A less mature governance system may emphasize the requirements for compliance with policies, procedures, plans, laws, regulations, and contracts. It will also address the basic risks to the organization.
Thus, the internal audit activity provides advice about such matters. As the governance process becomes more structured, the internal audit activity’s emphasis shifts to optimizing the governance structure and business process.
One approach to business process is business process reengineering (BPR). It involves process innovation and core process redesign. Instead of improving existing procedures, it finds new ways of doing things.
Internal Auditors may be involved in BPR to offer consulting and advisory services to their organization. The emphasis is on simplification and elimination of nonvalue-adding activities.
Thus, reengineering is not continuous improvement or simply downsizing or modifying an existing system. It should be reserved for the most important processes. In the modern, highly competitive business environment, an organization may need to adapt quickly and radically to change.
Accordingly, reengineering will usually be a cross-departmental process of innovation requiring substantial investment in information technology and retraining.
Advisory & Consulting Role in Business Process Reengineering Successful reengineering may bring dramatic improvements in customer service and the speed of new product introductions.
Reengineering and TQM techniques eliminate many traditional controls. They exploit modern technology to improve productivity and decrease the number of clerical workers. Thus, controls should be automated and self-correcting and require minimal human intervention. Moreover, auditors must be prepared to encounter (and use) new technologies.
Most reengineering and TQM methods also assume that humans will be motivated to work actively in improving operations when they are full participants in the process. However, these methods may be resisted by employees who are insecure because of lack of skills, fear of failure, breakup of work groups, and other factors. Internal auditor must first understand relative business processes before performing consulting engagement of BPR.
Defining the scope of areas to be reviewed with management is the first step in a business process re-engineering project. The next step is Gap Analysis which is reengineering process aims to optimize the IT infrastructure. This would provide the Internal Auditor with an opportunity to gain an understanding of the process under review.
Business process re-engineering often results in increased automation, which results in a greater number of people using technology. Post Implementation review is needed to assess the quality of internal control over time. Whenever business processes have been re-engineered, the Internal auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.
If the controls are key preventive controls, Internal Auditor must ensure that management is aware of the removal of the control and is willing to accept the potential material risk of not having that preventive control.
It is imperative to note that Management considers whether internal control is properly designed and operating as intended and modifies it to reflect changing conditions.
Internal auditor reviews this control to offer insight. Internal Audit success in the BPR involvement can be enhanced by:
▪ Internal audit is part of the annual business strategic planning meetings.
▪ Internal Audit attends executive management confidential sessions.
▪ All auditors are part of the “Trusted Advisor” strategy.