News
Working Smart Versus Working Hard in Internal Auditing
16-May-2021
Prepared by: Alaa Abdul Aziz Abu Naba’a
Internal Audit and Corporate Governance Expert
MACC, CIA, CPA, CRMA, CICP
After I started my work in the internal auditing I realized how challenging this profession is (“The profession of troubles” as Dr. Jamal El Shahaat called it). I also realized how augment the resistance of most of the departments being audited can be, due to their unacceptance of the internal audit observations and recommendations, although its objective is to enhance the business. The resistance, however, is due to many reasons, some of which are related to the work environment and the organizations’ culture, some on the other hand are related to the nature of the audit work per se, or to the auditor, but low productivity and weak independence of internal audit are the most prominent reasons for the resistance. There is no doubt that organizations (whether public, private, or not- for- profit) need audit that go beyond the auditing obvious things, but usually they are not willing to provide additional resources to internal audit. By time, I came to understand most of these reasons, and I am doing my best to eliminate them along with their implications.
Despite these challenges, the International Standards for the Professional Practice of Internal Auditing (the Standards) and the other mandatory or non-mandatory components of the International Professional Practices Framework (IPPF), issued by the Institute of Internal Auditors (IIA), emphasize the important of internal auditors’ objectivity and efficiency. Efficiency, which is a managerial term, means with respect to internal auditing, the ability to rationalize the use of the auditor’s energy or resources in order to accomplish the objectives. In this article, I will address a range of recommendations that assist in achieving the level of efficiency expected from internal audit by using the minimum amount of resources and inputs to produce the maximum amount of outputs and desired outcomes.
Recommendations to Improve Efficiency
Away from investments in Audit Management Systems, and the tools of data mining and analytics, which in my opinion yield feasible return on investment, I give the following recommendations that don’t need huge amounts of resources:
I: Within the Internal Audit:
(1) Develop the skills of time management and setting priorities among internal auditors;
(2) Adopt the best solutions of “electronic archiving and management of records;” this will speed up the process of storing and restoring of information and will reduce the risks of manual storage and archiving, moreover, this enables the users of keeping different versions of the records. In this context, audit head should be keen on developing the documentation and indexing skills of auditors, along with their ability to handle software applications and use them to save, restore, manage, and exchange documents;
(3) Apply the “Clean Desk Policy”: based on my personal experience; I can say that there is a positive relation between a clean and tidy desk and productivity, yet the person should also have the desire to accomplish her/his work.
II: During the Audit Planning:
Some people believe that the most important step of the audit process is the implementation, however, experiences and researches proved otherwise. There is a prolonged and complicated process that precedes the implementation phase, it is the planning phase. The planning process is the most important process in auditing. Many studies, as well as leading figures in the management field, indicated that each hour of planning saves four hours of implementation. Planning is not a waste of time, because the internal audit process heavily relies on sound planning that starts at the proper identification of the audit universe, the preparation of a strategic and annual plans based on risks (threats and opportunities), and finally the preparation of detailed audit programs. In this context I give the following recommendations:
(1) Exert more effort in the selection of audit engagements, specially consulting ones, and avoid the prominent risks associated with consulting engagements, because such engagements may negatively impact the level and size of assurances needed by stakeholders of the organization (for example, what happened in Toshiba). However, refraining from providing advisory or consultation services will deprive the organization of the competencies of the internal audit team (knowledge, practical experience, and skills); those skills might not be available within the executive management and the rest of the employees;
(2) Coordinate with external assurance providers (e.g., external auditor) and other internal assurance departments (if any) to avoid what’s known as the “audit fatigue” or “over audit” by various control parties. Audit fatigue or over audit occurs where there is a lack of coordination and cooperation between the various assurance providers - whether dependent or independent (e.g., internal audit, compliance, risk management, safety and security, quality, and others). The lack of cooperation and coordination will double the efforts and will not ensure the provision of the needed coverage that is expected from these various assurance providers. Therefore, the chief audit executive should exchange information and coordinate activities with internal and external bodies that provide assurance services and consultations in order to ensure the needed coverage and to avoid the duplicated efforts. Standard 2050 indicated that the chief audit executive shall undertake these tasks as part of the internal audit plan preparation. Moreover, the implementation guidance to this standard referred to one of the methods that can be used to coordinate the coverage needed for the assurances, that is the Assurance Map, through which a link could be established between the major identified risks and the relevant assurance sources, then an assessment to the available level of assurance for each risk category should be conducted. The comprehensiveness of this map will show any defect or duplication in the assurance coverage works, and will enable the chief executive auditor of evaluating the assurance services within each risk category. A discussion of the results of this assessment with the providers of the assurance services should be made to ensure reaching an agreement between the parties about how to coordinate the activities in order to avoid the duplication of efforts and achieve the maximum efficiency and effectiveness in order to ensure the needed coverage for the work. The same implementation guidance referred to another method to coordinate the coverage needed to the assurance process, which is the use of the Combined Assurance Model. According to the Combined Assurance Model, internal auditors should coordinate the work efforts needed for assurances with the departments that undertake the second line tasks, such as the compliance department, "according to the IIA’s three lines of defense model”, in order to reduce the nature and iteration of the internal audit tasks;
(3) The appropriate formulation of the audit objectives will assist the internal auditors in identifying the needed procedures, and assigning priorities to the procedures with higher risks;
(4) Before determining the primary requirements of the audit engagement, it is preferred to hold a meeting with the department that will be audited. In this meeting the primary requirements should be discussed as well as their relevance to the objectives and the scope of the engagement in case the audited department is not convinced of such matters. These discussions also aim at introducing the department that will be audited to any obstacles in order to handle such obstacles and find the suitable alternative as early as possible.
III. During the Implementation of the Audit Engagement:
In this context I give the following recommendations about the implementation phase of the audit engagements (the civil work):
(1) Focus on the most important objectives and use Pareto principle (80% of the results are achieved through 20% of the effort);
(2) Develop the skills of internal auditors regarding the use of computer software which the audit clients use, and teach them to depend on themselves to collect the data and reports they need during the civil work;
(3) Distribute the audit tasks so that each audit team should have two tasks at the same time (a big and a comprehensive task and another small task), and the work hours should be allocated to these tasks, in order to make the best use of the internal auditors’ time;
(4) Assign audit tasks that consume a lot of the resources of the department to an external advisory party, if possible, after conducting a cost-benefit analysis;
(5) Ask the team to introduce a daily report about the accomplished tasks, this will enhance the self-control of the team;
(6) Reflect on an ongoing basis on the report’s value added, and adopt a very important principle; “the number of audit observations is not an indicator of productivity.” Therefore, the time spent in giving unimportant audit observations should be eliminated specially regarding the observations that were resolved during the audit. Moreover, it’s better to regularly update the engagement manager with the audit observations of the audit team, and he should approve or discard such notes, this will help accomplish the work with the highest level of efficiency.
IV - Reporting the Results of the Audit Engagements:
In the context of reporting the results of the audit engagements, I give the following recommendations:
(1) Combine all the unimportant audit observations under one header: “other audit observations.” This method will save a lot of time that could have been spent in drafting complete audit observations (the pillars of complete audit observations are referred to as 5Cs: Criteria, Condition, Cause, Consequence, and Corrective Action);
(2) Develop the skills of the auditors to enable them of understanding the work and activities they audit, and enhance the analytical skills of auditors to enable them of reaching sound and logical conclusions. Develop the auditors’ discussion and negotiation skills, such skills will be necessary if the employees in the departments being audited are not convinced with the importance of the notes and the relevant recommendations;
(3) Avoid the repetition of the notes made by other internal assurance providers, and just refer to these notes if they are repeated and/or not addressed.
Efficiency, hence not working hard, will be achieved through planning, management of time and resources, control, and monitoring; productivity is not about the amount of effort, it is about efficiency.