In our previous article, we shared insights on a PwC report – “State of the Internal Audit Profession Study: Finding True North in a period of rapid transformation”. The report was published in March 2015 and we are proud to say that the report marks PwC’s 11th annual State of the Internal Audit Profession Study and reflects the opinions of more than 1,300 Chief Audit Executives (CAEs), senior management and board members globally.
We concluded that article by sharing insights on four areas that are critical to pointing companies in the right direction on their internal audit function. In this article, we will shift our focus on lessons for internal audit functions in Ghana.
Lessons for internal audit functions in Ghana
A significant number of internal audit functions in Ghana are yet to evolve and keep pace with the changes in their businesses as well as international best practices. It is safe to suggest that most internal audit functions in the country are yet to fully migrate from the traditional approach of auditing ‘anything and everything’, to the more preferred, and internationally recommended, risk-based internal audit approach. Internal audit functions in Ghana can draw very valuable lessons from the results of the PwC study to help sustain the relevance of their functions.
To add value to their organisations, CAEs in Ghana must begin to re-assess the timelines of the assurance and consultancy services they provide to senior management and the board. Over time, most internal audit functions in the country have reclined their role to mostly pre and post transaction audits. Occasionally, representatives of internal audit get invited to sit in project meetings to help assess risks inherent in committee decisions and advice accordingly. At best, and perhaps rarely, the CAE adequately participates in key strategic corporate decisions. Strategic initiatives such as corporate rebranding by service organisations, cost reduction and re-engineering by mining companies, development of new products by banks, insurance and telecom companies, and vertical and horizontal integration by manufacturing companies are constantly ongoing as a means to business survival. To remain relevant, internal audit functions in such entities must become more proactive in terms of anticipating risks and providing input into the risk management processes in their companies. The timeliness of internal audit’s interventions must remain at the top of CAEs’ strategic initiatives. There is little value auditing a massive rebranding project only after it has been fully completed. Similarly, internal audit functions add little value auditing components of a new insurance product months after its introduction to the market. Change is here, internal audit is now responsible for providing timely advice and support prior to, or during the process.
The results of the study also reflect the current state of internal audit in many jurisdictions, including Ghana. Most internal audit functions have a staff composition of financial controllers, compliance officers and, occasionally, IT auditors. To remain relevant, however, CAEs must constantly endeavour to comply with the IIA Standard 2030 “the chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan”. We continue to learn from research that non-traditional internal audit skills are helping internal audit functions make the journey successfully. As companies in Ghana undergo transformation, internal audit functions must review the adequacy of their skills mix to keep pace with the changes. No doubt, even the most experienced financial auditor can only superficially review complex mine inventory or insurance actuarial models.
The IIA Standard 2010 states “the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals”. Sadly, the concept of risk-based auditing is yet to be fully embraced by most internal audit functions. Historically, CAEs have planned their audits with the aim of achieving wider coverage rather than providing assurance over the areas which pose significant risks. Most companies in Ghana, and particularly those in the non-regulated industries, may still be in the process of maturing their risk management programmes. However, to become relevant and offer true value for their companies, applying the risk-based auditing approach is imperative. It is important for CAEs in Ghana to recognise that the activities of internal audit will lead to value addition only if they complement the efforts of senior management and the board towards achieving the strategic objectives of the company. As the third and final line of defence, internal audit provides this value-addition through risk-based planning and prioritising resources based on the areas of higher risks.
Most companies spend significant amounts to acquire IT resources which process and store large volumes of operational and financial data. However, such large volumes of data present opportunities and risks to companies. Whiles well-resourced internal audit functions have been able to effectively utilise this resource in providing assurance, others appear to have been taken by surprise. The internal audit functions in most average to large size companies that process large volumes of data, such as banks, manufacturing, telecom and insurance companies have recruited staff to provide assurance over risks from IT and data assets. Data analytics using tools such as ACL appears to have gained root in most organisations. To stay relevant, internal audit needs to continuously assess the level of skill of the resources which have been employed to provide assurance over IT risks.
In conclusion, it is typically easy to stay on course when you are familiar with the landscape. However, today’s business environment is not a familiar terrain. For this reason, internal audit leaders in Ghana must find and stay focused on new and innovative ways to create true value. This requires CAEs to keep pace with the changes in their organisations and stay focused on their critical risks.
In subsequent articles, we will evaluate the survey results for specific industries such as banking, insurance, mining and telecommunication, and assess the lessons that our internal audit practitioners can draw from them. Want to know more? Let’s talk.