[ORA] Internal vs External Auditing of Operational Resilience: Roles, Responsibilities and Ethics
Internal vs External OR Auditing: Roles, Responsibilities and Ethics
While both internal and external auditors contribute to assessing and strengthening operational resilience, their roles, responsibilities, and ethical considerations differ significantly.
Hence, it is helpful to understand how these roles, responsibilities and ethical considerations differ between internal auditors (IA) and external auditors (EA).
Internal Auditors (IA)
Roles of IA
- Independent assurance provider. Evaluating the effectiveness of existing resilience programs and controls within the organization.
- Risk consultant. Collaborating with business units to identify and mitigate operational risks impacting resilience.
- Process improvement advocate. Proposing recommendations to enhance OR posture and optimize processes.
- Change agent. Driving improvements in risk management culture and awareness across the organization.
Responsibilities of IA
- Conducting risk assessments and audits focused on operational resilience.
- Testing controls and processes designed to mitigate identified risks.
- Evaluating the adequacy and effectiveness of resilience plans and preparedness.
- Reporting findings and recommendations to management and relevant stakeholders.
- Monitoring and measuring the effectiveness of implemented improvements.
Ethical Considerations of IA
- Maintaining independence and objectivity: Avoiding undue influence from management or bias towards specific outcomes.
- Confidentiality: Protecting sensitive information obtained during audits while ensuring adequate reporting for oversight purposes.
- Competence and professional diligence: Continuously updating knowledge and skills to perform audits effectively and adhere to professional standards.
- Acting in the organisation's best interests: Balancing adherence to regulations with supporting the organisation's long-term sustainability and ethical conduct.
External Auditors (EA)
Roles of EA
- Independent opinion provider: Offering an external perspective on the organization's overall risk management and resilience posture.
- Regulatory compliance assurer: Verifying adherence to relevant regulations and standards impacting operational resilience.
- Stakeholder assurance provider: Building confidence for investors, creditors, and other stakeholders regarding the organization's resilience capabilities.
Responsibilities of EA
- Conducting audits focused on specific regulatory requirements or contractual obligations related to operational resilience.
- Assessing the design and effectiveness of controls based on agreed-upon procedures.
- Reporting findings and opinions to relevant stakeholders, potentially including public disclosure.
- May not delve as deeply into operational details as internal auditors.
Ethical Considerations of EA
- Maintaining independence and objectivity. Avoiding conflicts of interest and undue influence from clients or regulators.
- Professional scepticism. Maintaining a critical questioning stance ensures audit conclusions are based on accurate and sufficient evidence.
- Confidentiality. Protecting sensitive information obtained during audits while fulfilling reporting requirements to designated parties.
- Communication and transparency. Communicating limitations and uncertainties associated with their audit findings and opinions.
Key Differences
- Focus. Internal auditors focus on broader operational resilience within the organisation, while external auditors may have a narrower scope dictated by regulations or contracts.
- Reporting. Internal auditors report primarily to management and internal stakeholders, while external auditors report to their clients and potentially publicly.
- Depth of engagement. Internal auditors typically understand the organisation's internal workings and may conduct more in-depth assessments.
- Impact. Internal auditors directly impact internal change and improvement within the organisation, while external auditors provide assurance and may trigger regulatory consequences.
Collaboration and Coordination
While their roles and responsibilities differ, effective operational resilience relies on collaboration and coordination between internal and external auditors.
- Sharing information and insights. Internal auditors can provide external auditors with valuable context and understanding of the organisation's operations and risk landscape.
- Joint assessments. In some cases, collaborative audits can leverage the strengths of both parties for a more comprehensive evaluation.
- Mutual respect and understanding. Recognising the value each type of auditor brings to building a robust operational resilience framework.
By understanding internal and external auditors' different roles, responsibilities, and ethical considerations, organisations can effectively leverage their combined expertise to assess and strengthen their operational resilience posture.