As internal audit leaders work to transform their organization into a next-generation internal audit function, many find that the business is engaging their team more often to provide guidance for a wide range of initiatives — including large transformational or technology projects at the enterprise level. This is a positive trend, as it shows more businesses are seeking to leverage internal audit as a value-adding strategic partner.
Many internal audit functions stepping up to embrace the role of trusted adviser are seeking to establish a formal approach to providing guidance on risks and controls throughout a project’s life cycle. They want to ensure that they can be both efficient and effective when offering input during large enterprise projects and demonstrate to the business why they should be at the table for certain projects. These functions also seek to be more proactive in identifying projects where their perspective and insight can be especially valuable.
One such approach for internal audit that is gaining popularity is the embedded assurance project model, which adds an independent risk and controls audit lens to critical enterprise projects for management, the audit committee, and any applicable external compliance and regulatory entities. The aim of this model is for internal auditors to become true partners throughout a project’s life cycle.
The Role of an Embedded Assurance Team
Under the embedded assurance model, the internal audit function aligns a designated team to a project; this team operates in a different capacity from traditional audit teams that perform core assurance audits. The embedded team serves in a consultative audit role throughout the enterprise initiative, integrating into project teams and providing real-time risk management and controls implementation guidance.
Following is a high-level overview of this team’s mission, outlined through its key activities:
- Identify high-risk or high-impact projects per enterprise mission, financial goals and regulations.
- Assess project governance and documentation.
- Identify and communicate project risk and mitigation solutions.
- Highlight process and system enhancements and efficiencies.
- Provide an enterprisewide view to facilitate collaboration opportunities. (Note: Internal audit, with its wide view across the organization, is uniquely suited to provide this perspective.)
- Participate in all phases of project implementation to ensure effective internal control design.
- Facilitate coordination with external compliance and regulatory entities.
- Perform independent assessments of solution readiness.
The goal of that last activity is for internal audit and management to reach agreement that they are confident the project can be deployed successfully. They consider the solution to be ready for deployment in the enterprise because everything from the design to the completeness and accuracy of data have all undergone robust review and testing.
The projects an embedded assurance team might lend their risk and controls expertise to could be anything from a cloud migration project to the implementation of an enterprise resource planning system to integrations related to a merger or acquisition deal — or even a new product launch. It all depends on whether the project is one where internal audit’s involvement can truly add value.
The Structure of an Integrated Project Team
Developing a successful project team involves bringing together various stakeholders to create a single, integrated unit. This ensures that all the appropriate partners, including internal audit’s embedded assurance team, are at the table to provide necessary input throughout the course of the project.
As the diagram below shows, internal audit’s team sits right alongside the project’s key stakeholders. The shield icon between internal audit and the external stakeholders represents how the embedded assurance team can serve as a buffer or liaison between the project team and stakeholders outside the organization, such as regulators or external auditors.
Even though the embedded assurance team is integrated into the project team, it remains independent from other groups or individuals who are executing and managing the project, such as project specialists and system integrators.
How and Where the Embedded Assurance Team Can Add Value
The embedded assurance team is there to provide a compliance and operational risk lens to projects with a goal of ensuring that risks have been communicated, remedied, mitigated or accepted by management. And if the team identifies any major (aka “showstopper”) risks, internal audit can, in turn, alert the audit committee for further escalation, if needed.
Here’s a closer look at some of the ways an embedded assurance team can add value to a project:
- Risks and controls: Project specialists are focused on implementing the project based on its scope and requirements; they are typically not focused on risks and controls. An embedded assurance team can help ensure that risks are identified early, and relevant controls are designed appropriately to meet existing or new compliance or regulatory requirements.
- Security: The embedded assurance team can help ensure that potential security issues are fully considered and addressed — for example, how segregation of duties will be managed in a new system, or whether least privileged access is in place.
- Reports: The embedded assurance team can confirm that key reports generated from a new system or process will be adequate to support implementation and monitoring of the key controls.
Internal audit can also support the project team through any remaining testing and validation issues prior to go-live, and provide any “hyper-care” (i.e., additional support) post-implementation to ensure that the project progresses back into “steady-state” or “business as usual.”
Another top benefit of using the embedded assurance project model is that it improves the audit committee and board’s visibility into critical projects, especially with regard to understanding expected challenges and how long it will take to see a return on investment — and why.
Selecting the Right Project or Product for an Embedded Assurance Approach
For internal audit functions new to using the embedded assurance project model, internal audit leaders will want to select a project that is highly visible, important to the enterprise, and most important, is an initiative they are confident their team can handle and add value.
The following steps can be used to select an appropriate project for internal audit and gain buy-in for internal auditors’ involvement as part of an integrated project team:
Also, internal auditors must be prepared to step out of their comfort zone when they are working as part of an embedded assurance team, because while they are there at the table to advise on risks and controls, they are also on the front line of project decision-making — and, thus, share in the responsibility for the outcomes of those decisions.
To learn more about the embedded assurance project model for internal audit, including what other benefits it can provide, details on how to develop an approach, what frameworks to consider, and how to manage program and project risks, watch Protiviti’s webinar, “Why Embedded Assurance: A CAE Point of View,” available on demand on our website.