Prioritizing the Work of a Tiny Audit Department

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


I have been a strong advocate for:

  • Building the audit plan so that it focuses on the more significant risks to the organization.
  • Providing a formal opinion on management's processes and controls to manage those risks within organizational criteria.

But what if the audit department is too small — just one or two people — to come even close to that vision?

This is what I think I would do, taking into account what I know some CAEs I respect are already doing in this situation:

  1. Ensure I have a good understanding of the more significant risks and the level of reliance that is being placed on those controls (i.e., inherent risk less residual risk, if you like those terms).
  2. Understand the value I can bring through an audit of those controls. The audit would be as tiny as possible, focusing only on the controls that matter.
  3. Consider whether more value can be delivered through facilitating management's self-assessment of those controls, or by providing consulting services to improve the controls.
  4. Consider where change is happening and risk is being created. Can internal audit provide greater value by serving as a risk and controls consultant in those areas?
  5. Listen to the audit committee to see if they have specific areas of concern.
  6. Listen to management to hear if they desire internal audit services in any particular area. I would resist the temptation to become a special projects person for them.
  7. Develop a proposal and review with the audit committee and then with management (I prefer that order).
  8. Ensure the internal audit charter is consistent with the plan, and change it (the charter) if needed. I would not be afraid of the IIA Standards if the right thing, with audit committee approval, was to go over the line a little (and I mean a little).
  9. Maintain a schedule of potential audits of value, ensuring that management and the audit committee understand the opportunity that would be created if I had additional resources.
  10. Continuously monitor how the plan is going, being ready to change direction if and when needed.

What would you do differently?

Posted on Jun 4, 2012 by Norman Marks


  1. Norman,

     Your point #3 seems to be more of the responsibility of a RM than a CAE. Am I off-base in my opinion?

  2. Good point! When there is only a tiny internal audit department, there generally is no risk management function. So internal audit can extend its wings.

  3. I agree with what you've listed. I suspect there's a difference between a properly staffed small audit shop in a small organization (in which Audit is part of the overall management team) and a small (under-staffed) audit shop in a mid-size organization. Most of what you mention is equally applicable -- in fact they are good ideas for all audit shops. However, in a smaller organization there is probably a little less formality and more cooperation among the various areas to accomplish organizational goals. Your items 3 & 4 especially come to mind, where these things are often handled easily and informally in small entrepreneurial organizations but undoubtedly require a more formal handling for a mid-size organization.

  4. I think that it is important to make sure the Audit Committee knows the risks that are not addressed in the plan. Sometimes the Audit Committee does not know its concerns until they hear what is not being covered. And if too many risks are unaddressed, this can lead to discussions about more resources for the Internal Audit function.

  5. You make some great points and I agree with them. One other consideration also comes to mind. For small audit shops, be they under-sized or right-sized in proportion to the size of the firm, there should also be some level of reliance on continuous auditing and/or monitoring technology. Reliance of course depends upon many factors such as the control environment and the firm's resources. Nonetheless, relying on either methodology could help a small shop extend its coverage and allow the department to focus actual "man-hours" on the most significant risks and any areas that cannot be automated. The reality of this suggestion depends on many factors but it should, nevertheless, be considered. Any thoughts on that?

  6. You have mentioned that some CAEs you respect do this and do that to ensure maintenance of adequate auditing standards. Small audit department CAEs are present face to face with the audit committee and perform all the functions mentioned in your writing. External audit firms or consulting firms were not hired to perform the above functions. Risk profile and business risk are prioritized along with the audit plan etc., etc., combined with full execution of the audit plan.
