Internal audit has historically been a traditional assurance function, oftentimes reactive in nature with an emphasis on back-testing processes, systems and related controls that have previously been implemented by an organization. The focus typically has been on the past, on assessing and reacting to what has already taken place within an organization – and senior leaders and audit committees have agreed with this mindset. But that old-school perspective is changing.
A growing trend in the internal audit industry is an increase in advisory projects that focus on strategic, organizational change events, emerging risks introduced by shifts in the external landscape or sometimes in working with the business to help enhance the control environment. These advisory projects, also known as proactive assurance engagements, are opportunities to utilize forward-looking techniques when the organization is planning to implement a new system, outsource core functions or resources, execute a merger, acquisition or divestiture, or develop and implement engines for future growth.
To explain a bit further, proactive assurance involves applying an internal audit lens to an organization’s key relationships, products, processes and functions to help determine whether they are achieving the necessary objectives and delivering the expected capabilities. This is accomplished by using a proactive mindset at the early or mid-level stages of an engagement, rather than waiting until the end and then examining achievements and failures in retrospect.
And to be clear, proactive assurance isn’t a trend in its infancy. This movement has been coming for years. It’s already making a major impact in the world of internal audit, spanning virtually every industry, and it’s likely here to stay. Many organizations are shifting their internal audit programs to a higher volume of forward-looking procedures, so much so that many internal audit functions are allocating more of their resources to proactive assurance these days than to traditional assurance.
Through proactive assurance, internal audit can add immediate and tangible value to an organization, be an agent of change, provide stakeholders with differentiated perspectives, improve relationships across the organization, elevate the internal audit brand, and increase the profile of the internal audit function.
When considering these benefits collectively, internal auditors can use a proactive assurance mindset to differentiate their approach in the eyes of an organization. In essence, they can make it clear that they’re not here to be the police, but rather they’re here to enhance an organization – and to do it from the onset. These days, internal auditors need to think about risks before they materialize. That outlook gives organizations a much better chance of success since the internal audit process has been active since the beginning, looking forward toward milestones and goals the entire time.
Proactive assurance also gives internal audit a seat at the table when an organization is making some of its most important decisions. In the past, that table featured corporate executives, project teams, steering committees, and other high-ranking organization leaders. With proactive assurance, the forward focus on strategic organizational changes and the organization’s response to external changes that impact the business allows internal auditors to showcase their value as trusted advisors and subject matter specialists.
In essence, that may be the biggest benefit of proactive assurance – that the internal audit process can be tied directly to future growth and ultimately the long-term success of an organization. Among all the benefits of proactive assurance, ultimately that close connection between internal audit and organizational growth may be one of the biggest wins.
Baker Tilly’s approach to proactive assurance starts with an evaluation of the organization’s business case for change. We work with management to understand and provide feedback on its change objectives, the capabilities it wants to bring to bear through this change and the resources required to support it. We also take a deep dive into the success criteria that management has established. Internal audit is then able to share a point of view on the risks associated with the change event and work with management to determine controls that will or should be implemented to (a) mitigate risks that, if realized, could cause the change event to fail, and (b) identify and test the design of controls that should be in place as of day one of the change being implemented, to support sustained success.
One of the underpinnings of a proactive assurance approach is real-time feedback. For this approach to be successful, it is critical to communicate insights to management in real-time so that potential course corrections can be considered. As a result, reporting generated from proactive insurance is less focused on findings and more focused on providing independent, objective feedback on the progress and success of a change event, as well as recommendations that can be addressed before the strategic project has been completed.