In March, Protiviti published its 2011 Internal Audit Capabilities and Needs Survey. The JofA interviewed Protiviti’s executive vice president and head of global internal audit, Robert B. Hirth Jr., CPA, for tips on how CPAs who oversee or conduct internal audits can take their group to the next level:
Conduct a risk assessment. Although management holds primary responsibility for risk assessment and internal control, internal audit, according to Hirth, has always been another layer of protection to mitigate risk. For risks to be properly mitigated, they need to be identified and continually updated.
Identify emerging risks. Regardless of whether there are separate risk management and strategic planning groups in your company, internal audit should be involved in identifying emerging risks, not just the ones it knows today. Hirth says convergence of U.S. GAAP with IFRS is one such example.
Prioritize. All internal audit groups prioritize their projects. But how up-to-date are your priorities? You should be looking at them no less often than quarterly and in some cases weekly.
Reach beyond Sarbanes-Oxley (SOX). One of the first things you’ve got to get in line with in a public company is SOX requirements, says Hirth. He recommends internal audit groups allocate resources to balancing the three-legged stool of the Committee of Sponsoring Organizations of the Treadway Commission’s internal control model: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.
Evaluate IT security and privacy. As with most enterprise risks, internal audit should not be the primary control group for IT risks. But Hirth sees IT as a high-risk area where internal audit should be involved to provide an independent layer of additional security. He recommends internal auditors ask: Who can get into our systems? When they get in, what can they get? Is that what we want, and how do we know? Have we understood what is private by law and what is not?
Collaborate with other control groups. One of the best ways to assess the effectiveness of internal audit is to assess its reputation among other groups in your company, says Hirth. Is internal audit supporting the efforts of other groups or being a nuisance that takes up others’ time without providing useful feedback?
Leverage technology to increase quantitative output. The more high-risk transactions you test, the better your chances of discovering problems. “With all company information digitized, don’t just test 30 transactions but test 300,000 transactions,” says Hirth.
Demonstrate positive change. When your internal audit function reports on its work, it’s important to know what positive changes were made as a result, says Hirth. For example, did internal audit recommendations prevent a restatement or statement of material weakness in internal control?
Perform a quality assurance review (QAR). The Institute of Internal Auditors’ standards require internal audit groups to have an outside QAR performed every five years. But fewer than half of internal audit groups recently reported having conducted a QAR in the past five years. If you are chairman of an audit committee, you want your internal audit group to follow professional standards, says Hirth.
Develop and distribute talent. Find a leader for your internal audit group who commits to recruiting and developing people for other opportunities within the company. By placing trained former internal auditors throughout the company in management positions, you raise the quality of controls, says Hirth, and it allows you to recruit better candidates because they see growth opportunities.
—By Matthew G. Lamoreaux (email@example.com), a JofA senior editor.