Source: LinkedIn. Author: Tom O’Reilly
October. For most people, this month brings to mind things like pumpkins, apple picking, cider donuts, and candy corn. Magazine covers feature images of hearty fall recipes, microbreweries roll out their spin on pumpkin-spiced beer, and many make additional trips to Starbucks for pumpkin lattes and scones (or is that just my wife and me?).
For CAEs, the focus is a bit different. While we still may frequent Starbucks, October also brings serious thoughts, considerations, and actions to developing the next year’s audit plan.
Simply put, the internal audit plan communicates and highlights what projects and audits the internal audit department will work on and complete in the upcoming year. According to the IIA’s Practice Advisory 2010 – Linking the Audit Plan to Risks and Exposures, the CAE must establish a risk-based plan to determine the priorities of internal audit activity, consistent with the organization’s goals. In addition to increasing the value provided by internal audit, aligning the internal audit plan to the organization’s goals and objectives proves internal audit’s relevancy and justifies the resources allocated to it.
So if internal audit’s projects are supposed to be aligned with the organization’s goals, why is it that Protiviti’s Knowledge Leader, a repository for audit documentation and information, states that the most commonly sought out audit program topics in 2014 were Procurement, Accounts Payables, Payroll, Inventory and Construction Contracts? Is it because four of these processes are common Finance processes that internal audit has tested from the beginning of time? Or do these processes truly represent the major objectives of many organizations?
One reason many CAEs continue to audit routine processes may stem from the fact that their audit plan may not be driven from a traditional internal audit risk assessment. Perhaps these CAEs are fulfilling multiple management requests, or their lack of experience performing a risk assessment leads them to suggest projects they are comfortable performing.
If their reasoning is the latter, let’s put this bad practice to bed. By using the following six steps, CAEs should be able to propose internal audit projects to be completed in 2016 that are more aligned with the organization’s strategies, goals, and objectives, and remain relevant in the eyes of their management team and audit committee.
A CAE should first start with their organization’s goals and objectives. If these are not publicly communicated within the organization, you should be able to find them in strategy documents or reports for the board of directors or executive management.
Why is this important? If you do not start with organizational strategies and goals as the foundation, you run the risk of proposing irrelevant projects and not providing insight management will truly care about. Hopefully most CAEs find that asking the standard internal audit question “what could go wrong?” of someone responsible for the strategic goals and objectives of your organization immediately identifies new audit projects that may not have been considered.
For example, regardless of industry, one could wager that your organization’s goals and objectives include increasing revenues, innovating new products, and taking care of your employees.
Imagine for a moment if this were the only input for the risk assessment. A CAE would be stuck with having to propose audits of the sales process, research and development or new product development, talent and leadership development, and employee engagement. Do you think identifying improvement opportunities or providing assurance over any of these processes would be more insightful to management and the audit committee? I do too!
Contrary to popular belief, senior executives should not be the first individuals you seek to interview when performing a risk assessment. Consider starting with Senior Manager or Director level employees.
When you do meet with these mid-level managers, you should be asking how their roles and responsibilities help the organization achieve its goals and objectives, and to obtain an understanding of how they are spending most of their time. Have they increased headcount or resources, and if so why? If it is because of attrition, that’s one thing. However, other reasons may also include starting new projects, or a new need for specialized knowledge. These reasons may quickly identify a key initiative of senior management that could benefit from independent insight and assurance.
But tread carefully! Some interviewees may attempt to identify projects or responsibilities that are important to the organization, but are not their responsibility. The astute CAE will realize this business manager may be attempting to keep internal audit out of their backyard, and will keep the focus on the interviewee’s responsibilities, not their neighbours’.
After scheduling and holding interviews with senior managers and directors from all of the major departments, it is time to transform the collected data into usable information.
The first way to do this is by bucketing risk information by risk categories or themes. For example, many interviewees may mention that they may not be able to achieve their goals and objectives if a natural disaster were to occur, a key system or application were to become unavailable, or if critical team members were to leave the organization. These risks can be categorized as a business continuity risk.
Then, after creating a theme or risk category, you can further summarize the responses and information collected for this risk into a two or three sentence description. Since you have not defined and shared likelihood or impact scores, keeping your risk summaries with qualitative information for now is the best approach.
While there is a school of thought that the business manager is the best person to determine the likelihood and impact of their identified risk, doing so requires additional time for creating a scorecard, explaining the risk assessment criteria, and then double-checking that the interviewee applied your instructions correctly.
Based on your understanding of the business, and the organization’s financial and operating results, the CAE should be able to informally assess likelihood and impact. Since this is something you will be vetting later on, don’t worry about ensuring it is 100% correct. Use your best judgment. And while I recommend the assessment be informal, I also recommend it be documented.
To make sure you don’t miss any big ticket items, it’s a good idea to re-review your reading materials to make sure current and emerging risk topics are reflected in your analysis. Start with your industry trade journals, periodicals, and blogs (I’d start with this one and this one), and end with major news publications like the Wall Street Journal and Financial Times. Mix in some thought leadership from internal audit service providers for relevancy, and your bases should be covered.
And don’t forget your friends (all of your friends are internal auditors, right?)! Do you know the CAEs of your organization’s competitors? If not, why? Most successful CAEs are successful because they can build relationships both internal and external to their company. In my experience, competitor CAEs are usually as open as they can be, and have great stories to share on risks to your industry that you may never have considered. And it is tough to find more relevant examples of “what could go wrong” than those from similar organizations that are experiencing, or have experienced, them.
If this isn’t enough external data to include in your risk assessment, you can also read this post for some more ideas.
Once you get to this point, your heavy lifting is done. Now all you need to do is to share all of your work with those that know your company the best and have them validate all of your hard work and efforts. And by validate, I mean question your results, change responses, and perhaps even roll their eyes at the information you’ve shared.
But guess what, not only is this ok, it is exactly what is supposed to happen! Your executive management team should be the ones that can best articulate the biggest risks of your organization. And you’ve served them well by providing plenty of information and feedback for them to comment on and consider, as opposed to starting the risk assessment process by interviewing them.
Once you have the key senior executives in a room talking about what they deem to be the highest risk areas of the organization, developing your future internal audit plan should be one of the easier tasks you complete. While there may be valid reasons an executive may push back on a proposed project that aligns to their self-assessed key risks, most would find it difficult to permanently push back on the audit after they, along with their peers, deemed the risk key.
After the proposed audit plan is finalized, be sure to summarize the justification of why each project is on the audit plan for the Audit Committee. If you prove to the Audit Committee that you’ve done your homework, there should be little reason, if any, your entire audit plan is not accepted. And when this happens, hopefully you’ll grab a well-deserved pumpkin-spiced beer to celebrate and look forward to a great 2016.