​Prioritizing the Work of a Tiny Audit Department

Comments Views

​I have been a strong advocate for:

  • Building the audit plan so that it focuses on the more significant risks to the organization.
  • Providing a formal opinion on management's processes and controls to manage those risks within organizational criteria.

But what if the audit department is too small — just one or two people — to come even close to that vision?

This is what I think I would do, taking into account what I know some CAEs I respect are already doing in this situation:

  1. Ensure I have a good understanding of the more significant risks and the level of reliance that is being placed on those controls (i.e., inherent risk less residual risk, if you like those terms).
  2. Understand the value I can bring through an audit of those controls. The audit would be as tiny as possible, focusing only on the controls that matter.
  3. Consider whether more value can be delivered through facilitating management's self-assessment of those controls, or by providing consulting services to improve the controls.
  4. Consider where change is happening and risk is being created. Can internal audit provide greater value by serving as a risk and controls consultant in those areas?
  5. Listen to the audit committee to see if they have specific areas of concern.
  6. Listen to management to hear if they desire internal audit services in any particular area. I would resist the temptation to become a special projects person for them.
  7. Develop a proposal and review with the audit committee and then with management (I prefer that order).
  8. Ensure the internal audit charter is consistent with the plan, and change it (the charter) if needed. I would not be afraid of the IIA Standards if the right thing, with audit committee approval, was to go over the line a little (and I mean a little).
  9. Maintain a schedule of potential audits of value, ensuring that management and the audit committee understand the opportunity that would be created if I had additional resources.
  10. Continuously monitor how the plan is going, being ready to change direction if and when needed.

What would you do differently?

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
    • CIA-September-2021-Blog-2
    • Your-Voices-September-2021-Blog-3