The pace of change has intensified over the past several years, and that change can intensify risk exposures in a business. This means more areas likely need internal audit coverage, often with the same or fewer resources.
As businesses move faster, they implement systems more rapidly, develop and roll out new products or services quicker, and execute organizational changes more swiftly. Add more consultative requests and increased training on new technology to an already busy internal audit plan, and auditors can be overwhelmed.
One way internal audit departments can provide additional risk coverage of new areas is through exploratory audits. These audits enable practitioners to assess risk quickly and give stakeholders timely information when a new product or service is rolled out, if there is an unexpected system implementation or organizational change, or when there is an emerging risk.
Exploring New Areas
An exploratory audit is an initial audit over anything that hasn't been audited previously in the organization or something that is new to the organization. Exploratory audits are smaller in scope than a typical audit, so they can be completed faster to provide critical, timely information to management and the board.
The goal of an exploratory audit is to better understand the objectives, risks, and controls in a new area — even if the controls aren't tested for operating effectiveness. Internal auditors who have a military background can think of exploratory audits as "reconnaissance missions" but with full disclosure to the client of the objective to discover and learn about risk. Exploratory audits can be either broad or specific and targeted.
Benefits and Limitations
Performing an exploratory audit has multiple benefits, including:
- Helping internal audit better understand risk so that future audits are more focused on material risk.
- Helping internal audit assess risk more effectively during its annual assessment process.
- Completing audits faster than traditional audits, while still gaining risk coverage.
- Helping management of the new area understand the audit process, if it has not been through the process previously.
In exploratory audits, auditors do not issue a standard audit report with an opinion and control assurance, but they may provide additional deliverables to management, such as a governance structure, framework analysis, or a gap analysis. These can position internal audit as a partner to management.
Besides these benefits, audit departments should be aware of some limitations of exploratory audits. Because this is a different type of engagement than what audit clients may be familiar with, they could be confused about engagement objectives. Auditors should explain differences between the exploratory audit and a full-scope audit. Early communication on expectations is important to avoid misunderstandings.
Exploratory audits also have smaller budgets, with fewer staff resources and specialists than a traditional audit. Moreover, internal auditors performing these audits will have minimal previous experience in the area, no prior workpapers, and limited documentation.
Additionally, auditors may not perform enough testing to provide an opinion, if audit reports typically contain an opinion. Finally, there may be risks that were not covered nor tested, which could give stakeholders a false sense of assurance.
Exploratory audits can be added to an audit plan when there is advanced knowledge that something new may impact the organization during the next audit period. These audits also can be conducted using unassigned special project time.
Planning for exploratory audits often involves heavier focus on governance and frameworks and less focus on operational best practices or audit testing. Discussing the objectives and limitations with the process owner can help ensure clarity on the final outcome. If these audits are not currently on the plan, early communication with the audit committee can ensure there are clear expectations.
The best initial step to fieldwork is to identify the objectives of the new area being reviewed. Auditors can obtain this information through discussions with management as well as by reviewing project plans, board minutes, or strategic plans. Like a full-scope audit, understanding objectives helps business owners and auditors identify and analyze risk to achieving the objectives. Auditors can then identify corresponding controls to mitigate those risks with clear linkage back to objectives.
Often in exploratory audits, the links among objectives, risks, and controls are not yet fully developed. Construction of this alignment can be another benefit of exploratory audits.
Depending on prior experience and the time available for the audit, the remaining approach can be determined. The highest risk areas are typically known, and the auditor may focus on tests of control design — and possibly effectiveness — for those areas. A broader approach may include tests of design for all identified controls but no tests of operating effectiveness.
Because governance controls are a heavy focus in exploratory audits, internal auditors should ensure there is an adequate governance structure in place to design and execute sound controls. This is especially relevant if the process is still being developed or is new enough that change is anticipated.
It also is helpful to identify any applicable frameworks that may be relevant for the area. For example, when internal audit departments first reviewed enterprise risk management (ERM), they often used The Committee of Sponsoring Organizations of the Treadway Commission's ERM–Integrated Framework as a guiding foundation for the audit. These departments tied existing processes to the ERM framework, or identified gaps, and provided this as a deliverable to the business. This type of approach can be done in almost any area.
Internal auditors should consider the reporting for an exploratory audit. Audit departments that use ratings in reports should consider not rating exploratory audits or developing ratings specific to such audits.
These types of audits should be clearly labeled as exploratory and note the limitations and scope in the report body. The content of the report should provide management and the board with indicators of inherent risk in the area, along with any control gaps or framework disparities that should be addressed as the area or process develops.
A Reference for Future Audits
Exploratory audits can add value to internal audit's understanding of risk in new areas of the business, while providing valuable insight and deliverables to the organization and its board. Internal audit can structure these types of audits to fit its prior experiences and time resources, and leverage them in the future to perform more robust audits in those areas.