How important is completing the audit plan? For many audit departments, it is a key performance measurement used to determine the department’s effectiveness. But wait, I thought the goal of internal audit was to evaluate the operating environment to provide stakeholders with “reasonable assurance” that risk are identified and mitigated to an acceptable level. So can this reasonable assurance be provided outside of an audit engagement? I think so.
Years ago, I worked for a man with great soft and negotiation skills. He visited clients regularly and genuinely inquired about their department’s health. Many of the responses to his inquiries were quite amazing. The conversations that occurred were open and honest, you know the type of conversations auditors would love to have with clients.
For example, we visited one client responsible for Treasury operations (i.e. wire transfers, investments). When asking about the health of his department, the client indicated that we did not want to audit him right now because his process were a mess. We were not visiting to announce an audit, although the area was being considering for inclusion in the following years plan. His response, however, did invoke another conversation altogether.
The client indicated that the company’s growth not only increased the volume of transactions his unit needed to process, but it also required his department to take on more responsibilities. He nor his staff knew how to manage some of the investment products, he was not sure if his daily cash position included all of the organizations cash, and he was not sure if cash/investments numbers were accurate.
We offered the client our consultative services. The client and audit worked collaboratively to strengthen the control environment and improve processes. The project was a success to all involved.
In another example, we visited another client and again inquired about a specific process. The area ranked high on the risk assessment and was, at that point, definitely going to be included in the audit plan. This particular client expressed concern about the process, but wanted to “clean it up” themselves. We agreed not to put it on the audit plan as an “audit”, however, we were included in the project sort of as a silent partner. We attended project planning and update meetings and were aware of the general health of project throughout its life. We would interject occasionally when appropriate, but otherwise the department managed its process improvement initiative. The project was a huge success. In this instance, the announcement of a potential audit served as call to action, so to speak.
In both of these examples, processes were improved, controls were strengthened and the auditors were able to provide stakeholders with reasonable assurance that these process were operating effectively and efficiently. And we never did an “audit”. But isn’t this the goal of internal audit anyway (i.e. evaluate and improve processes)? According to the Institute of Internal Auditing, the definition of internal auditing is:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
What this long winded definition boils down to is that internal auditors are here to help improve processes and controls while providing stakeholders with some comfort that process and controls are effective. This can be accomplished through audits or consulting activities. The auditing part is easy, the consulting comes with truly partnering and communicating with your clients. I have found that sometimes simply “considering” an area for audit results in a massive client initiated cleanup. Which is great because it achieves the ultimate goal.
Two things can happen that preclude performing audits when you are genuine with your clients:
You become the invited consultant
In the examples above, there was trust and honest dialog with clients. The result was a partnership designed to improve operations.
You become the control review catalyst
In one of the examples above, the announcement of a potential audit caused a client to take a critical look at their processes with very little external assistance. Again, this improved operations.
In these examples, I am not stating that traditional internal audits are not valuable. However, there are multiple ways to partner with clients to improve the overall environment.
Photo credit © Hanzl49 | Dreamstime Stock Photos & Stock Free Images
This can be possible if the client (department) is transparent enough to admit that there are problems.
I agree. That means we need to attempt to create and cultivate relationships where clients feel comfortable having open conversations. We may not always be able to do this.
I agree with you Robert. We need to keep in mind the end goal which is assurance and improvement and audits are just one of the means to achieve this. I too have similar stories about how this was achieved without a formal audit. Completing an audit is not the end goal/objective. What you have said and shown in action is very important especially when constrained by a lack of resources. When I was the only auditor in one place I worked, alot of my time was spent visiting our sites and talking to staff at all levels of the organiosation and being an immediately available “business improvement/risk/control consultant” to discuss issues straight away often without any formal “audit work” being performed. This as per your examples produced the desireed objectives and results and gave a greater coverage than just performing traditional audits.
Very good thoughts, Robert. It does become difficult at times, particularly when a client/customer/auditee has a pre-existing negative opinion about auditors. But I have seen similar situations to the cases you described in several of the audit shops I’ve been in. Like your examples, we have come in to do some preliminary reviews as part of the planning process fro a high risk area. Based on what we find and our discussions with management, we may participate in a process improvement effort, or we may continue the review as an advisory engagement rather than an audit, or in some cases we simply defer the audit for a few quarters or a year while tracking their process changes.
I’m not sure if I can agree that it’s a more valuable activity — I think a good audit is one of the best ways to identify gaps and weaknesses in a process — but it is certainly less stressful on all concerned, and that might be the value proposition that sells best of all.
Richard, good insight as always. Thank you for comments.
Very well done! It is always interesting to point out that the definition of internal auditing does not say we perform audits!
Absolutely. I think we sometimes get so buried in the key performance indicators that we miss out on the risks and the true purpose of internal audit. Which also makes me believe we need to revamp the way we measure the effectiveness of the audit function.