
Two-Tier Audit Plan and Risk Rating

For Smaller Internal Audit Operations

By:  Ron Keister, CIA, CPA

Introduction

The purpose of this article is to discuss a way for smaller internal audit departments to improve their effectiveness and efficiency.  The degree to which this can be done is a function of the quality, attitude, and breadth of knowledge of the department’s management and staff, along with the quality of support from the organization’s management. I like to provide this as if it is a Finding, which in essence it is, or was!

Conditions

During my 25 plus years in internal auditing, I had numerous discussions with Internal Audit Directors and staffs about the efficient and effective use of their limited resources.   Most smaller internal audit operations have the problem of insufficient resources.  By smaller, I mean those with one to about ten internal auditors. This lack of resources impacts internal audit departments in different ways.  In most instances this resource limitation simply reduces the number of audits they complete. This results in limited audit coverage of the real organizational risks.  That is, I think too many internal audit organizations are auditing low to no risk activities.

Causes

For years I worked in internal audit departments with this limited audit coverage condition.  Yes, we worked hard, watched our time budgets closely, and did all the right things.  However, in the end, we still could only complete a limited number of audits.  I really never thought much about it other than to be more efficient and effective in what was being audited.  Why?  Well, the IIA Standards stated that we should perform risk assessments of operations and activities and then go do audits of them based on the risk assessment results.  And these audits should be “comprehensive” so that an “overall opinion” could be expressed on the operation or activity.  And we, as auditors who wanted to or were required to follow these IIA Standards, simply did this.  Yes, this is good and improves efficiency and effectiveness by focusing on the higher risks.  But!

Impact/Effect

I suspect that many, if not most, smaller internal audit departments still perform fewer audits.  And some organizations probably are questioning the worth of their internal audit departments.  When times got rough in organizations and funding was limited, I found through discussions with other internal auditors and observations of the decreasing size of a number of internal audit departments that one of the first areas to get cut, or to get cut along with most other areas, is internal auditing.  I began to wonder why!  If the internal audit profession claims to provide so much to an organization, why is management cutting internal staffs, often early in the downsizing process?  That is, why cut the staff of an organization that was supposedly so beneficial to the recovery of an organization experiencing some difficult times?

Several years ago I was Director of a small internal audit department.  My organization was beginning to experience some difficult funding times.  We were doing comprehensive audits as the IIA Standards directed, turning out few audits per year.  The Audit Committee came to me and directed me to provide more audit coverage.  They did not say, or we will cut the staff or eliminate your operations. However, it was clear they demanded more audit coverage of key operations.  I did not know at that time how to do this.  However, I knew we had to do this to survive!  It took several discussions with other audit directors and much thought to figure out how to save the internal audit department.  In other words, how to do more audits with the same staff and still meet the IIA Standards, which was part of our Internal Audit Department Charter.

Recommendations (Solution!)

Our solution was to do a two-tier, risk-assessment-based Audit Plan.  We actually backed into this solution. Our first decision was that we no longer could do bigger audits, unless absolutely necessary.  In our smaller department, we defined bigger audits to be audits budgeted for 500 hours up to an occasional 1,000-hour audit.   We were, however, directed by the Audit Committee to provide “more” audit coverage.  Thus, our decision was to have audits that were no larger than 300 hours, and try to keep most to 250 hours or less.  This meant we had to have very focused audits that rarely provided comprehensive coverage. However, we initially did not know how we could continue using our computer-based risk assessment process and achieve this.  It was a good risk assessment process that focused our efforts in the right areas, and was strongly supported by management.  It was designed for risk assessment of whole departments and operations, including their various activities.  Under our new Audit Plan we knew that we would rarely audit any whole departments and operations. So how did we solve this?  The following provides our solution.

·        Our first step was to get the Audit Committee’s approval of our solution. They liked the solution and approved it.

·        We then had to sell it to executive management, which we achieved with some skepticism by only a few.  Although I must tell you that the management level below executive management did not always buy into, nor support, our solution.

·        We continued using our computer-based risk assessment process that identified the higher risk departments and operations.

·        With executive management’s input and help, we continued completing this risk assessment process annually.  It provided a rolling, three-year Audit Plan.

·        Using the results of this risk assessment process we risk ranked our audit universe, composed of departments and operations.  Our audit universe was fairly well established, generally stable, and supported by executive management.

·        Time budgets were assigned to these ranked audits until we had no more staff hours to assign.  We used the guideline of 250 or 300 hours per audit, unless we knew it would take less.

·        The audit assignments were made and the timing of the audits scheduled.

·        Most of our audits were one auditor, one audit, except for IT audit assistance.  This was because we were a small department and that is the only way to get more audit coverage.

·        The assigned auditor would do research to determine if we could, based on our knowledge and experience with the department or operation, break the audit into its key risk activities.

·        The assigned staff and I then met with the audit department or operations management to confirm and clarify the key risk activities.  As usual, you have to be careful that management does not try to direct you away from known problem activities.  However, this is a problem internal auditors always have to deal with.  So we already had a process in place to help minimize this risk.

·        Once the areas’ key risks were identified, we worked with management to establish the priority and expected results of each risk area.  In other words, what were the most important risk areas to audit and what coverage (opinion) did management want.

·        The last step in establishing the audit scope and expected audit results is the most important and, often, the more difficult part of this process.  This involved taking the list of key risk activities and determining how many hours should be assigned to each until you run out of overall assigned hours.  Although I was actively involved and helped with this part of the process, the staff usually did a very credible job of doing these hour estimates.  We, however, had a back-up process that worked very well.  It is simple in concept, but sometimes hard to do.  This process was to audit one risk activity at a time from the highest down to the lowest!  For example, you and the department or operation’s management agree there are six clearly definable risk activities, and their priority for audit coverage.  (Well, sometimes you agree to disagree, because you know something is a higher risk than management says, or it is an activity that has “required” audit coverage.)  Additionally, your staff and you agree that only the top four risk activities can be covered with the assigned audit hours.  You begin with the top risk activity and work your way down.  Frequently, we ended up doing only the top three risk activities.  Why?  Simply because our estimate of time to cover one or more of these was too low, usually because of the unknown factors that affect all audits.

Our Results

In the first year using this process:

·        We almost doubled our audit report output.

·        We got more positive feedback from middle and executive management than in the previous 3-4 years in total.

·        Several managers began to open up more to us and began requesting internal audits or internal audit help.

By the end of the third year:

·        We were consistently doing twice the number of audits as before this process, providing the breadth of internal audit coverage the Audit Committee required.

·        We got almost universal active, if not sometimes I think almost enthusiastic, management participation in the audit process.  Why?  Probably because they were getting to set the audit results they wanted!

·        The Audit Committee directed management to give us another auditor position.

Cautions

·        This is not a process for all internal audit organizations.  I do not know of any large internal audit organization using this process.  It takes the strong support of executive management (especially the Audit Committee, if you have one!), the right internal audit staff (which can be a difficult issue for some internal audit operations!), and the right attitudes by both internal audit and organization management and managers.

·        Internal audit staff turnover can negatively impact the results of this “different” internal audit process.  I can attest to that from my personal experience!

·        It does not always fit or work well for all audits. For example, “hot topic” audits, fraud audits, management special requests, legal issue audits, and regulator audits often do not work well using this approach.

·        Changes in Executive Management and the Audit Committee can result in significantly different views of this internal audit process.

Try it, you might just be surprised at the results!  It may even save your internal audit organization!

Copyright © Jim Kaplan
AuditNet® is a registered trademark of Jim Kaplan


Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/