GRC Be connected: about auditing
The first presentation, by Monique Garsoux, Head of the Audit Office at Belfius, provided an overview of the internal auditor mission. It is about “how to enhance and protect organizational value by providing risk-based, objective assurance, advice and insight.” This is the result of activities based on standards, core principles and a code of ethics by independent professionals, to provide value to all stakeholders in the ‘three lines model’, whether operational people, management, governance bodies, externals and/or regulators, “to improve things, not to find problems.”
Bluntly, the internal auditor should not be a bogeyperson, but a trusted advisor in a bi-directional relationship with the organization, participating in its everyday workings by joining workgroups, meetings, etc. The purpose is to turn the audited parties into allies who ask the auditors for advice. Rather than focusing on known risks, the auditor should act as a thought leader, anticipating future and emerging risks by keeping abreast of new technologies and business evolutions.
Indeed, an audit is about benefits, for the auditor, the client and audit-savvy professionals – that is the mainstay of the presentation by Prof. Georges Ataya, Solvay Brussels School of Economics & Management. Why were audits invented? To offer comfort to persons wondering whether their organization is on par regarding risks and challenges, and to provide validated opinions on which decisions can be reliably based.
An audit is about the relationship between the party requesting the audit, the accountable party and the assurance professional. It is about the scope of the assurance initiative, including the subject matter over which assurance is to be provided; about understanding the subject, including suitable criteria against which the subject matter will be assessed; and about communicating the results. It is about providing the requested comfort statement to whoever needs it, e.g. the board of directors.
In this presentation, Prof. Ataya once again pointed out the advantages of mapping actions and requirements onto the COBIT approach!
Ultimately, an audit is about opportunities. For the auditor, this is a matter of focusing on the client’s request and justifying every conclusion. The audit-savvy professional will turn it to his advantage to prove the use of resources or to obtain arguments for additional efforts. The audit client will value the auditor as a source of a solid second opinion.
At the end of his presentation, Prof. Ataya urged the attendees to check with ISACA, either ‘connected’ or as a member, for the many advantages.
In the ‘Anatomy of an audit assignment’, Kelly Hogan, audit expert and trainer, provides an overview of the parts of an audit, with a focus on planning, performing the audit and communicating the results, based on the structure of the IIA audit model (Institute of Internal Auditors).
Of particular importance is the planning phase, with Kelly Hogan providing an overview of the basic steps, objectives, scope and – important – the use of a risk & control matrix. This phase is crucial for a successful audit, and a ‘must understand’ for the audited parties (e.g., explaining why this phase may consume 40 to 60% of the budget, because of a huge learning/‘getting acquainted’ effort). She also points out the deliverables the audited parties should expect to receive, possibly already including some preliminary recommendations. Solid planning is money and effort well spent!
Next, she explains how an auditor goes about performing the audit: the ‘field work’ for ‘collecting sufficient, reliable, relevant and useful information’. Test results must be documented, to confirm facts. Again, a list of deliverables is given.
The communication phase – reporting – is again a multi-step activity, starting with a draft report. Feedback and comments on the draft are a must (both regarding facts and tone), leading to a final report and a customer survey (how well did the auditor do?).