How do you define a small audit function?
Watts: Typically, small audit functions have fewer than six auditors, limited or no use of technology — such as a GRC tool or data analytics technology — and no full-time or limited specialty skills.
Kastenschmidt: While head count is one indicator, a small audit function is more accurately defined relative to the size of its mission. A function is “small” for its organization if it struggles with its ability to identify and adequately address relevant risks. In my mind, the audit function includes all of the resources controlled by the CAE, including both internal staff and external resources.
In light of their size, what are the biggest risks small audit functions face in providing adequate coverage/service to their stakeholders?
Kastenschmidt: The biggest risks include:
- Developing audit plans that reflect the internal audit team’s capabilities rather than the organization’s business risks.
- Unintentionally providing a false sense of security by under-auditing relative to the level of comfort that the audit function communicates to stakeholders.
- Failing to clearly articulate the intended role of internal audit within the organization, thus diluting audit’s impact by trying to meet undefined — and often conflicting — stakeholder expectations with very limited resources.
Watts: Usually three areas pose the greatest challenge to small internal audit functions. The first area is footprint or capacity. Getting risk coverage with limited resources can create gaps in risk mitigation, or an inability to handle all key risks. There is only so much bandwidth to cover all needs.
The second area is skills and experience. To meet the ever-changing risk landscape, internal auditors must keep their skills and expertise current with training and knowledge of industry best practices. This is not easy to do with limited resources.
Third is being relevant in the organization. Many times, internal auditors are not viewed as having the strategic-thinking ability necessary to be included in key management decisions. As such, internal audit is not included in strategic or major initiative discussions, and often it is relegated to a back-office position.
How can small audit functions use their limited staff resources to be more effective?
Watts: The internal audit function needs to work closely with senior management and the audit committee to ensure its mandate is aligned with the organization’s strategy and objectives. Small internal audit functions need to think about how others in the organization can help mitigate risk. For example, the internal audit function should spend time educating process and compliance people in risk identification and mitigation to help fortify risk management. This will help alleviate the pressure on the internal audit function being the last and only line of defense. By helping to spread the risk management burden across the organization, internal audit can balance its resources and skills to higher risks and more value-added risk-focused areas.
Kastenschmidt: Internal audit needs to work collaboratively within the organization. Audit doesn’t need to execute the work for it to be valuable to the risk management objectives of an organization. Rather, it needs to understand the various risk management activities happening within the organization and paint a complete picture for stakeholders of how those various efforts work together to adequately manage and monitor risk.
The small internal audit function also needs to spend sufficient time on the risk assessment to ensure it is auditing the right areas, and then spend considerable time up front defining the scope and approach of the audit itself. It is far better to have a well-planned audit for which the expectations are clear than to prematurely charge into an area only to discover that success hadn’t been defined and thus can’t be achieved.
How can small functions use technology cost effectively?
Kastenschmidt: Small audit functions should select tools appropriate for the size and skill of the environment and be purposeful in integrating their capabilities into the risk management approach. Consistently maximizing the use of a less powerful tool is far superior to constantly struggling with unneeded functionality of unnecessarily robust technology.
The auditors should not become frustrated midway through the technology journey — becoming proficient in tool usage is time-consuming. Too many small audit departments stop short of fully integrating a tool into their delivery approach and thus incur much of the cost but realize little of the sustainable benefit associated with a technology investment. Small internal audit functions should move forward only with those technology initiatives that they are committed to sustainably transforming their approach. Audit functions should stay away from those that have a high likelihood of becoming a hobby versus a mission.
Watts: While automated workpaper solutions and data analysis tools can help improve the efficiency and effectiveness of any size internal audit function, the use of technology should be considered in line with the audit function’s goals and plans. Internal auditors need to look for ways to align technology where they lack skills and experience, but without jeopardizing risk management at the organization. Technology cannot do the thinking for internal audit.
What role does communication play in the success of the small audit function?
Watts: Communication to and aligning with all stakeholders is very important. This begins with the organization’s vision and strategic objectives and should flow down to each audit professional. This is the way to ensure that even the smallest audit function stays relevant and valued by the organization. The audit function should proactively initiate risk management updates throughout the organization and follow up to ensure all are doing their share in defending against risk.
Kastenschmidt: Without a clear understanding of why an audit is being conducted, what was discovered, how those observations could impact the business, and what choices management has to address them, an audit is of limited value. Even if tremendous audit work was conducted, if it doesn’t have an impact on its intended audience, it was a failure. Auditors should be among the most refined communicators in the entity.
What are some other best practices small audit functions can reasonably adopt?
Kastenschmidt: The internal auditors should actively network with industry peers to learn and apply leading practices more quickly. They should actively network within the organization to raise the profile of internal audit, identify potential subject matter experts to integrate into future audits, and stay abreast of changing risks in the organization that may warrant changes to the existing audit plan.
Watts: Auditors in these small functions should become involved with The IIA. Not only are The Institute’s professional standards and practice advisories among many resources offered, local chapter meetings offer a great way to connect with other internal audit professionals and gain valuable education.
In addition, small audit functions should leverage continuous control monitoring, use data analytics, lean on business for experts such as guest auditors, and use business partners to supplement specialization.