By their nature, small internal audit functions face some unique challenges. With limited resources, and a tight budget, these functions are constantly tested to take on critical risks in often-less mature organizations. Too frequently, though, the size of the audit function is perceived as a limiting factor rather than being leveraged as a possible strength.
The truth, The IIA's data often shows, is that certain limitations are more frequently related to audit function maturity rather than size. In other words, there are very small audit functions that are highly mature and effective, and there are very large audit functions that struggle to add value. Here are five common misconceptions about small audit functions with my thoughts on turning these negatives into strategic advantages:
Small audit functions can't have ambitious audit plans. With limited resources comes a limited capacity to perform a large number of audits. Because of this, small audit functions must have a laser focus on the critical risks to the organization including alignment with the areas of focus for your governing body. In the private sector, data shows that smaller audit functions spend more of their audit plan on U.S. Sarbanes-Oxley Act of 2002 work. This could be a limiting factor, or it could be right where you are needed right now to help your organization reach the next level. The point is that the chief audit executive must make the determination, in alignment with the audit committee, of where internal audit resources are the most effective and then align the audit plan accordingly.
Small audit functions can't leverage technology. Small audit functions
must leverage technology. That doesn't mean spending tons of money investing in the latest technology. It's about investing in the technology you already have. For example, your organization may already have enterprise software for something like SharePoint. While it isn't designed as a workpaper management system, it can serve as one if set up correctly.
In my experience, it's worth pulling back on audits in the plan to accommodate the right level of investment in developing innovative ways to leverage what is available. The key is to define what you want to achieve with technology, develop a plan for how to get there, and invest the time and resources to do it right.
The final step is to make it part of your new "normal" to avoid the "one and done" scenario that too often happens with technology investment. So many data analytics software implementations fail not because of software or other technical limitations, but because the audit department lacked the imagination and discipline to use them effectively.
Small audit functions can't be innovative. In The IIA's 2018 North American Pulse of Internal Audit survey, small audit functions were likely to say they can't be innovative due to a lack of resources. I don't agree. Small audit functions must be innovative. The real limitations to innovation are moving forward without taking the time to stop and think, not challenging your own status quo, and not thinking creatively about becoming more efficient and effective.
Innovation is more about a state of mind than anything else. You just have to carve out the time to get there. How about adding some hours on the audit plan for "strategy and innovation"?
Small audit functions can't be a trusted advisor. Small audit functions that align their efforts with management and board priorities will become indispensable. This can be as simple as documenting your alignment as part of your audit plan. Your stakeholders will only know if you are in alignment if you are clear and direct in messaging it to them. Developing a communication strategy that understands your audience and speaks to their needs is critical.
Additionally, if we assume that many small audit functions are sitting in smaller organizations with limited resources across the organization, it is likely that leaders won't have access to consultants or dedicated process improvement personnel in the organization. This results in more opportunity for internal audit to fulfill those roles.
Small audit functions can't conform to standards. Having led both small- and medium-size audit functions, this is baloney. It's never about whether you can conform with The IIA's
International Standards for the Professional Practice of Internal Auditing, it's about whether it is a priority for you. The
Standards set forth the minimum requirements necessary to perform internal audit work effectively. If you are not in conformance with the
Standards, what are you doing? Ask yourself, can stakeholders have the same level of confidence in your work as an audit function that is following the
Standards? The simple answer is "no."
I'd be remiss if I didn't acknowledge that the most common source of nonconformance reported, particularly for small audit functions, is the ability to meet the five-year requirement for an
external quality assessment. Find a way. Lay out a business case for the audit committee (instead of simply asking for money), find others like you and build a peer review network, or complete a self-assessment and obtain independent validation. It is incredibly hypocritical to do what we do as an internal audit function and not have ourselves evaluated at least once every five years.
Small internal audit functions are the bread and butter of the profession. Many add extraordinary value to their organizations. Don't allow yours to get caught up in these common misconceptions.
That's my point of view, I'd be happy to hear yours. For a great tool to help you measure and raise the maturity of your internal audit function, check out the
Internal Audit Ambition Model from IIA–Netherlands.