Do All Your Audit Activities Add Value?

Following on the post about a strategic plan for internal audit, I believe that the CAE and her management team should periodically perform a self-examination to ensure every activity is value add.

Why do I say that? It’s like asking the doctor to undergo routine health checks.

We get comfortable with our processes. We continue to do the same thing, adhere to the same principles — what we consider to be best practices.

Would we accept our auditees answering the question “Why do you do that?” with “Because we always do it that way; because that’s the way the surveys say is best practice?” Of course not.

So let’s tackle two assumptions and test their validity: do the related activities always add value?

First, let’s define ‘adding value’. The only value is to the organization: assurance and consulting services that the board and management would willingly pay for.

Now to the assumptions:

1. The audit plan should address all the more significant risks to the business.
On the surface, this makes sense. But let’s look a little deeper.
What if you had audited the same high-risk area six years in a row and found the controls reliable? What if there were no indicators of issues, no turnover of key management or staff? What if there had been no change in systems, no significant change in the volume of business, type of transactions, etc.?
Perhaps we can agree that a seventh audit would not add much value.
What about adding a project that the audit committee or senior manager has asked for, but the risk assessment shows is a lower risk level than others? I think we would normally try to include it, on the principle that our customers see value in it. I would take that approach as well, unless resources were limited and another project would clearly add more value.
2. Audit documentation is important and must be completed to standards.
Where is the value in audit documentation? When is the last time internal audit was sued?
I believe there is value in most cases, but the level of documentation and the time spent on it should be based on the level of value.
Is the level of audit documentation in your department consistent with its value? Can you safely reduce the time spent, freeing up time for value-add activities?
I see value from:
· Enabling manager review of the work performed, as a quality assurance practice. However, only do as much as is needed to demonstrate the scope was covered, the objectives achieved, and the findings and conclusions are appropriate. If management agrees with the findings, you don’t have to prove them.
· Complying with regulator or examiner requirements. In some industries, the work of internal audit will be reviewed by an external examiner. For those audit projects subject to such a review (not always every project), the level of documentation should comply with applicable requirements.
· Enabling external auditor reliance on internal audit work. However, be sure that you are obtaining at least as much of a reduction in external auditor fees as you are spending in additional documentation time.
· Supporting the next audit of the area. However, be aware that few audits are repeated and that processes and controls may change by the next time this area is audited.

Does everything you do add value to the organization, contributing to assurance and improvement of governance, risk management, and related controls? What can be cut back or out, freeing up time for activities that add more value?

When is the last time your internal audit department had a health check?

PS — a QAR does not typically address this area. Don’t rely on having passed the QAR as evidence that your internal audit department is efficient.

 

Posted on Nov 16, 2010 by Norman Marks


  1. Norman:

    The statement is correct that the audit plan should address the more significant risks to the business. But the audit plan should not address other inconsequential issues and in most cases it does, does it not?

    For example, if specific risks related to procurement are identified in the risk assessment, then the internal audit plan should address those risks and not the entire purchases, accounts payable and payments process. Many companies probably still audit this way, which is reminiscent of how we audited in the 1980's. That's because the mindset is still geared to "what can go wrong" from a process perspective instead of "what are the events that could create risk to our achieving the strategic objectives". Here is an example:

    Company A has a business/strategic objective of achieving an across the board reduction of 20% in cost structure across all businesses from procurement activity.

    In interviews during the risk identification process, the internal auditor and rest of team learn that purchases are being made from thousands of vendors with no attempt to consolidate the vendor base. Furthermore, they note that there is no attempt to identify sources of supply from emerging markets. Finally, there are no efforts to centralize purchase activity procurement from the disparate locations.

    The risk is that the financial results will not be achieved. In constructing the internal audit plan for the year, the auditor should be focused on the specific areas identified and not the entire process unless other issues have been raised throughout the risk identification process. In all likelihood, the root cause of this problem may be that the skills of the procurement personnel are lacking and also there is an absence of concrete policies and procedures.

    Is my thinking correct?

    Regards,

    Arnold

     

  1. Arnold, you point out another source of "waste" or "muda", which I have posted on before. See http://www.theiia.org/blogs/marks/index.cfm/post/What%20is

    I don't believe it is appropriate, in my opinion, to identify higher risk locations or processes in the audit universe, then audit the risks relevant to that location or process. That leads to auditing areas that are not significant to the organization as a whole.

    I believe this is what you are saying. Correct?
