Best Practices

in Internal Audit
Gone are the days when internal audits were limited to annual
assessments of operational and financial controls alone.
Today’s internal auditors are expected to do more – to step out
of their comfort zones and provide assurance on a range of
new and emerging risks, while also delivering timely insights to
guide key strategic decisions. Stakeholders are increasingly
relying on internal auditors to help them navigate the choppy
waters of rapidly changing regulations, large-scale data breach-
es, complex global business ecosystems, and geopolitical un-
certainties. How internal audit responds to these expectations
will determine their success, relevance, and value in the coming
years.

With that in mind, here are 5 best practices for internal auditors
to successfully meet stakeholder expectations, and drive excep-
tional business performance in their organizations:
 1
Put Risk at the
Front and Center
of the Audit Plan
Insight
We live in a world where risks are changing at an
incredible pace; where events that might not have
been foreseen a year ago have become a reality.
Consider the unprecedented vote by U.K. citizens to
exit the EU, the bitter and deeply divided political
battle in the U.S., the simmering refugee crisis in
Europe, or the increasing cyberattacks against criti-
cal infrastructure.
For internal auditors, these developments are a
strong reminder that risks need to be constantly
reassessed, and audit plans revised to reflect the
changing risk environment. While risk identification
is ultimately a management responsibility, auditors
would do well to stay informed on the new and
emerging risks that would hinder the achievement
of the organization’s objectives. They must be able
to provide assurance that existing risks, as well as
the big risks around the corner are being properly
controlled. Achieving these objectives calls for con-
tinuous, risk-based audits.
Recommendations
• Get a sense of the top risks to the business
through conversations with stakeholders, internal
observations, surveys, and industry analyses
• Coordinate with other assurance groups to assess
and score risks in a top-down manner
• Tailor risk assessments to understand how various
risks are interconnected and what causes them
• Rank and prioritize the risks based on their impact
and likelihood; make sure to get management
buy-in on the risk priorities
• Ensure that the areas of highest risk and the
associated controls are audited more frequently
than others
• Conduct periodic reviews throughout the year to
determine if the prioritization of risks is still applica-
ble
 2
Collaborate
Closely with the
Second Line of
Defense
Insight
For the board and management, it can be frustrat-
ing and confusing to receive multiple reports from
various assurance functions, each addressing simi-
lar risks and issues, but talking in a different risk
language, and providing different recommenda-
tions. If internal auditors are to truly add value, they
must collaborate and communicate more effective-
ly with the second line of defense, working towards
a holistic, integrated view of risk and compliance.
This kind of combined assurance gives stakehold-
ers better visibility into critical risks and opportuni-
ties which, in turn, enables them to make better,
faster business decisions on how to tackle the
changes in the risk and regulatory environment.
Recommendations
• Establish a common risk and control language that
will enable the second and third line of defense to
communicate with each other, and report risk more
effectively
• Conduct periodic meetings between internal audit
and other assurance functions to share informa-
tion, and to align risk priorities
• Don’t hesitate to question and challenge the
findings from risk and compliance functions
• Link the risk function’s assessments of key risks to
audit planning; in turn, share the risk-based audit
plan with the risk function to get their insights and
perspectives
• Report key risks, issues, and opportunities to
stakeholders in an integrated manner with inputs
from all assurance functions
• Standardize and streamline risk assessment and
control evaluation processes to ensure that there
are no redundancies or overlaps between assur-
ance functions
 3
Provide Advice and
Insights that Focus
More on Foresight,
Less on Hindsight
Insight
PwC’s 2016 State of the Internal Audit Profession
Study found that 62% of stakeholders expect more
value from internal audit, including half of those
who already reported experiencing significant
value. Many stakeholders want internal audit to
expand its value beyond assurance, and be a more
proactive trusted advisor.
While the work of providing assurance is extremely
critical, internal auditors are also uniquely posi-
tioned to deliver insights that can guide and influ-
ence decision-making at the highest levels of the
organization. They have the ability to advise stake-
holders on important business process improve-
ments, while also alerting management to emerging
issues and risks. The key is to focus less on the
issues and risks that have already occurred, and
instead look ahead to understand where the organi-
zation is heading and how its risk profile is likely to
change as a result.
Recommendations
• Decide how to balance the time spent on advisory
and assurance work based on the organization’s
strategy, stability, business environment, and other
such factors
• Spend time understanding the organization’s busi-
ness processes, strategy, and performance indica-
tors; that makes it easier to spot areas of concern,
and add value to discussions
• Balance hindsight with foresight; focus on for-
ward-looking analyses that anticipate the issues
that could occur, so that the organization isn’t
caught off-guard
• Communicate insights to stakeholders in a simple,
succinct, and timely manner; separate the signal
from the noise
• Instead of providing too many details, focus on
strategic questions such as “what caused these risks
or issues,” and “what can be done to prevent their
recurrence”
• Engage actively with industry associations to
exchange knowledge with peers, and to understand
how they are responding to stakeholder expecta-
tions for better insights
 4
Expand and
Sharpen Internal
Audit’s Skills
Insight
The world is rapidly changing, but audit skills
are not evolving fast enough. In Deloitte’s 2016
Global Chief Audit Executive Survey, 57% of
Chief Audit Executives (CAEs) reported
being unconvinced that their teams had the
skills and expertise needed to deliver on
stakeholders’ current expectations – let alone
future demands.
Today’s auditors need to have a broad range of
skills that go beyond operational and financial
auditing, to include enterprise risk management,
regulatory compliance, vendor risk management,
anti-bribery, corruption, and even cyber security.
Auditors must understand how to not only test
con-trols effectively, but also communicate with a
range of stakeholders. Critical thinking, analytics,
and technology skills are also important.
Many organizations are addressing these skills
gaps in their teams through comprehensive
training. Others are hiring new audit professionals,
while still others are looking at co-sourcing and
outsourcing options.
Recommendations
• Evaluate the existing skills of the internal audit
team; identify gaps, and conduct periodic training
to address these issues
• Align training and development programs with
emerging risk and regulatory developments, as well
as business objectives
• When recruiting new resources, evaluate their
communication skills as much as their auditing
qualifications; trying to teach soft skills later can
often be difficult
• Explore alternative staffing models such as rota-
tion (exchanging talent between the business and
internal audit) or guest auditor programs (bringing
in subject matter experts from the business to help
conduct in-depth audit reviews)
• Build relationships with external service providers
who can provide specialized audit skills without
long-term investments
 5
Automate Wherever
Possible with
Technology
Insight
While internal audit’s roles and responsibilities may
be increasing, budgets are limited, and talent is diffi-
cult to come by. In fact, auditors often find them-
selves having to do more with less. Many are turn-
ing to technology to simplify and automate manual-
ly-intensive audit processes, thus freeing up time to
focus on more value-added activities such as risk
analysis.
With big data analytics, technology also provides
the ability to aggregate and analyze tremendous
volumes of data (from both inside and outside the
organization), and deliver risk and compliance intel-
ligence in real time. These insights enable auditors
to better predict the risks, issues, and opportunities
that lie ahead, thereby providing timely advice to
the board and leadership team.
Recommendations
• Consider replacing siloed spreadsheets and tools
with integrated audit systems that can streamline
and automate audit workflows across the enter-
prise
• Build a centralized library to integrate and map
audit data, including risks, objectives, controls, and
auditable entities (This tightly-knit data model helps
understand the relationships between various data
elements, and enables more targeted and focused
audits)
• Leverage mobile auditing tools to enter audit find-
ings on the go, and to easily capture photos and
videos as evidence
• Implement intuitive dashboards and reporting
tools that can roll up audit and risk data from
across the enterprise, summarizing key observa-
tions, and highlighting critical information
• Adopt analytics to derive valuable risk intelligence
that can drive decision-making
Conclusion
Internal audit is faced with an important choice. It can
either refuse to evolve and, thereby, fade in relevance.
Or it can find ways to reinvent itself and drive greater
business value. The successful internal auditors of
tomorrow will be those that can keep pace with the
risks and changes in the business environment,
communicate more effectively with stakeholders
across functions, and deliver timely and forward-look-
ing insights that matter to the business. Just as import-
ant will be their commitment to continually sharpen
their auditing skills and knowledge, and leverage
world-class tools and technologies. Achieving these
objectives will go a long way towards helping internal
audit attain its full potential and become an even
greater asset to the business.

Email: info@metricstream.com
US: +1-650-620-2955 Europe: +41-615-880-111 UK: +44-203-318-8554
Copyright MetricStream.
India: +91-(0)80-4962-8000 UAE: +971-50-728-724 Australia: +61-870-708-014 All Rights Reserved.