The Absurd Notion of a Balanced Audit Plan
OK, it’s time for a rant. And this one is sure to upset some people.
For some time, thought leaders (such as PwC and certain individuals within our profession) have been talking about the need for “balance” in the audit plan. For example, I just read this from an IIA paper: “Internal audit plans are reflecting much more balanced coverage among operational, financial, and compliance risks than was in evidence for much of the past decade.”
“Balance” implies that you need some percentage of your audit plan dedicated to this area, another percentage to that area, and so on. But I believe that the audit plan should be designed to address the more significant risks, whether that results in “balance” or not.
For example, several years ago my company had an environment where not a single individual in financial reporting held a CPA or equivalent, the prior year SOX assessment included three material weaknesses and a variety of significant deficiencies, we had restated prior year annual and quarterly financial statements, and we had a revolving door among leadership and staff at our European shared services center. Did we seek a balanced audit plan? No, it was tilted way over to financial reporting and related risks.
At another company, I joined at a time when we had just self-reported to the federal government — for the second time — non-compliance with export regulations. The audit coverage was, again and rightly so, unbalanced.
Then, there was the situation when Business Objects was going to be acquired by SAP. In addition to the risks involved in migrating to a new ERP and consolidating some business processes, a significant number of key people involved in those processes were leaving the company. The audit plan gave scant attention to financial reporting, but a lot to risks related to the integration.
My opinion is that seeking a balance among financial, operational, IT, compliance, and strategic risks is not only misguided but high risk.
Instead, all these areas of risk should be understood and considered for inclusion in the audit plan based on their significance to the business, and not some theoretical need to have one from column A, one from column B, and so on. Take the top risks regardless of how they are categorized. If that means that the audit plan has nothing around strategic risks and 80% of the plan is directed at operational risks, that’s not just OK, it is right. If that means that 80% of the plan is on strategic risks, then that’s OK.
Focus on what matters most.
When the ground is unsteady, you naturally lean to one side so you can keep going. Internal audit should do the same — leaning towards the more significant risks.
OK. So who is going to take the first shot at me?
Posted on Apr 10, 2012 by Norman Marks