
Solution Brief

Effective Internal Audit Management


Get the flexibility and end-to-end functionality you need
Matured solution to improve internal audit effectiveness and
efficiency significantly

Governance, Risk, Compliance and Quality Management Solutions


Table of Contents
Introduction

The Challenges

Overcoming Challenges

Internal Audit Framework

MetricStream Solution

Introduction
With the economic slowdown dominating this year, boards and audit committees are looking to leverage the internal audit function to mitigate a wide array of risks associated with liquidity, cash management, and market volatility. Auditors today need to vigilantly track the company’s debt situation, including debt maturities, access to capital markets, and the impact of the recession on the company’s supply chain and distribution channels. The pressure to maintain performance and meet expectations during the economic downturn has necessitated a corresponding increase in the knowledge, skills, and expertise of internal audit professionals.

Internal auditors are expected to maximize the assurance provided to the Board, the Audit Committee and management, and to contribute to the continuous improvement strategies of the organization without impairing their objectivity and independence. The internal auditor’s role involves providing guidance and expertise in areas including, but not limited to, corporate governance, ERM, fraud policies and prevention, and information technology systems, in addition to the traditional area of internal controls. Audit departments are realizing that paper-based systems, software point solutions, and ad-hoc electronic processes are inadequate to handle the rising number and types of audits.

The MetricStream solution for Internal Audit provides dependable automation and protection from both a risk management and a regulatory standpoint. The solution ensures effective compliance, creates opportunities for cost savings, brings operational efficiencies and, above all, gives a true picture of a company’s exposure to risk.

Internal Audit Management - The Challenges

A survey by Ernst & Young titled ‘The Shifting Internal Audit Landscape’ reveals that:

• Stakeholder expectations are increasing, with greater focus on enterprise-wide risk assessment and business and operational risk.

• In implementing enterprise-wide risk assessments, as well as covering key risk areas, there is an opportunity for Internal Audit to improve coordination with other risk management groups within the company.

• There is an opportunity for Internal Audit to better leverage technology and knowledge collection and sharing tools to improve effectiveness and efficiency significantly.

The current business environment has turned the spotlight on the role that a robust internal audit system must play within the larger drive towards effective governance, risk, compliance and quality management. An internal auditor has to work as a savvy in-house cop who not only reports problems, but also gives constructive suggestions to line managers about how to improve the performance of the business. As a result, the internal auditing and corporate control environment are receiving increased attention and the resources necessary to comply with the regulations.

Despite the increased exposure and buy-in from executive management, internal audit departments face many challenges. A few of them are discussed below:

• Immature Implementation of Risk Strategies: The credit crisis and resulting uncertain economic conditions have forced organizations to scrutinize their risk exposures in greater detail. Most organizations, however, support perfunctorily developed risk management strategies. According to a survey of audit committee members attending the 4th Annual Audit Committee Issues Conference, 44% of conference attendees said that their company’s processes to identify significant business risk need improvement, and 18% said the risk reports that management provides to the audit committee are not meaningful/useful. “Audit committees are taking a hard look at risk management processes, with a particular focus on the quality of risk inventories and assessments, as well as the usefulness of management’s risk reports,” said one of the directors at the conference. He says, “Key challenges include identifying risks early on, and maintaining a ‘big picture’ view of the risks facing the business.”

• Top-Down View: A careful analysis of the frauds which led to the genesis of SOX legislation exposed major weaknesses in top management and the control environment. This put the spotlight on internal auditors to view the business from the top down, and to increase the scope of reviews at corporate offices. The purview should include not only day-to-day transactions, but also the specific monthly, quarterly, and yearly management processes that strongly influence the financial statements.

• Complex Financial Disclosures: The board shoulders the ultimate responsibility for the integrity of the corporation’s financial disclosure. The challenge for internal auditors is to identify whether there are discrepancies in the company’s financial statements, confirm whether they abide by the financial reporting standards, verify whether sufficient controls are in place, and affirm whether shareholders, potential investors or lenders have sufficient information to make informed decisions. Management is responsible for a fair presentation of the financial statements, but the internal audit department must ensure that the financial statements do pass the litmus test.

• Complex Business Models: The board and management are responsible for ensuring the integrity of the business, while the internal auditor is responsible for validating, directly or indirectly, whether the company’s business model is sound. Internal audit confronts questions like: “Will the company be able to survive, or compete in the market?” “Does it adhere to sound business practices?” “Does it give risk management and corporate governance programs an appropriate place in the organization?” Moreover, with communication shrinking the world, and global economies growing ever more intricately connected, organizations operate in a far more complex fashion than before. This increases the potential for problems like inconsistency in enforcing audit processes across business units, erroneous data collection, and the various gaps that result from isolated silos of information. It is difficult to gain the comprehensive map of the entire business that is essential to effective management of risk, governance, compliance and quality issues. The audit lifecycle can often meet a variety of roadblocks that drag out deadlines and jeopardize quality and legal safeguards.

• Growing Regulatory Guidelines and Compliance Demands: The global regulatory environment is in constant flux. Stipulations and guidelines are regularly reviewed and refined to retain their effectiveness. Very often, different countries have distinct recommendations or legal expectations that complicate the role and consistency of the internal audit process across a geographically spread enterprise. Whether it is ISO, SEC or SOX guidelines, companies are now expected to proactively initiate internal, IT-enabled, enterprise-wide audit solutions that ensure compliance.

• Risk Quantification: Risk is an integral part of any endeavor. The risk management unit and the risk management committee are responsible for risk management, but it is the internal auditor’s task to ensure the risk management program works. An effective internal audit management system depends on the ability to build process cycles against an accurate matrix of assessed risk. However, given the dynamic regulatory environment and the complex interconnectedness of business functions, it is often extremely difficult to assess the multi-faceted nature of business risk.

• Governance: An ideal corporate governance framework consists of seven entwined elements: the board and its committees, legal and regulatory concerns, business practices and ethics, disclosure and transparency, ERM, monitoring, and communication. It is the task of internal auditors to review each of these elements, and report their findings on a scorecard, rating their maturity along a scale as “compliant”, “developed”, or “advanced.” At the outset, chief audit executives (CAEs) need to review key organizational documents such as the articles of incorporation, board and committee minutes, the annual report, investor relations policy, code of conduct and ethics, shareholder rights, and the board calendar of events.

• Tone-at-the-Top: Top-down ‘buy-in’ for internal audit is something that can only be achieved when the leadership of the company is sensitized to and convinced of the vital impact it has on compliance, quality, business continuity, and operational profitability. Internal auditors should work closely with the audit committee to establish the audit department’s responsibilities, and the board and management should support those duties. However, internal audit processes can sometimes be ignored by top management, who may choose to focus time and resources on areas they deem to be more pressing to the bottom line.

According to PwC research, internal auditors will be sharpening their focus on continuous auditing between now and 2012 in an effort to streamline the audit process. As risk assessments and risk monitoring assume a more real-time dimension, audit timing will become more dynamic. Audits will be conducted on an as-needed basis, triggered more by changes to organizational risk profiles than by set plans.

• Monitoring and Oversight: Most organizations expect the internal audit department to provide additional input to management, the board of directors, and the audit committee in the form of monitoring and oversight, ensuring compliance monitoring and enforcement of essential requirements. To address weaknesses in oversight programs, the department needs to establish minimum standards for monitoring compliance and risk management programs. These standards should address compliance monitoring activities; technical assistance; enforcement; and documentation, analysis, and reporting of results. Stiff penalties for non-compliance have prompted employers and employees to take a proactive approach to reducing the risk of fraud within their organizations. With an increase in awareness of and interest in corporate governance, the audit function faces a rise in the number of special requests. In addition to this rise in demand for services, implementing a system to evaluate and prioritize the nature and timing of reviews will be a further challenge for businesses and their audit function.
• Information Sharing and Communication: Although some companies, primarily in financial services, incorporated the COSO (Committee of Sponsoring Organizations) framework model into their audit process over a decade ago, many companies are still working towards implementing COSO or a similar model in their organization. The length of a COSO implementation should be reduced by sharing information and communicating throughout the industry. Organizations assist each other by sharing experiences and lessons. It would also be advantageous for boards and executive management to drive the implementation of such a model throughout the business. This should provide those who lag behind with a better perspective on risks and controls, and on what areas need to be considered in the everyday conduct of business, to allow employees to take a proactive approach to enhancing the control environment.

The survey by Ernst & Young (‘The Shifting Internal Audit Landscape’) reveals that when asked how they expect their Internal Audit function to expand the use of leading practices and benchmarking data to support audit activities, 47% of respondents indicated that they maintain a library of leading practices. Thirty-six percent indicated that they maintain industry-based business process models.

Progressive companies are increasingly seeing the answer to these challenges in a unified approach that integrates
the audit cycle within closed loop systems and affords end-to-end functionality across the board.

Overcoming Challenges
To address the rising expectations of chief stakeholders, internal audit needs to find new ways to deploy its
risk and control-based skills to help the organization achieve its strategic objectives and enable value creation.
That effort extends to activities such as:

• Board of Directors and Senior Management Oversight: The internal auditor’s assessment of the role of top management in overseeing a company’s efforts should address objective considerations, such as whether the necessary resources (people and otherwise) and tools have been dedicated to the compliance and risk management effort, whether the tone-at-the-top is inclined towards tighter internal controls, and whether the board of directors and senior management, through their words and actions, are communicating the importance of risk awareness across the company. This also includes instituting communication channels, including a whistleblower hotline, to encourage reporting of compliance issues and risk concerns. Here the internal audit department should evaluate the processes in place to establish and enforce accountability for compliance deficiencies. If evidence suggests that there are discrepancies in the internal controls and risk management structure, this should be a cause for concern.

• Risk Identification and Assessment: The audit should examine whether the risk assessment process
synchronizes with latest changes in the organization, addresses all activities conducted by the company, includes
all applicable regulatory requirements, and documents the methodology used to conduct the risk assessment.

• Role Accountability and Responsibility: During this part of the evaluation, it is important to consider the
credibility, qualifications, and experience of key personnel who have been assigned the critical tasks. Internal
auditors are charged with the responsibility of assuring the board of directors that management, financial
systems, and processes are working effectively. In all other matters, the CEO represents management to the board
of directors. However, in this case, the CEO belongs to the group that is being audited, so it is important for the
internal auditors to have direct reporting channels to the board.

The audit should examine the plan these individuals have developed for directing the company’s compliance effort. This plan should be updated on a regular basis, and should set forth the goals of compliance and the tactics for realizing them, including monitoring, training, and policy and procedure review and updating.

• Policies and Procedures: The internal auditor’s assessment should focus on the company’s process for ensuring that policies and procedures are comprehensive, reviewed and updated on a periodic and reasonably frequent basis, and accessible and understandable. It should also verify that the company has a process in place for communicating important changes between periodic updates. In forming this assessment, internal auditors can test the process by selecting a significant and relatively new regulatory requirement and determining how effectively and efficiently the requirement has been incorporated into policies and procedures and communicated to affected personnel.

• Internal Controls: Consideration of whether or not there is a system of adequate internal controls should be second nature to any internal auditor. The considerations are much the same as they would be in any other auditable area: separation of duties, access limitations, second-review processes, proper documentation of review and approval, etc. Another consideration is whether the controls are manual or automated. Where internal controls are manual, internal auditors need to inspect whether the controls address the requirements of the organization. Where they are automated, internal auditors need to confirm that the workforce understands the technology.

• Self-Monitoring and Remediation: Internal auditor’s evaluation of a company’s self-monitoring and remediation
activities should begin with verifying that the monitoring program incorporates requirements specifically
mandated by laws or regulations, and that it is appropriately aligned with Compliance’s risk assessment.

• Reporting and Record Keeping: Internal audit should also review how the company manages the myriad reporting and record-keeping requirements faced by financial services companies. This requires validating that all such applicable requirements have been identified, responsibilities are assigned, and controls are in place to ensure required information is retained and retrievable for the prescribed periods.

What is needed is an internal audit framework that provides a strategic model, for internal auditors and stakeholders, for understanding the elements necessary to achieve a high-quality and effective internal audit function.

Internal Audit Framework


Ever more complex regulations have had significant implications for the internal audit function, changing the environment within which the rules for security, reliability, and permissible margin of inaccuracy were formed. Internal auditors today need to adopt an integrated auditing approach when evaluating the internal controls, processes and procedures of an organization. COSO, in defining internal control in its report titled “Internal Control - Integrated Framework”, emphasized the role of internal audit in helping management monitor the control system and making them aware of its strengths and weaknesses. It treats internal auditors as a form of internal control that functions by evaluating other forms of internal control. Similarly, there are other generic frameworks that internal auditors can use to determine the scope of the audit, including the Federal Sentencing Guidelines and the Basel Committee principles on compliance (as documented in its publication entitled The Compliance Function in Banks), in addition to general guidance published by various other sources. While none of these frameworks is identical, there is a high degree of commonality among them, suggesting a number of key program elements that should be included in an effective internal audit program. Each of the following is a key area to address:

• Structure and Resources: Before embarking upon the auditing process, internal auditors establish the structure of the internal audit function and assess the key internal audit personnel and their respective roles and responsibilities. Where the function is outsourced, the focus includes the terms of the outsourcing arrangement and how it is monitored.

• Independence: The board should ensure that the independence of the internal audit function is maintained.
The internal auditor should maintain dual reporting relationship to management and the organization’s most
senior oversight group. The internal auditor should report to executive management for assistance in establishing
support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement,
and accountability.

• Approach: The approach taken by internal audit should be clear, and may be either or a combination of: a risk-based approach, focused on the high-risk areas of the institution; and a review-based approach, focused on reviews of the various parts of the institution. The board should endorse the approach, and it should be scalable to future change, so that it adapts agilely to issues requiring internal audit involvement.

• Segregation of Duties: Segregation of duties ensures that no one person is solely responsible for an entire process end-to-end without effective checks and balances. For example, key authorization processes should have appropriate checks and balances: the person who records the transaction should not be the same person who conducts the transaction. These simple checks and balances ensure effective controls and reduce organizational error rates.

• Policies and Procedures: Written policies and procedures codify management’s criteria for executing an
organization’s operations. They document business processes, personnel responsibilities, departmental
operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures
serve as effective training tools for employees. Having a documented repository of your standard operating
procedures at the operational, financial, manufacturing unit levels, ensures consistency of processes and reduces
audit failures.

• Internal Audit Plan: The internal audit plan, which usually details the proposed internal audit work for the next 12
months, should be documented and endorsed by the board. Importantly, the plan should be consistent with the
type of approach to be taken and should be adequate for the scale and complexity of the institution’s operations.

• Audit Data: The internal audit should capture audit-related data on a single database for the entire enterprise, so
that all data mining, benchmarking, and trend analysis processes are significantly improved.

• Reviews and Approvals: When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was done. Review and approval are controls that help management gauge whether operational and personnel goals and objectives are being met. In this day and age of email and web technologies, it is easier to document approvals if you refrain from verbal approvals and use electronic methods to approve key policies and processes.
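The two controls above (segregation of duties, and independent, documented review and approval) are the kind of thing an auditor can test mechanically over a transaction log and an access-control export. The following is an added illustration, not MetricStream code; the record layout, the duty names, the conflicting-duty pairs and the sample records are all constructed for the example. It flags records where one person both executed and recorded a transaction, where no independent approval exists, where the approver is not independent of the process, and where the approval was only verbal; it also performs the preventive check of finding users who merely hold a conflicting pair of duties, whether or not they have exercised both yet.

```python
"""
Segregation-of-duties and review/approval checks over a constructed
transaction log and role export. Added example, not MetricStream code.
Duty names, conflict pairs and the record layout are assumptions.
"""
from collections import defaultdict

# Pairs of duties that one person must not hold for the same process (assumed).
CONFLICTING_DUTIES = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"record_transaction", "execute_transaction"}),
}

# Constructed sample records: who executed, who recorded, who approved, and how.
TRANSACTIONS = [
    {"id": "T1", "executed_by": "alice", "recorded_by": "bob",
     "approved_by": "carol", "approval_evidence": "electronic"},
    {"id": "T2", "executed_by": "dave", "recorded_by": "dave",
     "approved_by": "carol", "approval_evidence": "electronic"},
    {"id": "T3", "executed_by": "erin", "recorded_by": "frank",
     "approved_by": "erin", "approval_evidence": "electronic"},
    {"id": "T4", "executed_by": "alice", "recorded_by": "bob",
     "approved_by": None, "approval_evidence": None},
    {"id": "T5", "executed_by": "grace", "recorded_by": "heidi",
     "approved_by": "ivan", "approval_evidence": "verbal"},
]

# Constructed (user, duty) assignments, as an access-control export might list them.
ROLE_ASSIGNMENTS = [
    ("alice", "initiate_payment"),
    ("bob", "record_transaction"),
    ("carol", "approve_payment"),
    ("dave", "initiate_payment"),
    ("dave", "approve_payment"),   # conflicting pair held by one person
    ("erin", "create_vendor"),
]


def transaction_findings(transactions):
    """Detective check: return (transaction id, issue) for every record where
    one person performed two of the three duties, no approval exists, or the
    approval is not documented electronically."""
    findings = []
    for t in transactions:
        if t["executed_by"] == t["recorded_by"]:
            findings.append((t["id"], "same person executed and recorded"))
        if t["approved_by"] is None:
            findings.append((t["id"], "no independent approval recorded"))
            continue  # nothing further to check without an approver
        if t["approved_by"] in (t["executed_by"], t["recorded_by"]):
            findings.append((t["id"], "approver not independent of the process"))
        if t["approval_evidence"] != "electronic":
            findings.append((t["id"], "approval not documented electronically"))
    return findings


def role_conflicts(assignments, conflicts=CONFLICTING_DUTIES):
    """Preventive check: return (user, duty_a, duty_b) for each conflicting
    duty pair that a single user holds, whether or not it has been exercised."""
    duties_by_user = defaultdict(set)
    for user, duty in assignments:
        duties_by_user[user].add(duty)
    out = []
    for user, duties in sorted(duties_by_user.items()):
        for pair in sorted(conflicts, key=lambda p: tuple(sorted(p))):
            if pair <= duties:
                a, b = sorted(pair)
                out.append((user, a, b))
    return out


if __name__ == "__main__":
    for tid, issue in transaction_findings(TRANSACTIONS):
        print(f"{tid}: {issue}")
    for user, a, b in role_conflicts(ROLE_ASSIGNMENTS):
        print(f"{user} holds conflicting duties {a} and {b}")
```

The detective check only catches conflicts after they have been exercised, which is why the preventive role check over the access-control export belongs beside it: a user who can both initiate and approve a payment is a finding even before a single transaction shows it. On a real system the same two queries would run against the workflow history and the role administration tables rather than the inline lists.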

• Reporting: The internal auditor should report findings to the Audit Committee (or board) regularly. Serious issues should be escalated to senior management and the Audit Committee (or board) without delay. The reporting infrastructure is not just a way to create visibility into the status of key processes and activities; it also gives management and the auditors a way to get near-real-time visibility into the key indicators of the organization. Reporting of key Corrective Actions and Preventive Actions, process KPIs, employee training status for key processes, supplier and partner scorecards, and quality maintenance reports on critical equipment and plants are simple examples of a well-designed management reporting system.

MetricStream Solution
MetricStream’s Internal Audit Management solution is a comprehensive application designed to help companies manage a wide range of audit-related programs, data and processes. It provides the flexibility to support all types of audits: internal audits, operational audits, IT audits, supplier audits and quality audits. The solution provides end-to-end functionality for managing the complete audit lifecycle, including risk assessment, audit planning and scheduling, development of standard audit plans and checklists, field data collection, development of audit reports and recommendations, review of audit recommendations by auditees and management, and implementation of audit recommendations and remediation.

• Audit Planning: MetricStream’s Audit Management solution helps you create an audit program with a well-defined objective and scope tied to quality, compliance and risk management processes. With the solution, auditors can organize an audit in a logical structure and hierarchy with detailed audit templates and work orders. The solution also helps organizations define evaluation and pass/fail criteria, checklists, and the tasks that need to be performed to execute the audit periodically or on an ad-hoc basis. Based on the master audit calendar, you can select an auditor or a team of auditors and assign the audit responsibility to them with a due date. Automatic notifications are sent to the auditor as well as to the entity being audited.

• Audit Execution: The MetricStream solution enables auditors to record qualitative or quantitative findings, along with detailed observations and recommendations, in predefined formats alongside the checklist of evaluation criteria and questions. A unique offline capability allows auditors to enter audit findings on notebook computers or handheld devices at remote field sites, even without access to the corporate network. They can later synchronize the data with the central repository when they have network access. Audit managers can track the status of the audit and measure progress against milestones to ensure timely execution. A time-tracking capability captures the time spent auditing, for optimal resource utilization.

• Audit Review: The MetricStream solution helps you route audit findings, observation reports and auditors’
recommendations for review and subsequent actions. The audit findings are sent to the audited entity to seek
response on findings or issues observed. The solution has built-in workflows for reviewing responses for approval
or rejection with the options to initiate remedial actions for undesirable variations and trends, as well as to
schedule follow-up audits.

• Reports and Metrics: The MetricStream solution provides comprehensive capabilities for compiling audit reports
and work-papers. It provides complete visibility into the audit process with easy status tracking. The solution
allows access to all audit data and histories, as well as analysis of auditor performance and audit results. Graphical
executive dashboards and flexible reports with drill-down capability provide statistics on a variety of parameters
such as by audited entities, audit schedule and calendar, finding reports, and corrective and remediation actions
triggered.

• Risk Assessment: The MetricStream solution allows the Audit Management department to integrate with the Risk Management solution, and supports assessment of risks based on parameters such as severity and likelihood of occurrence for calculating the risk index of a finding. The solution supports risk assessment and computations based on configurable methodologies and algorithms, giving auditors a clear view of the organization’s risk profile.

• Alerts and Notifications: The MetricStream solution extensively utilizes email as a mechanism for delivering
event-based notifications, assignments, alerts, and escalations to ensure timely completion of tasks.

• Security and Access Controls: The solution provides multi-level role-based access controls, essential for
companies with multiple locations, product lines, and business units.

• CAPA/Remediation Management: The MetricStream solution provides seamless integration with CAPA/
Remediation Management solution for observations and findings that require a remedial corrective action plan.
Once issues are identified, documented and prioritized, a systematic mechanism of investigation and remediation
is triggered by the underlying workflow and collaboration engine.

• Reports Wizard: In addition to the standard reports available in the solution, the end-users can build custom
reports using the simple Reports Wizard without any programming. The solution also supports automated
generation of reports in standard file formats.

MetricStream, Inc.
2600 E. Bayshore Road
Palo Alto, CA 94303
Phone: 650-620-2955
Fax: 650-565-8542
info@metricstream.com
© 2014 MetricStream Inc. All rights reserved.

For More Information


about MetricStream GRC and Quality
Management Solutions
please visit www.metricstream.com
