The Value of Internal Audit

The value of an internal information security audit, and a few reasons why you should not neglect it.
This week’s blog takes a look at internal audit.  Whilst it is a mandatory requirement of management
systems such as ISO 27001, internal audit can often be the neglected ‘poor relation’.  This is particularly true in smaller
organisations, where the internal audit team consists of ‘volunteers’ who conduct audits as a secondary
role alongside their day jobs.  Their line manager is often an information security officer who is a technical IT
person with little or no audit experience themselves.


Training staff in audit is frequently seen as an overhead, and time spent conducting audits is perceived as time
taken away from their more ‘productive’ primary roles.  The situation is exacerbated by the perpetual turnover of
internal audit team members.  These ‘volunteers’ are often ambitious, seeing internal audit as a way to enhance their skills
and develop their understanding of the business; as they progress in their primary careers and take on more responsibility, their
internal audit role is passed on to someone else.


A fundamental precept of auditing is that nobody should ever audit their own work, and many believe that auditors should not be involved
in auditing their own department or area.  A counter view is that there is little value in staff auditing areas in which they are
not specialists themselves.  That view is most often expressed by those who do not understand the nature of modern audit techniques, which
test whether a process is defined, followed and effective on the basis of objective evidence, rather than relying on the auditor’s own technical
mastery of the area.  Another big misconception surrounding audit, and probably the main reason why it is not fully valued or appreciated, is that audits are
just a ‘box-ticking’ exercise in which the auditor simply seeks yes/no answers to questions on a pre-set list.


In our experience, there are a number of benefits from internal auditors assessing other areas of the business.  For a start,
they gain an understanding of the wider enterprise and often provide ‘cross-fertilisation’ insights and different perspectives
on operations and processes.  We often come across ‘volunteers’ who are hungry to gain a holistic knowledge of the organisation in order to advance their
own careers, and in the process they add real value to an internal audit programme.


Furthermore, internal auditors can be more flexible than external resources: they are able to follow up issues that have been raised in detail,
and to discuss and contribute to the next stage of the process together with the auditees and those in charge of planning the audit schedule.


In many organisations, then, internal audit is allocated on a ‘short straw’ basis.  Even when implementing a new management
system, setting up and conducting internal audit is seen as a bit of an afterthought.  Yet management systems require that, when a nonconformity
is identified, action is taken to ‘control and correct it’, and it is the internal auditor’s responsibility to check that this has been done effectively.


One of the most underutilised elements of the Standard, in our opinion, is the requirement, as part of corrective action in ISO 27001, to ‘determine if similar nonconformities exist or
could potentially occur’.  This is an area where the internal auditor, with their holistic view of the organisation, can be of further benefit and
help spot risks before they become issues or incidents: a nonconformity found in one department (for example, user access reviews not being carried out) is a prompt
to check whether the same control is failing elsewhere, rather than closing the finding in isolation.


We believe that internal audit can add real value to an organisation.  One of the most common pitfalls we see is organisations devising audit
schedules which are overly ambitious and complicated, requiring significant time and resources to deliver.  There is a lot of merit in consolidating
audits (considering a process- or department-based approach), prioritising audits in high-risk areas, and reducing the frequency of some of the
‘run of the mill’ audits.  Yes, audit requires resources, but we believe it is an essential tool in helping organisations to achieve continual
improvement.


If you would like to explore how URM’s consultancy and training services can benefit your organisation,
we offer a ‘no obligation’ discussion with a senior member of our consultancy team.  Please let us know
the specific challenge you are facing within our areas of expertise, e.g. information security (ISO 27001,
PCI DSS), data protection (GDPR, DPA 2018), business continuity (ISO 22301) and risk management, so
that we can arrange a discussion.