Internal audit

Expectations placed on the role and value delivered by Internal Audit (IA) functions continues to evolve and intensify. No longer is it sufficient for assurance delivery focused only on internal controls surrounding financial reporting and fraud. Boards are increasingly demanding a more comprehensive and advisory-led approach that encompasses both value protection and strategic execution, covering a wide range of business units, functions and risk areas.

MERC & CO fully endorse such an evolution, seeing significant benefits in having an independent and robust, yet collaborative and agile IA function. We see IA teams as uniquely placed to be a neutral observer of the organisation’s strategy, performance and day-to-day activities, complementing and challenging the often more emotive opinions and views of front-line management. Progressive IA functions offer those charged with governance an independent reflection and objective evaluation of organisational status, providing an insightful source of cross-divisional knowledge that can detect patterns and opportunities which more traditional, silo-based teams may miss.

Realisation of these benefits is not always straightforward in practice however, with common challenges we frequently see organisations grapple with including:

​

• A broadening of IA’s scope to deliver additional insights and recommendations will often be expected in addition to what the function already provides, without a corresponding increase in headcount. For example, an internal control testing framework, upon which key compliance declarations are made (e.g. SOX / JSOX) cannot be sacrificed. IA teams must therefore seek more efficient ways to deliver their ‘business as usual’ activities (e.g. adopting an out-source / co-source model; better use of technology; more prioritised risk focus; costs review and re-basing etc.) to help create the capacity to meet new expectations.

• A reluctance by IA functions to adapt and innovate outside of their traditional comfort zones. Innovation can take a wide variety of forms, such as adopting a more dynamic, risk focused auditing approach with shorter, sharper reviews, greater reliance being placed on automated data analytics etc. Our experience is that a slow pace of innovation can be tied to a fear of potentially making an error or omission, something that is seen as unacceptable for an IA function which can be expected to be ‘perfect’ and ‘whiter than white’. There may also be a mindset from leadership to not fix that which is not broken. This can be surmounted with strong sponsorship from senior stakeholders, a clear vision, and evolved risk appetite, with an overall reframing of the need for change as an exciting challenge for both functional and personal development, coupled with hiring / training of staff to develop the requisite skill sets and expertise.

• The difficulty in providing assurance and advice over many strategic, operational and compliance / ethical risk areas which typically offer no pre-defined benchmark / yardstick. Unlike with accounting and auditing standards, there may be no agreed parameters or measures determining what is acceptable or not for many potential areas of focus, requiring IA teams to adopt a level of tolerance for ambiguity and often more qualitative based reporting. This again does not always come naturally to IA functions who are used to delivering more binary answers. Leveraging internal and external subject matter experts to help develop the audit strategy / protocol, as well as with the subsequent audit execution and reporting, can lead to advice which might be more subjective, yet highly relevant and insightful to users.

​

How do we help?

​

MERC & CO’s senior team has decades of experience successfully delivering internal audits across a broad range of risk domains and business areas, as well as in IA functional leadership, programme coordination and oversight. When engaged tactically we have supported clients deliver audits with terms of reference spanning, for example, supply chain and procurement (including contract compliance and vendor management capabilities), technology and sustainability, as well as systems of risk, resilience and compliance management. Our specialists also offer an array of niche assurance capabilities e.g. Anti-bribery and Corruption (for FCPA and UKBA compliance), Fraud, JSOX, Oil & Gas EHS, Pharmaceutical Third Parties etc. In addition to deploying our team to deliver focused audits and support, our services also include:

​

• IA effectiveness reviews and maturity benchmarking, including support with resultant Quality and Assurance Improvement programmes (this can also be offered as a standalone engagement)

• IA function design, development, set-up and roll-out support, covering aspects such as methodology framework, IA Charter, function KPIs, audit reporting templates etc.

• Head of IA training (including both technical and ‘soft’ skills) and team development coaching, training and advice

• Facilitating IA risk assessments and support in crafting appropriate internal audit plans in response

• IA functional cost reviews / efficiency finders

• Development of integrated assurance frameworks with other second, third and fourth line functions / domain areas e.g. Enterprise Risk Management, Compliance, Business Continuity Management (BCM), Information Security, Health and Safety, External Audit etc.

• Enhanced Audit Committee reporting design and population

• IA software selection and configuration

​

In addition to our technical advisory support we also provide a range of transactional services to provide interim solutions, capacity and good practice, cost-effective execution of IA activities. These include:

​

• Managing / overseeing / challenging co-source and out-source partners to ensure optimal value delivery (we also support the running of IA RFPs)

• Interim Head of IA secondment e.g. on a contractual basis to cover for leave of absences, and provision of high-quality, closely vetted, experienced internal auditors to augment your existing teams