As an assessor, at the most basic level I look at the company's Internal Audit Activity and evaluate its conformance with the IIA Standards. Beyond basic compliance, I also look at areas of success and areas where performance could be enhanced. Going above and beyond basic compliance sets companies up for future success (and strengthens your foothold in the auditing world, setting you up for strong relationships within your organization).
Over the next five weeks, I will be discussing my process as an assessor, which I call “The 5 P’s of QARs: Planning, Performance, People, Processes, and Procedures.” This week’s blog will focus on the first P: Planning.
The First P: Planning
There are three top observations that are noteworthy for optimizing your organization's success: incorporating risk analysis into the annual planning efforts, carrying the results of the annual planning into the engagement planning efforts, and recognizing that engagement planning often does not include all of the required elements. All of these observations, of course, come with common pitfalls I have noticed within organizations.
While management expects that the Internal Audit Activity (IAA) will execute its annual plan and will continue to operate at a level consistent with “best in class,” this raises the question: how do you create a plan that ensures operations are best in class?
Incorporating risk analysis into the annual planning efforts
Priorities of the IAA
First and foremost, the annual plan needs to be risk based in order to determine the priorities of the IAA. While this aspect may seem straightforward, it is frequently missed, and the plan is often last year's plan with a few tweaks.
Senior Management and Key Stakeholders
The input of senior management and key stakeholders must also be considered in the risk assessment process; however, this input is often gathered in a vacuum, without any feedback from others.
Chief Audit Executive
In response to changes in the organization's business, risks, operations, programs, systems, and controls, the CAE reviews and adjusts the plan as necessary. Often, however, the plan is never looked at again. In today's ever-changing world, especially now amidst a pandemic, this is unrealistic.
Requirement of Annual Assessments
The IAA's plan must be based on a documented risk assessment undertaken at least annually. These assessments are often not documented or not conducted annually, with some performed only every three years.
Hours Spent on IT
I often see a great annual plan with associated risks; however, when I look at the audit plan in detail, it is simply the number of FTEs multiplied by a utilization percentage, it looks like the previous plan, and less than 10% of the hours are spent on IT.
Incorporating the results of the annual planning into the engagement planning efforts
So many times there is a great risk-based annual plan, but when looking at the engagement plan, the link between the two is missing. The teams are unaware of the risks and concerns that were identified by the key stakeholders, all because of a common problem: engagement planning done in a vacuum.
Because the Plan Said So
Too many times I hear that an engagement is being conducted simply because it is on the annual plan, but it is important to consider these questions: Why is it on the plan? What are the risks associated with the area you are looking at? Remember, a concern that existed 10 months ago may no longer be present, and a new risk may have emerged. By hyper-focusing on the past, you may miss present risks.
Engagement planning does not include all the required elements
Missing Documented Plans
Too frequently, documented plans for each engagement are missing. There is an audit program and results of testing, but the initial plan to demonstrate that all relevant areas are covered is absent.
The relevant risks to the engagement need to be identified. These, too, are often not documented and not tied to the engagement program steps.
You’re Out of Your Element
Often, one or more of the required elements of a documented engagement plan, namely scope, timing, and resource allocations, are missing. To give a full picture, each is important in its own right.
Scope is what is included, and more importantly, what is excluded and why.
Timing is key: if a major change is underway in the organization, it may be better to wait for the changes to be established before performing the review. Considerations around system changes or upgrades are often ignored.
Resource allocations, which are often missing, assess whether or not you have the right skill sets and experience to perform the review. If every review is allocated 200 hours, I am not always convinced that the allocations have actually been evaluated.
Key Takeaway: It is all about doing and documenting what you SHOULD and not what you CAN.