Risk Based Internal Audits

Internal Controls – Thinking Inside the Box (COSO Cube)
As the financial year 2015-16 crosses the midway, many companies would still be in the process of coming to terms with the new ICFR (Internal Controls over Financial Reporting) in the Indian scenario.
Any new thing that comes up for implementation generally has some teething issues, simply because change management as a process is frictional and for any successful implementation; a well-defined and well managed project plan is a must.
Business as we see through the lens of Internal Audit, starts off with a vision (mostly emanating from ideas) translates into a mission with a strategy defined to achieve that mission, and strategy further rolls down to objectives (Strategic, Operational, Financial, Compliance) for each of the business processes, which are managed by people; duly supported with technology & resources to ensure that they are in compliance to the policies, laws & regulations while achieving their strategy and mission.
Simply put: Vision & Mission --> Strategy --> Goals & Objectives --> Mapped to business processes --> which are managed by people --> For ensuring achievement of Goals & Objectives --> resulting into Implementation of strategy --> resulting into achieving the mission.
The COSO framework has been used globally and is time tested and has a very rational approach for implementation. Where most companies struggle to achieve a proper implementation of internal controls is they think of Internal Audit as a value adding function / activity and are almost asking for an “Out of the box approach / thinking” and that is where some of those organizations completely miss the point. Internal Audit is not only about value creation but equally about Value Protection, and in today’s scenario, more about risk management, that is where Risk Based Internal Audits have become the fad.
The need today is not to have number of controls but to have right quality of controls, simply because there is a cost to every control you implement in the organization (in terms of time and resources involved).
Where most organizations would do well is, while doing their Enterprise Risk Management exercise, they should define their goals and objectives (which should be enablers for implementation of the strategy and for achievement of objectives) and further map each of those goals & objectives to the business processes and identify risk champions to ensure that those goals and objectives are met within the timelines, keeping in view the overall timeline for fully implementing the strategy.
Once this is done, the role of internal audit function would be enhanced qualitatively and that is where the internal auditor will have to think constructively inside the box (COSO cube), because all 5 parameters of the cube will be inextricably linked to strategic, operational, financial and compliance objectives and that is where the organizations would begin to appreciate the right set of controls being implemented for their business.
Disclaimer: The views expressed in this post are personal views