What Now for Internal Audit?
Now that many companies have tackled Sarbanes-Oxley compliance, what’s next for the internal audit function?
Many organizations are finding a whole new value for internal audit they have never seen before. The challenge for internal audit is to maintain its independence to ensure it can provide an un-biased opinion. That independence is still very important.
The difference is that operations executives have begun to see internal audit as a source for change. One factor is the trend toward risk-based audits. The audit rotation can be defined according to a risk-based model.
Internal audit can provide ad hoc services to assess a loss, the risk of a loss, and the appropriate remediation steps to resolve issues. Services can include fraud investigations, project oversight and contract reviews.
Now that businesses increasingly understand the value of an effective controls environment, internal audit is being seen as more of an extension of the business.
Internal audit is being used to assess the operating environment, provide guidance to meet compliance requirements and identify best practices regarding the design and implementation of an effective operating environment.
Internal audit is also providing guidance on the definition, establishment and monitoring of key performance indicators and service-level agreements that ensure an organization and its third parties are performing according to expectations.
In addition, many internal auditors now design and implement integrated management compliance systems that enable real-time monitoring, reporting and resolution of compliance issues.
Some organizations are concerned the new services will create an independence issue and have created the role of compliance management officer to handle these additional roles and responsibilities. The CMO works independently of the internal audit department to oversee compliance matters, improve compliance performance and reporting, and ensure that changes or new implementations are performed according to compliance requirements.