Why keep internal audit firmly in the ERM frame

Sword GRC Blog

Why keep internal audit firmly in the ERM frame

Many organizations adopt a ‘Three Lines of Defense’ model for risk management and compliance and for this to be effective, operational leadership, compliance, and internal audit functions work in unison to assess risk, manage controls and ensure compliance. But should the three branches not always collaborate effectively, internal audit runs the risk of being side-lined.

Keeping internal audit firmly in the loop brings numerous business advantages, including access to strategic insights that can result in reduced enterprise or project risks and cost savings. In this short blog, we’ve put together some pointers for inhouse audit professionals who are keen to ensure that the all-important third line of defense – internal audit – contributes fully to GRC strategy:

  • Reach out and raise the profile of IA

It may be worth extending your reach beyond the managers who provide the information you need to undertake internal audits and try building relationships with senior personnel to whom you can showcase the audit team’s work. By understanding business objectives, helping to identify risks that can challenge the achievement of goals and by putting the right controls in place, internal audit will become an integral part of enterprise risk management and compliance.

  • Consider the bigger picture – identify and address business-wide trends

Rather than concentrating solely on individual issues arising from internal audits, aggregating audit results can highlight actionable enterprise-wide trends. Are some identified issues recurring, or running across different business locations? The regular review of data will aid your team’s understanding of risks – both known and emerging – and help with planning to mitigate impacts.

  • Remember third-party risks

Establishing policies to safeguard your business from external risks that may impact your organization via its vendors or technology partners may also stand you in good stead. Preferably compliance would be automated to help minimize financial or legal implications arising from third-party suppliers’ activities. After all, internal audit plays a vital role in ensuring that effective controls exist for all business activities.

  • Shift from annual planning to incremental

In the wake of the Covid crisis, it may already be the case that your team or department has upped the frequency of audit plans from annual to more regular plans. If not, it’s worth considering for a better ‘eye on the pulse’.

  • Draw learnings from data

In-depth data analytics and real-time data feeds will inform decision-making around risks. Through leveraging data, audit plans will provide better risk intelligence for leadership and help in the mitigation of new threats.

  • The case for a GRC solution

If your organization doesn’t already use GRC technology there’s a strong case for advocating it. The ability to automate your controls framework, monitor compliance and risk levels enterprise-wide and real-time, with triggers highlighting when control levels are not being met and the ability to drill down into data generated will contribute significantly to a more cohesive Three Lines of Defense strategy.

Discover Sword Audit Manager

Integrated with risk management, Sword Audit Manager supports true risk-based auditing by linking strategic planning, audits, and working papers to the risk register to enhance your audit process and improve efficiency. Click here to learn more.

Case Study:

Read how Sword Audit Manager enabled State Department Federal Credit Union to eliminate the need for paper loose-leaf notebook audit binders and switch to using one central system ensuring accuracy of data.