Paradigm shift from Traditional Auditing
In this age and time, Management System internal auditors face greater challenges in their task. They need to respond effectively to the demands of a rapidly changing and complex business environment, while helping organisations continue comply with growing regulatory mandates and conform to other requirements.
This pressures internal auditors to indirectly change the way how audit should be organised and carried out. The auditing method will not just merely focus on conformity but value-adding that will contribute to sustained success of the organisations maturing systems.
So, shall the audit be assessed based on functional or process approach? At the point of conducting audits, shall the controls be the main audit concern than risks and other requirements? Must internal auditors be trained every time before audits?
First, audits must be business-driven. Internal Auditors must understand the business model and demonstrate their competency and professionalism in the internal audit field.
Audit methodology and strategy must be able to detect control gaps and weaknesses in a ‘real-time’ environment, making it possible to report and rectify any areas for improvement.
Value-add auditing can help validate the adequacy of management's continuous monitoring controls. And, it can also help organisation to focus on high risk or significant areas of exposure to the organisation.
Risk-based auditing requires not only audit knowledge, but also technical knowledge and detailed knowledge of controls built inside of various management systems. Business risks can be classified into internal risks (risks arising from the events taking place within the organisation) and external risks (risks arising from the events taking place outside the organisation). Internal risks arise from factors such as process (lack of monitoring), technology (obsolete technology), machinery (failure of machines) and financial (cash flow status) which can be controlled. Whereas, external risks arise from factors such as market or economic (pricing pressure), natural disaster (floods, earthquakes, volcano eruption), political and legal (compliance and regulations of government).
With this arrangement, organisation can avoid multiple auditing exercises and cost effective. Adopting different auditing techniques will provide the Management with more accurate information on the effectiveness of risk management and internal control system