COSO process looks to a review of a business’s objectives, control objectives, measures
to evaluate risk, procedures to monitor those objectives and risks, and reporting
on the effectiveness of those measures and their employment. It also requires an
overview of the effectiveness of the process. In the COSO presentation, managers
and their staff do the evaluation, not internal auditors. The internal auditors actually
spend more time reviewing management’s evaluation. Although a subtle change, we
begin to see a shift to a partnership where the internal auditors help managers assess
their risks.
This process shift also made auditors more efficient. Managers had to
present why they believed they had the appropriate control environment. The internal
auditors assessed the process by which management came to this conclusion.
Much of the detail audit work shifted to the business because they had to provide the
evidence that they had the appropriate control and risk measures and that those measures
were being monitored and reported on to the appropriate supervisory levels.
32.11 FUTURE OF INTERNAL AUDITING. The new internal auditing model focuses
on risk. Instead of viewing a business process within a system of internal control,
today’s auditor views the business process within an environment of risk. This
shift in focus emphasizes the future as opposed to the past and is more likely to
address the full range of issues that concern management.
An analysis of the way in which organizations are changing suggests ways that
internal audit will have to adapt. Reengineering changes the way in which employees
work. Changing technology alters the way we control work. Virtual organizations are
gaining in importance. Regulatory compliance is here to stay.
What does the future of internal auditing look like?
The current business environment requires a leaner and more flexible approach to
internal control. Many companies have addressed this challenge through reengineering
and new information systems, creating entirely new types of businesses to manage
and control. Senior managers can no longer impose structured internal control
systems on their organizations; such systems are too costly both in terms of people
and in terms of competitive advantage. Instead, senior executives must manage and
control as an active team member in their organization’s business processes, providing
real-time responses to current business challenges.
How can senior managers gauge how they are changing with their processes? A
good diagnostic is to start by asking a few simple questions. What have we done to
ensure that:
- People in the organization are behaving the way intended?
- We are identifying our real risks and being alerted to critical changes?
- The internal and external data we rely on for critical decisions are accurate?
- Critical information and assets are protected?
- Regulations are followed?
Underlying all of these questions is the ultimate question—are we setting the right
tone at the top?
32.12 SUMMARY. Internal auditing has entered a period of extreme challenge. Internal
auditors must involve themselves in things that are happening in a company as