Reinventing the wheel, recreating every audit process, objective, and control? Best practices for reusing your stuff!

In internal audit departments today, the need for greater efficiency reigns supreme. So much so, in fact, that audit teams are constantly fighting the battle to hit audit plan targets, meet deadlines, and stay within budget. While these are all important objectives in the grand scheme of things, finding additional time to hit Director-level targets is only part of the battle. Understanding the logic that drives decisions relating to WHAT to audit is critical. Risk-based auditing is becoming a more widely adopted principle as best practice for Risk Assessments. However, for better or for worse, repetition and historical patterns are still present in today’s audit plans.

As repetitive as it may be, audit coverage and risk mitigation can often still be (and sometimes must be) cyclical in nature. “We audited this location/region/process last year and my audit plan is telling me to go audit this same thing again,” says Mr. or Ms. Audit Director. If this is the case, what can we do to eliminate arduous administration and manual work around tasks that should be well defined and automated?

Perhaps there is a new efficiency model here, involving a decrease in planning and fieldwork with historical audit projects, while at the same time leveraging our risk-based audit plan. This frees up time to target new processes and functions that may warrant more coverage and resonate better with executives.

Let us explore where we can stop reinventing the wheel and utilize technology to standardize best practices.


A template for success

Audit programs come in many different shapes and sizes, based on how technology shapes the format and how team members interact with the data. Many times these audit files are stored in a pre-determined folder system and then stacked on top of each other. The end result: integrity issues and multiple versions that represent different truths. If we submit to the notion that multiple versions and edits can increase the risk of poor-quality working papers, then there has to be a better answer.

A common convention must be followed by the entire team to ensure standard practices are upheld. This represents the top level of audit files, broken into Planning, Fieldwork, Results, Reviews, Issues and Follow-up, to name a few variations. Underneath—at the Process, Objective and Procedure/Control level—is where modifications tend to cause problems with integrity and version control.

One of the great advantages of using an audit management system like ACL GRC is that the software allows for protected storage of Standard Audit Templates that reflect the master copy of that financial or operational process. This flows the previously identified Process, Risks and Control data into the latest and most effective template for the team. ACL GRC simplifies the next step by performing a “rollforward” to activate a copy of that template. In fact, anytime an audit is closed and stored in the Library, ACL GRC immediately provides the opportunity to create a template off that version.

Segregate access


Now that we have a system in place for creating a template, let’s ensure that this content is adequately protected. Access to the location where these programs are stored should be appropriately restricted. This is easily achieved in ACL GRC, where the Library is restricted to Administrators who own the rights to those audit programs and the ability to roll forward to the appropriate resources for that engagement. Further segregation can be determined by tagging these Templates by entity, department, location or key initiative. With those mechanisms in place, it becomes even easier to ensure valuable audit content and working papers are not being viewed and accessed by non-essential staff.

Clone away

Having standard business processes (P2P, O2C, PCARD, T&E, GL) in template form now gives us an entire library of Risks and Controls linked to those processes. In the case where a location audit is being performed and multiple processes are being reviewed, it would be helpful to have instant drag and drop capability for sharing those risks and controls.

“I have some controls around the processing of POs in my P2P cycle and it would be great if I can point and click share those controls over to a similar audit being performed at a different location!” Cutting and pasting can be a big pain. Period. With ACL GRC, users can perform a simple CLONE to send common processes, risks and controls of one active audit over to another.

Small wins go a long way

In closing, these small changes to audit content management and organization can create measurable results. By locking down and creating a disciplined approach, you may find added time to pursue enterprise-level opportunities and strategy.

What would a 10-25% increase in audit efficiency do for your department?


(Source: ACL Blog)

Friday, August 1, 2014
