In all walks of life, complexity is part of our world. The human body is a great example of this. In the winter, it's not uncommon for me to come down with a cough or cold while my wife remains annoyingly healthy. For doctors to identify the root causes of an illness, they need to know more than just the biology of the human body — they also understand other factors. For example, our lifestyle, environment, genetics, upbringing, and a host of other variables.
In the same way that doctors must understand complexity to diagnose illness and provide us with treatments, internal auditors also must understand the complex organizations within which they work. A modern corporation might comprise of different operating units, business units, or divisions. Global operations are common with different legal entities, regulators, and sometimes even audit committees in each geography. Business processes and enterprise risks can cross divisional and regional boundaries.
Despite an organization’s complexity, it’s the role of internal audit to provide assurance to audit committees and executive stakeholders. To do that, internal audit needs a view of the business that allows them to assess risks, prioritize audits, understand how much coverage the audit plan provides, and what parts of the organization have high-risk audit findings.
Typically, however, internal audit frequently represents their organization using a simplified, flat, two-dimensional hierarchy. While this approach makes it manageable for resource-constrained audit teams using tools like Excel, it can make it challenging to answer questions from executives and other stakeholders. For example, how would a divestment impact the risk profile of the organization? How many critical audit findings are related to a specific legal entity, brand, or product line? Are there internal control weaknesses in a specific geographic location or business unit?
To answer these questions, internal audit needs a multi-dimensional view of their organization.
So, in practice, how do you approach this?
Instead of trying to include all aspects of an organization in a single hierarchical structure, start by thinking about the different aspects of the organization or methodology that you want to report against. What questions are you being asked by your stakeholders? What reports are you being asked to create either regularly or on an ad-hoc basis?
Based on this analysis, create separate hierarchies that represent the different aspects of your organization that are important to your stakeholders. This list will be very different between organizations depending upon on the industry, geographic region, etc.; but the following are some common examples.
- Business unit
- Business process and sub-processes
- Product lines/brands or brand families
- IT system
- Legal entity
- Financial statement accounts
- Enterprise risk
Having identified and defined the different hierarchical views of your organization, the final step is to associate audit work to elements within the relevant hierarchies.
For example, a transversal audit might focus on one business process but would also include a scope of multiple business units or locations. To show the audit committee or other stakeholders the coverage this audit provides to the organization, you need first to identify these relationships. A second example might be an audit finding that directly relates to a specific control within a sub-process, but which also impacts an IT system and the organization's financial statements (if it is internal control over financial reporting). Again, these relationships need to be established to ensure that the impact of the finding is well understood by all stakeholders.
Once these relationships have been created, the complex becomes simple and it becomes very easy to answer stakeholder questions. If your CIO needs to know how many audit findings are related to an IT system, rather than looking at the entire audit universe, instead look at your audit universe through the IT system lens. If a process owner wanted to understand how effective controls are across global operations, simply apply a business process lens to your data. If the audit committee needs to understand what coverage the plan provides for a specific legal entity, simply view the audit plan through the lens of legal entities.
As doctors need specialist tools to perform tests and analyze results while they diagnose illness or provide preventative advice, so do internal auditors. Many departments still rely on spreadsheets and similar tools to try and capture and analyze information. While it’s possible to use generic tools, to view your organization through different lenses, consider instead a modern commercial audit management system. Tools like TeamMate+ allow you to create multiple hierarchies, create relationships between any types of data, and most importantly, report on data through any of these organizational lenses.
By making the complex simple, you can help your stakeholders to better understand the organization, the scope of assurance that you provide, awareness of risk across the business, areas of process improvement, and the root cause of organizational problems.