Following on the post about a strategic plan for internal audit, I believe that the CAE and her management team should periodically perform a self-examination to ensure every activity is value add.
Why do I say that? It's like asking the doctor to undergo routine health checks.
We get comfortable with our processes. We continue to do the same thing, adhere to the same principles — what we consider to be best practices.
Would we accept our auditees answering the question, "Why do you do that?" with "Because we always do it that way; because that's the way the surveys say is best practice"? Of course not.
So let's tackle two assumptions and test their validity: whether the related activities always add value.
First, let's define "adding value." The only value is to the organization: assurance and consulting services that the board and management would willingly pay for.
Now to the assumptions:
The audit plan should address all the more significant risks to the business.
On the surface, this makes sense. But let's look a little deeper.
What if you had audited the same high-risk area six years in a row and found the controls reliable? What if there were no indicators of issues, no turnover of key management or staff? What if there had been no change in systems, no change of significance in the volume of business, type of transactions, etc.?
Perhaps we can agree that a seventh audit would not add much value.
What about adding a project that the audit committee or senior manager has asked for, but the risk assessment shows is a lower risk level than others? I think we would normally try to include it, on the principle that our customers see value in it. I would take that approach as well, unless resources were limited and another project would clearly add more value.
Audit documentation is important and must be completed to standards.
Where is the value in audit documentation? When is the last time internal audit was sued?
I believe there is value in most cases, but the level of documentation and the time spent on it should be based on the level of value.
Is the level of audit documentation in your department consistent with its value? Can you safely reduce the time spent, freeing up time for value-add activities?
I see value from:
Enabling manager review of the work performed, as a quality assurance practice. However, only do as much as is needed to demonstrate the scope was covered, the objectives achieved, and the findings and conclusions are appropriate. If management agrees with the findings, you don't have to prove them.
Complying with regulator or examiner requirements. In some industries, the work of internal audit will be reviewed by an external examiner. For those audit projects subject to such a review (not always every project), the level of documentation should comply with applicable requirements.
Enabling external auditor reliance on internal audit work. However, be sure that you are obtaining at least as much of a reduction in external auditor fees as you are spending in additional documentation time.
Supporting the next audit of the area. However, be aware that few audits are repeated and that processes and controls may change by the next time this area is audited.
Does everything you do add value to the organization, contributing to assurance and improvement of governance, risk management, and related controls? What can be cut back or out, freeing up time for activities that add more value?
When is the last time your internal audit department had a health check?
PS — a QAR does not typically address this area. Don't rely on having passed the QAR as evidence that your internal audit department is efficient.