the intended result. The examination of the data and reporting should be done on an ongoing basis by the business unit and is the same information the audit team will examine during their review. The other outcome of an audit is that after a detailed review of the data and validation with the business partner, the audit reveals a breakdown(s) in the business process that does not produce the intended results. This breakdown is going to be directly linked to one of the five factors from design to reporting, and it is the job of the auditors, in partnership with their business partner, to identify the root cause (to be discussed in Chapter 7) of where the process breakdown occurred. It is always critical to ensure the business partner is involved in all aspects of the audit process. Once the business partner has obtained a clear understanding of what audit does, along with the two potential outcomes explaining the audit objective, the auditor can now detail what the business partner can expect in an audit from start to finish.
EXPLAINING THE AUDIT PHASES
The most important part of marketing the audit department is to deliver an unfiltered account of what the business partner is to expect in the three main phases of an audit – planning, fieldwork, and reporting. It is critical to provide perspective on the internal audit department before diving into the details of the three phases of an audit. Most importantly, explain that every audit department, like other business units, must adhere to standards and methodology requirements. It is not necessary to get into the details of the Institute of Internal Audit (IIA) standards, but it does help in building rapport with the audit client to state the audit department has guidelines to adhere to, just like the business unit, in completing their job. In addition to the standards are the specific audit methodology requirements, and it helps to explain these regarding the three main phases. This type of discussion gives the business partners the background knowledge to help them understand where the audit department is coming from during the review. This information is even more important during a remote audit because the client is only going to be getting requests from the audit department and may not understand why the audit team keeps asking for additional information. However, if the business partner understands the three main phases of an audit, it will make the request and delivery of information during the audit go much more smoothly.
Even before drilling down into the phase details with the client, the auditor can provide perspective of the internal audit department by informing the client of the different types of reviews audit can perform. This not only provides perspective on internal audit, but also plants the seed for future reviews that could be performed at the client's request. Let your business partner know that the audit department offerings include risk-based audits, continuous audits, operational reviews, and partnering