Is Your Internal Audit Function Adding Value?

Many internal audit functions within organisations fail to add practical value that exceeds their costs. Why is this?
Firstly, it is our experience that an internal audit function is hard pressed to demonstrate and deliver value if not underpinned by a robust Enterprise-wide Risk Management (ERM) process.  In fact, where there is no ERM process in place, it is our recommendation that internal audit resources should first be applied in establishing an ERM process. 
The practical value-add of the ERM process and internal audit function is maximised when the ERM process is facilitated by the internal audit function.  We do not subscribe to the (theoretical) notion that these two functions should be separated within an organisation.  In our experience, this is not cost-effective.
Secondly, the term “risk-based internal audit” is most often misunderstood and misapplied. 
Risks should not only inform the annual plan of the internal audit function, but also the scope of each individual review. 
Without a contextualised view of the risks facing the entire organisation, together with an indication of where assurance is currently obtained, the Board or Audit Committee cannot make an informed decision on the most appropriate application of internal audit resources.
When not auditing towards a conclusion, it is very difficult to establish the exact scope and direction of individual internal audit reviews.  Every review should be risk-based. In other words, the auditing effort should culminate in a single conclusion. For example, “We are managing the risk of ‘Not procuring input product of an appropriate quality’ effectively and efficiently”.  This conclusion must be directly linked to a high-level risk on the Risk Register.  This level of feedback from an internal audit function will then allow the Board or Audit Committee to fulfil its mandate with regards to the appropriate management of key risks facing the organisation.
By providing overall, contextualised feedback on the risks within the Risk Register, as well as ensuring effective and efficient application of internal audit resources by auditing towards a conclusion, internal audit will maximise its contribution to the organisation and add practical value.