I have been a strong advocate for:
- Building the audit plan so that it focuses on the more significant risks to the organization.
- Providing a formal opinion on management's processes and controls to manage those risks within organizational criteria.
But what if the audit department is too small — just one or two people — to come even close to that vision?
This is what I think I would do, taking into account what I know some CAEs I respect are already doing in this situation:
- Ensure I have a good understanding of the more significant risks and the level of reliance that is being placed on the controls over them (i.e., inherent risk less residual risk, if you like those terms).
- Understand the value I can bring through an audit of those controls. The audit would be as tiny as possible, focusing only on the controls that matter.
- Consider whether more value can be delivered through facilitating management's self-assessment of those controls, or by providing consulting services to improve the controls.
- Consider where change is happening and risk is being created. Can internal audit provide greater value by serving as a risk and controls consultant in those areas?
- Listen to the audit committee to see if they have specific areas of concern.
- Listen to management to hear if they desire internal audit services in any particular area. I would resist the temptation to become a special projects person for them.
- Develop a proposal and review it with the audit committee and then with management (I prefer that order).
- Ensure the internal audit charter is consistent with the plan, and change it (the charter) if needed. I would not be afraid of the IIA Standards if the right thing, with audit committee approval, was to go over the line a little (and I mean a little).
- Maintain a schedule of potential audits of value, ensuring that management and the audit committee understand the opportunity that would be created if I had additional resources.
- Continuously monitor how the plan is going, being ready to change direction if and when needed.
What would you do differently?