I have written extensively over the years of the need to improve the timeliness of internal audit results. Nothing undermines the value of an internal audit more than delivering the results when it is too late for management to correct a problem or too late to avoid further fraud, waste, or mismanagement.
If lengthy untimely audits are one extreme, the other is what I call “drive-by” internal audits. These are so-called internal audits in which either canned internal audit programs or checklists are used to facilitate a quick audit or report. In the financial services and retail industries, branch or store audits are sometimes conducted in this manner.
Don’t get me wrong — drive-by audits can provide important assurance on internal control effectiveness and compliance matters. They also can serve as fraud deterrents. However, their use does not always conform with The IIA’s International Professional Practices Framework, and they rarely provide management in the area subject to audit with real value. I have seen the technique used throughout my career, and I often thought of these engagements as “inspections” rather than true internal audits.
To avoid being guilty of ineffective drive-by auditing, I offer five litmus tests by which you can assess your approach:
1. Is the engagement the result of an annual or ongoing risk assessment process? Drive-by audits often are cyclical. “We are going to audit you this year whether you need it or not.”
2. Is the audit program or engagement plan itself developed based on risk? IIA Standard 2201: Planning Considerations mandates that in planning the engagement, internal auditors must consider significant risks to the activity, its objectives, resources, and operations. Drive-by audits often are conducted from canned audit programs with little consideration given to risks in the specific business unit or activity where the audit is being conducted.
3. Is the same audit program being used at each drive-by location? As indicated above, the audit program should be tailored to the risks of the specific unit. However, there is an even greater risk in using canned programs: Management will quickly ascertain the areas subject to audit and ensure they are ready for the audit. Even if new audit programs are used each year, I have seen instances where management from the first business unit subject to the annual audit cycle signal all of their colleagues subject to subsequent audits on “what the auditors are looking at this year.” Naturally, that undermines the effectiveness of the entire audit process.
4. Does the final audit report offer recommendations or simply provide findings and/or observations? Although rare, some drive-by internal auditors don’t even attempt to develop customized recommendations for corrective actions in response to findings or noncompliance cited in the audit report. The final report is nothing more than a list of transgressions noted. Then the auditor is off to the next location. This is not only a drive-by internal audit; it also would be classified as a “hit and run.”
5. Do the audit process and final report add any value for operating management? Sadly, the answer to this question for drive-by audits is often “no.” The reports often are very clinical, with no indication of management accomplishments, insight on operations, or opportunities for improvement beyond “these things are not in compliance — correct them.”
As with all of my blogs, my views on drive-by auditing are my own personal thoughts and do not constitute official IIA guidance. However, I would encourage any internal auditor who might be conducting canned inspection-type audits to reexamine their approach. Use the five questions above to reengineer your internal audits into more risk-based, client-focused engagements.
As always, I welcome your thoughts on this important topic.