Going Beyond Compliance Audit
“This is a non-compliance with the Instruction Manual.”
Internal auditors in the public sector would be familiar with this statement. You may even have used this quote yourself or mentioned this in audit reports. Instruction Manuals (IMs) are centrally issued instructions and prescriptive guidelines that apply to all government agencies and are mandatory for compliance. Today, IMs cover different functional areas, such as finance, HR, procurement, office admin and IT. There is an IM that governs the work of everyone in the organisation, and hence there is always an IM that everyone must comply with at work.
While there is no doubt that IMs (along with company policies and other regulatory requirements) are authoritative, we always go beyond this statement to articulate the risk impacts when surfacing an audit finding. In other words, instead of merely highlighting a non-compliance, it is important to explain clearly to the business owner the implications of such non-compliance. When we address the ‘so-what’ of the issue, business owners better understand the risks and impacts, and will allocate the right amount of effort to improve processes.
Similarly, when planning an audit and designing audit procedures, we should really go beyond focusing on regulatory compliance. Do not stop at checking for compliance with the IMs or your company policies; go a step further to review other areas your stakeholders may be concerned with. For instance, are they concerned about performance issues? What about operational inefficiency?
In a recent Audit Committee meeting, one of the members shared her observation that some organisations lose their operational agility and efficiency due to an over-emphasis on compliance risks. While she was not suggesting that we turn our attention away from compliance issues, it was a good reminder that checking for compliance alone is not sufficient. Auditors need to provide assurance on the organisation’s ability to implement internal controls (to ensure good governance and compliance) while preserving its competitive advantage to deliver the intended business outcomes. During an audit, we should identify controls that are redundant or obsolete and not cost-effective. For example, while a maker-checker control over key transactions would tick the box in the compliance checklist, don’t stop there. See whether there are ways to improve efficiency, say, by embedding these checks into the IT system.
When we think and go beyond compliance audit, we can be more assured that business owners won’t walk away with the impression that auditors are merely ‘law enforcement officers’.
Norman Kuik is an internal auditor at the Economic Development Board and a Governor of The Institute of Internal Auditors Singapore.