Internal audit, reframed.

Five years that changed how an audit committee should brief its internal auditor.

Internal audit has changed more in the last five years than in the previous fifty. The audit committee is no longer asking only whether the controls work. It is asking whether the process itself is fit for the business that the company has become — whether revenue recognition still matches the way the company sells, whether procurement controls still match the way the company buys, whether the IT environment still matches the way the company operates.

A risk-register that is reviewed once a year is no longer enough; the risks themselves are changing inside the year. In that environment, an internal audit that simply tests controls against a documented framework is doing the easy half of the job. The harder half — and the half that creates value — is to step back, study the process end-to-end, ask what the process is for, and propose the structural change that closes the gap.

What this looks like in practice

For a closely held manufacturing group we worked with, the audit programme moved from "test 40 controls in procurement" to "study the procurement process end-to-end and ask why the same vendor is on two payment cycles". The finding was small. The fix — a single approval-matrix change and a quarterly vendor-rationalisation cycle — saved meaningful cost.

What the audit committee should ask

Three questions are worth putting on the audit committee agenda this quarter. First — are the processes we audit actually the processes the business runs today, or are they last year's processes? Second — when an audit finding closes, does it close because the process changed or because the control was tightened around an unchanged process? Third — is the audit report being read by the audit committee, or just received?

None of these questions is rhetorical. The answers shape what value internal audit creates over the next year.