1. Home
2. Insights
3. The Value of Internal Audit - a mindset, not a tick box

The Value of Internal Audit - a mindset, not a tick box

We don’t believe that Internal Audit should be a nice to have (or perhaps more likely, a ‘have to have!) but is a key part of any organisation. We believe that effective audit is:

• enabled by a mindset of seeing auditors as part of the team working towards achieving an organisation’s objectives and that auditors challenging and suggesting action, where required, is useful
• delivered by auditors who are invested in the organisation, committed to contributing to the achievement of objectives and using their expertise in areas including governance and risk management

Internal Audit, done well:

• doesn’t add to the burden but helps Boards get to where they want to be
• brings expertise and resources to help Boards and management focus on where the key risks are and what can be done to provide assurance. This includes focus on the positive – how strengths of good processes can be maintained and where they can be shared across the organisation – as well as where processes can be improved
• helps Boards leverage resources earlier rather than later before risks materialise and so in a more efficient way

The what: Assisting you in managing risks and achieving objectives

Internal Audit is a tool for the Board supporting the overall governance framework. It works most effectively where it operates as part of the three lines of defence within an organisation, protecting the Board, management and staff from risks materialising and objectives not being achieved.

Internal Audit’s expertise in governance and risk management can be utilised by organisations in ways outside of what has traditionally been considered the audit remit, including:

• being the eyes and ears of the business, particularly in devolved environments
• supporting new system developments
• looking at end to end processes to help teams work effectively together

Outcomes include helping to improve:

• operating efficiency and productivity
• end user experience, for example customers and patients
• the quality and safety of services

Internal Audit is not there to catch anybody out, or to make recommendations and work for the sake of it. It is an engaged part of the business working together with Board, management and staff to ensure that processes and controls are in place to manage risks and achieve objectives.

The why: Internal Audit’s role is as important as ever

The role of Internal Audit in providing independent assurance to those responsible for governance and risk management hasn’t changed and remains as important as ever. In fact, Internal Audit’s role has been re-iterated in the context of the increased risk resulting from both the controls and the people operating them being under increased pressure.

Where there is increased pressure and increased risk it is beneficial to have increased assurance. Are you confident that you have enough assurance?

The how: Internal Audit’s approach has changed to some extent

Internal Auditors are aware of the need to adapt and that the same pressure on all areas of the business to deliver efficiently and effectively, and often more for less, exists for Internal Audit too. We are also aware that we are a back line function. Yet we still believe that Internal Audit can contribute to success and deliver in a real-time, agile way.

The Elsiarc approach includes being:

* Elsiarc’s 4 core values

The who: A balance of skills

Internal Audit has been described as an organisation’s ‘critical friend’ which can sound like a backhanded compliment! Who really wants a critical friend? However, the phrase brings together two key facets of effective auditing:

• Critical: giving an objective, independent assessment of what is both being done well and what isn’t, critical in the sense of inquiring and using knowledge of risks and controls to identify weaknesses and consider what could be done to address them
• Friend: knowing the processes of the organisation and working collaboratively to find solutions to improve the governance framework where this is required. Internal audit shouldn’t be the stereotype of catching people out or raising recommendations for the sake of it. Instead, Internal Audit are part of the same team, working with staff and management in combining our audit methodology and knowledge of how processes can work well, with their detailed knowledge of the processes

Internal auditors have a breadth of knowledge that can help management in times of change and as a trusted advisor.

The when: Contact Elsiarc

Internal Audit is helpful to an organisation at any stage of maturity and with any level of confidence in their processes. Internal Audit works with organisations starting out in managing risks by highlighting where the key risks are and what controls can be developed to mitigate them. Where an organisation is further along the journey Internal Audit provides evidence to support the Board’s reliance on the effectiveness of their operations and highlights where risks have changed and not been reflected in updated processes. Internal audit adds value in all organisations.

Internal Audit is also valuable across all areas of the business and we encourage Boards to think outside of the more traditional areas of compliance and consider how Internal Audit could provide assurance over emerging risks to the business. Where are there gaps in your assurance as a Director and Board member? Where would enhancing or introducing an Internal Audit function improve your overall governance?

If you would like to explore your internal audit resource further, please consider contacting us. We have experience in highly regulated and devolved environments, particularly in relation to the Health and Social Care sector.