by Norman D. Marks, CPA, CRMA

In my last post, I discussed “What Should Auditors Audit?” My answer was that internal audit should address the risks that matter to the organization, its board, and executive management team:

“All risks that could affect the achievement of corporate goals, including unstated objectives such as compliance and safety, are prioritized and the top ones considered for inclusion in the audit plan.”

I also explained that, “When internal auditors provide insight and even foresight on the risks that matter, their work matters to the board and top management. Instead of finding problems and being perceived as an overhead activity that adds to management’s task list, they are helping the board and management deliver value to stakeholders.”

What Not to Do with Your Audit Plan

All too often, internal audit performs audit engagements where even if there were significant issues they would never merit the attention, let alone the action, of the board or top management. Clearly, these audits don’t matter.

All too often, internal audit is not addressing the risks that could cause significant problems for the organization and its achievement of organizational objectives. For example, only a few internal audit departments assess whether the decisions made in setting strategies and objectives, and then in executing them in the daily operation of the business, take risk sufficiently into consideration.

This is the heart of risk management. Between 40% and 50% of internal audit departments are starting to assess risk management in their organization, but they limit that assessment to the organization’s periodic review of a list of risks, rather than examining how it handles a dynamic risk environment.

Another area that is often overlooked in the audit plan is whether management has reliable information on which to make decisions. Scattered systems that require duct tape (in the form of spreadsheets) to consolidate operational as well as financial information on a monthly or quarterly basis are less than ideal when managers have to make decisions at speed.

We have all seen companies that led the market falter and even fail as they were overtaken by technology and competitors. Few auditors are considering whether their companies are sufficiently agile, in management and in systems, not only to identify threats but to act on them.

What to Consider for Your Audit Plan

But let’s get to the practical. Here are a few steps internal auditors can consider when prioritizing the risk universe (see my previous post about moving from an audit universe to a risk universe).

  1. Confirm that it includes all the risks that matter. If the enterprise risk management system is sufficiently mature, use it to the extent possible. Review the topics on the agendas of the board and executive management meetings – are they risks that should be included in the risk universe?
  2. For each risk, consider the potential effect on the organization and its objectives should there be a failure of related controls. What is the likelihood, in your and in management’s judgment, of that happening?
  3. Ask whether an audit engagement would add value. There is little value in an audit if management is already aware of and working on all the issues.
  4. Identify those risks where there is value in an audit engagement and the risk to objectives is highest should the controls fail. These should be the ones given priority for inclusion in the audit plan.

The selection and prioritization of risks so they can be included in the audit plan is internal audit’s responsibility, with approval after review by the audit committee. Even when there is an enterprise risk management program in place, internal audit should use its judgment about which risks it will audit.

For example, management may assess the likelihood of a failure to bill customers accurately at 5%. But internal audit may have less confidence than management, because significant issues were identified the last time the related controls were audited, and perhaps there have also been significant changes in systems and personnel over the last year. Because it has less confidence than management that the controls will manage the risk as desired, internal audit may decide to adjust the likelihood from 5% to 10%. This in turn raises the (audit-adjusted) risk level and makes it more likely that the area will be included in the audit plan.

Audit planning is more of an art than a science. I will continue the discussion of the audit planning process in my next post.