Is there a mismatch between where internal audit spends its time auditing and the risks that organizations face? Boards/audit committees should constantly re-evaluate whether internal audit is being used effectively to deliver risk-based assurance. The fundamental questions for boards/audit committees are: are we doing the right audits; and are we doing audits right.
In previous articles I have discussed ‘how to do an audit right’ – namely, the importance of data analytics; how to get more value out of compliance audits; and ways to improve the internal audit function’s efficiency and effectiveness. In this article, I encourage you to ask if your current audits will bring the most value to your organization. In other words, is audit addressing critical risks to the organization’s achievement of strategic goals and objectives?
Many organizations have compliance officers, risk officers, and quality assurance and internal control units. Internal audit must be able to work with these areas and still provide independent and value-added assessments and recommendations. What this means for some internal audit functions is a focus on financial statement audits – an area where audit feels comfortable and has less ‘competition’. While financial audits are important aspects of financial risk they are not always the most critical. In an IBM CFO study1 of over 1,200 CFOs and senior finance professionals, 62 percent of enterprises with revenues over US$5 billion encountered material risk events in the last three years. Of those, 42 percent admitted to not being well prepared for it. Further, the most frequently mentioned risks were not financial but strategic risks involving decisions about markets, customers, products, merger and acquisition activity, and other top-line business decisions.
I realize that every organization has a unique set of risks that it must address. I can’t provide examples the will resonate with everyone, so instead I will provide examples that exemplify the power and flexibility of data analytics using ACL to identify and assess non-financial risks. These are taken from audits for which that I provided analytical support. I hope that in reading these, you will be inspired to find better use for analytics, identify the right audits, and improve the value-add of your internal audit function.
Public safety – are we assisting police officers on the street to be safe; and are we adequately supporting the arrest and successful prosecution of criminals?
- The audit looked at trends and correlations regarding training, use of search warrants, single person vs. two-person police cars, walking the beat vs. only patrol cars, and use of automated policing tools. These were compared with both number of arrests and successful prosecutions.
- The recommendations improved office safety and increased the percentage of successful prosecutions.
Armed forces – are army units ready to be sent to combat missions?
- The audit used ACL to examine current status of mandatory and non-mandatory training, the number of available personnel at each rank compared to the required number of personnel, the availability of support trades (e.g. mechanics, chefs, medics), and the availability and status of required equipment (e.g. tanks, personnel carriers, etc.).
- The recommendations addressed the safety of the soldiers, the completeness and readiness of units, and the ability of the units to achieve operational objectives.
Contracting – are we proactively looking for indicators of fraud and ineffective or compromised contracting practices?
- The audit used ACL driven data analysis to look at trends and known fraud indicators in contracting: contracting office/vendor relationships; use of sole source mechanisms; last-bid-wins; etc.
- The audit identified several frauds and made recommendations that provide a proactive oversight of the contracting process.
Emerging risks – are we looking at emerging areas of risk that could impact the organization (e.g. availability of supply)?
- The audit used ACL to calculate supplier trends over six years and identified are where the number of potential suppliers for critical equipment had declined – in some case down to a single supplier.
- The recommendations asked management to look at various options related to ensuring supply including: ceasing production; finding other suppliers; and entering into a multi-year agreement with existing suppliers.
Food safety – are we providing sufficient and effective testing of the food supply system to ensure the public and farmers are protected from unsafe food?
- The audit used ACL to examine the food sampling and laboratory testing procedures to ensure sufficient samples were selected and testing was performed within acceptable time limits. It identified serious control weaknesses that resulted in samples sent to labs not being tested and insufficient number of samples being taken when outbreaks of disease were noted.
- The recommendation included an audit-developed data supported monitoring program; and improved communications and reporting.
You probably don’t have police officers or army personnel in your organization, but do you have the right people, in sufficient quantity, with the right training and tools to accomplish a new project? You might not be concerned with food safety, but is your quality assessment process up to snuff? In short, are you auditing the right things and doing your audit right?
Internal audit is uniquely positioned and has a mandate that goes beyond compliance, financial statements, and control testing. Boards/Audit committees should perform a yearly assessment of the audit function including the adequacy of its identification and assessment of risk and the development of the audit plan (which identified the audits to be performed). Data analysis should play a key role in both the identification and assessment of risk; and the conduct and reporting of audits. Do the right audits; and do them right!
Dave Coderre, CAATS
- IBM Institute for Business Value; Orchestrating risk-adjusted performance management; http://www-935.ibm.com/services/it/gbs/pdf/cfo_portal_orchestrating_risk.pdf