by Norman D. Marks, CPA, CRMA

Earlier blogs addressed “What Should Auditors Audit?”, “The Risks to Include in the Audit Plan”, and “The Effective Audit Engagement”. We identified the risks that matter, the ones that we’ll include in the risk universe, and prioritized them. We established what I called in the last post the “risks where there is value in an audit engagement and the risk to objectives is highest should the controls fail.”

Now we have to decide what work is appropriate for each risk.

First, Decide Between an Assurance Engagement and a Consulting Engagement

There are two basic types of audit engagement. The first is the traditional ‘audit’, where the objective is to assess whether the controls over the risk provide reasonable assurance that it’s managed at acceptable levels. This is an assurance engagement.

Note that these days, the objective of the modern audit is to provide assurance over the management of the risk, not just that the controls are designed and operating as intended. We’re moving from “controls assurance” to “risk assurance.” This is a very important distinction. Controls exist to manage risk to objectives, so assurance on controls without reference to the risks they are relied upon to address is of limited value.

The other type of audit engagement is a consulting or advisory engagement. In contrast to the assurance engagement, a consulting engagement is intended to assist management in developing and maintaining efficient and effective governance, risk, and control processes. The customer for a consulting engagement is usually management; the customer for an assurance engagement is generally the audit committee and executive management.

In its 2006 Position Paper on Organizational Governance, the IIA included useful insights on when internal audit might consider performing a consulting instead of an assurance engagement. What they suggested was that when the process is relatively immature, an assurance engagement has less value. Management probably knows that there’s room for improvement – our value is when we can help them make those improvements in the management of risk.

Second, Decide How to Perform the Assurance Engagements

So, when I develop an audit plan, one of the first things I do is determine whether I want to perform an assurance or consulting engagement for each risk.

Then I have to determine how I will perform the assurance engagements. I know the objective: to provide a professional assessment of the adequacy of controls in managing the risk. But what is the scope of work I will perform?

For example, if the controls relied upon to manage the risk are predominantly at the corporate HQ, that is where I might focus the audit.

But, if this is a risk where I’m relying on controls that operate within business units across the globe, I have to decide whether to audit related controls at a selection of those business units and, if so, which ones.

As an example, when I was CAE at Solectron, one of our most significant risks was that we would fail to acquire the quality materials we needed in our manufacturing and assembly operations at the best price.

  • Our operating margins were very thin and a failure to manage this risk could result in the failure to achieve desired operating results.
  • We relied upon controls at each site. Although a corporate procurement function negotiated global contracts for many of the more critical parts, in practice each business location made its own procurement decisions. Often, they were able to negotiate a better price with a local authorized reseller.
  • I decided to put together a ‘dream team’ that would visit our major sites in Malaysia, China, the US, and France. This would enable them to not only assess management of procurement risk but spread best practices from one site to another.

On another occasion, I decided that my teams based in Paris, Singapore, and the US would all assess the controls over sales contracting risks at approximately the same time. They reviewed how these risks were managed in their locations and came together by phone to compare notes.

It’s Critical to Perform Several Audits Focused on the Correct Risks

Many risks are managed by a combination of controls that include automated controls which, in turn, rely on IT general controls. I take this into consideration as well. My typical audit plan will include separate audits of the business and the IT-related processes, making sure I include in the scope of my IT audits the applications I rely upon to manage business risks.

As the CAE of global corporations, I had to consider what risks to include in audits performed at business units around the world. I made sure that the audits we performed at each location were focused on the risks that mattered to the company as a whole rather than risks that were local in significance. I would take the risks that matter and determine, for each location, which would be included within the scope of that audit.

For example, I might have an audit in Malaysia look at risks related to manufacturing quality, logistics costs, and FCPA compliance. The audit in France might also focus on logistics and quality, but include personnel-related issues.

The goal was to obtain sufficient evidence from these various audits to provide an assessment of how well the risks that mattered were being managed.

A large part of my audit plan is always focused on consulting activities.

The risk is almost always greatest when there is change. I believe strongly that the greatest value we can provide is assurance that the risks of today and tomorrow will be managed through effective controls and security. Looking at the past provides hindsight. Helping management ensure that new systems, processes, and ventures will be managed effectively is helping them protect and create value for our stakeholders.

So whenever there is a major new technology project, you are likely to find a team of my auditors.

What’s Next?

So, let’s go back to our steps to follow for an effective audit plan. We now have a list of audit engagements we would like to do.

But there are two more essential aspects of audit planning.

  • The first is recognizing that no internal audit department has the resources to do everything. So, after prioritizing the list of audits, I then compare it to the resources I have available. How much can I do with the current budget and resources? How much could I do if I add incremental budget? I discuss both questions with management and then the audit committee.

I also have to decide whether I need to supplement my staff with external sources, i.e., from a co-sourcing partner. If so, that may affect the budget and limit the work I can perform. It’s not that I won’t perform an audit where I don’t have the skills and experience on staff. No. If the audit is of a high risk area it still needs to get done. It’s that I probably have to pay more to obtain that specialized resource and that will limit the resources available.

  • The other remaining issue is that my list of risks is a list of today’s risks. Ours is a dynamic world and risks change all the time. I need to develop a method to identify changes in risks (both new risks and changes in previously-identified risks) and modify the plan.

I no longer have an annual audit plan. I believe that concept is or should be obsolete. It leads you to audit what used to be a risk that mattered and can prevent you from auditing a risk that matters now or in the very near future.

Instead, I have a rolling, three-month audit plan. It identifies the projects I fully expect to do in the next three months together with a list of the projects that I will select from after that. (There are exceptions where it’s necessary to lock down dates further out and I’m certain the risk will remain high.)