Auditing Known or Suspected Issues

In the last two chapters I have explored issues around the role of internal audit and also the risk factors that should be considered when developing the audit plan (and specifically whether to focus on gross or net risks). In addition, there is an assurance perspective to consider. Here are the reflections of an experienced senior audit manager:

“If it’s transparent that the right people are making the right decisions on a problem area and there’s an action plan with a clear target date, what value are you going to add by doing an audit? They know it’s a problem!”

One CAE commented:

“If everybody acknowledges there are issues, and these are being worked on, what’s the point of going to do an audit? It would be borrowing their watch to tell them the time, to confirm what they already know and are addressing, with zero added value.”

I recall a conversation with a regional finance director about the possibility of auditing an overseas unit where there were some questions over what was going on. It was a location that was borderline for audit attention and there was no hard evidence of a problem (in fact there was no problem as far as we can tell several years on).

Wanting to be helpful, but being mindful of resources, I suggested that audit do some work jointly with a member of his finance team, leveraging their knowledge and reducing the resource from audit, and providing an assurance message together. However, the regional finance director’s response was not as appreciative as I had hoped. In fact, he said: “No, let’s leave it, it’s not important enough for me to allocate one of my staff members to look at it, they are too busy on business issues!”

This was a wake up call for me, raising the question: how often is audit doing work because it is seen to be a free resource, rather than because what it does is felt to be really valuable?!

Uncertainty about Risk Assurance Roles

In my experience many audit plans implicitly take into account the fact that there may be other compliance or assurance functions covering key risks when they are doing their audit planning. Thus, if there is a health and safety function, many internal audit functions will not cover this area in their audit plan. This may be a sensible judgment; however, a relatively informal approach to taking other assurances into account runs the risk of making assumptions about coverage by other functions that could lead to gaps or overlaps.

Considering the Motivations behind Assurance Requests

One CAE shared the following story with me:

“A few years ago we were asked to carry out a learning review of a big systems project. Several functions were involved, the business, IT and a third party outsource provider. The request came from a senior business manager who was responsible for the business end of the project. We knew he was not happy with what had happened, cost overruns and the like, which he felt was due to failings by the IT function and the third party provider.

So we did the learning review and we found that whilst there were lessons to be taken on board on the IT side of the project, there were just as many lessons for business management, including the way they had not made their expectations known, as well as the way they had not delivered what was needed to IT on time. Our report set this out, highlighting lessons for all sides, in a very measured and balanced way – we thought.

And then in the audit closing meeting and subsequent feedback process we got terrible feedback from the business manager, which I then followed up. I said: ‘What’s the problem? You wanted this review!’, and the response was: ‘Yes, I requested the review, but I was expecting you to focus on the weaknesses of the IT function, not my department!’

It struck me that we knew that there was a political angle to this assignment, using audit to ‘hit’ another department. This was the value the manager was really looking for. However, we had naively assumed that doing a balanced review, in accordance with the IIA standards, would be sufficient to make him happy.”

On hearing this story at a lean auditing workshop in Europe, one CAE confided to me that they suspected that many of the audit assignments they had recently been given by their new Chief Executive were, effectively, assignments targeted at senior leaders the Chief Executive did not rate, to see if there was anything that could be found to hasten their departure!

Again we have a dilemma for audit – at face value meeting the needs and expectations of stakeholders might be seen to add value, but if these needs and expectations are grounded on a political agenda, or some other irrational view of added value, audit will find itself in difficulty.

Have a Clear Process for Working through What to Do in Relation to Known or Suspected Issues

One CAE explains:

“If there is a known issue, it is better to require that management should put mitigating plans in place first, and then audit the area when the remediation is supposed to have been implemented.”

A fundamental mindset in progressive, value-adding auditing is to be interested in management concerns and issues, but not to volunteer an assignment without being clear what value, specifically, is going to be added.

Rania Bejjani (CAE, Colt Group) explains:

“I aim for conversation and dialogue with the business about their needs. I want to know why do they want audit to do an assignment? How come this is so important for them? How does this link to the strategic objectives and key risks of the business? What are their concerns? What is already being done? What can they do themselves? What is the impact to the business? How will this assignment add value to them and to the business as a whole?

The aim is to really understand what is going on, the linkage to the bigger picture and what is needed. As you have these conversations you can uncover the wider context and interdependencies, a root cause or explanation or rationale for either doing or not doing an assignment. You might even uncover an alternative course of action.

When you adopt this sort of approach you avoid assignments that don’t really matter or serve the business. In addition, the assignments you do take on should come up with some very interesting findings. Unless we are able to add value, there is no point in doing the work.”

Thus, if there is a known issue, audit can ask: “Given you know there is an issue, what should we really do? If you are unsure about what remediation is needed, perhaps we can offer some advice about what should be done, but we won’t audit the issue, because you know it’s a problem already.”

Of course, sometimes audit can add value by looking into known issues, perhaps by looking into root causes, the possibility of other spin off issues, or the quality of action plans underway. However audit should always be asking why management cannot do this for themselves, and be very clear what the purpose of audit’s involvement actually is.

If management suspect something might be a problem, but are not certain, then a joint audit approach can be a good option since it makes the most of management expertise and also reduces the resource audit needs to commit. Another argument for this approach was given to me by a CAE who said: “Sometimes you need to ask management to put some ‘skin in the game’ to make sure you are not being given unimportant work to do.”

If there is a general belief from management that internal audit should audit known issues, or investigate suspected issues, the CAE should consider what this signifies in cultural terms. One perspective I hear from some auditors is: “Management value us getting involved in things,” but lean encourages us to probe what sort of value this is delivering. If it is about getting a free resource, or doing their job for them, that may not increase the value add from audit in the eyes of the external customer. In addition, the greatest risk is that internal audit involvement in these sorts of issues perpetuates a culture in which internal audit takes over the monitoring role to check controls and propose improvement actions, not management.

To illustrate the importance of thinking from an assurance perspective when developing the audit plan, here is another story. One of my clients was being asked to carry out a lot of anti-fraud work in their audit plan. As we discussed this, the CAE realized that underlying this interest in lots of anti-fraud work by audit was a senior management mindset that regarded the audit function as having the prime responsibility for fraud prevention. I offered some support around the three lines of defence model and the CAE then carried out an exercise in accountability mapping for fraud, and thereafter a series of education workshops for managers.

A year later a major fraud arose and the CAE remarked to me that he was very pleased we had done what we had done the year before:

“If we hadn’t done anything to re-educate management around what it really takes to prevent frauds, I am sure that we would have got the blame for what went wrong. As it was, there was a much better debate about processes in finance and purchasing, and the lessons for them. The realization was that it has to be these first and second line functions with the prime fraud prevention role. After all, they are the ones who are most likely to be able to stop a fraudulent or duplicate payment being made, not internal audit.”

I have also heard CAEs explain that senior management or the board sometimes want them to look at an issue because: “they don’t think the manager is capable of checking this thoroughly” (either because of resource constraints or capability shortcomings) or “they don’t trust the manager of that area”. However, if any of these points is true, it reveals a much deeper problem in the overall control environment than the specific issue that was of original concern!

I hope that these stories illustrate the power of approaching the audit plan with a lean perspective, namely:

• The need to deliver value to the customer;
• Having a clear and appropriate audit role;
• Avoiding waste.

Adopting a value add, assurance mindset when developing the audit plan may rapidly result in audit having a range of challenging conversations with stakeholders. However, these conversations need to take place if audit is to start to change old-fashioned stakeholder mindsets about the role of audit. In my experience step-by-step change may be all that is possible from year to year. But by clearly communicating a desire to add value and eliminate waste, alongside an understanding of key stakeholder concerns and needs, a shift in the mindset of senior stakeholders can be achieved over a period of time, and in turn a reappraisal of the optimal role for audit.

Actions for Internal Audit to consider:

• When discussing potential assignments always explore the question of the value that audit’s work will provide;
• Seek to ensure that the root causes for assignment requests are clear and address any misunderstandings about the role of audit;
• Pay close attention to clues about motivations and deeper political and cultural issues that may be driving requests for audit to carry out particular assignments.

Explicitly Address Risk Assurance in the Audit Plan

I first started working on risk assurance mapping as a CAE at AstraZeneca in 2003, so by the time we started working on lean auditing in 2005–6, we were already very mindful of the power of these techniques and integrated them into our ways of working.

In both the lean auditing and assurance mapping workshops that I run, I emphasize the benefits that can be obtained by adopting a risk assurance approach to audit planning. Indeed, this is one of the reasons my company has the name “Risk & Assurance Insights.” In 2012 the book Combined Assurance by Gerrit Sarens et al. makes the suggestion that “Combined assurance should drive the audit plan.” I fully agree with their analysis and, fortunately, there is already a growing body of practice in this field. Here are some of the advocates.

Leigh Flanigan, (CAE, CSIRO, Australia):

“I always emphasize to management that internal audit is not the only provider of assurance; there are many other parts of the organization and possible sources of assurance. I highlight that to them, but also work with management to help them better understand their role in providing assurance.”

Ivan Butler (CAE, Denbighshire County Council):

“In the past we developed a plan using the audit universe. Now our assurance framework is the number one ingredient.”

Nancy Haig (CAE, global consulting firm):

“If we are talking about lean and adding value, make sure that you’re looking at things holistically. Where are the key risks? Are they IT? Are they compliance? Are they financial? Are they environmental or health and safety?

Then consider who’s covering these risks. We may find, for example, that assurance over stock levels has been covered by external auditors. Or the IT department or tax department are performing monitoring functions. So it’s always a matter of looking at where risks are and determining if somebody else is already validating that those controls are working and if so, moving to the risks where there is no or limited coverage from elsewhere.

A big part of being lean is making sure you don’t do repetitive or redundant work without being clear as to why.”

(See Figure 10.1).

The “Taking it on trust” report by the UK Audit Commission has some excellent guidance on the attributes of robust assurance, so that over-optimistic assurances are not assumed. A case study based on work by the Plymouth Hospitals NHS Trust considers factors such as:

• The reporting lines of any reviewer;
• The frequency and timeliness of reviews;
• The scope of any reviews (considering depth and breadth);
• The skills of reviewers;
• The robustness of action plans and whether remediation is tracked.

Other attributes of importance in my experience include the quality of planning assurance assignments, the need to focus assignments on a risk basis, the robustness of onward reporting and issue escalation and the extent of coverage compared to the relevant risk universe.

Actions for Internal Audit to consider:

• Read the IIA practice guidance 2050–2 on assurance mapping;
• Always be explicit about other assurances when developing the internal audit plan;
• Read “Taking it on trust”, alongside the case studies featured so that a balanced assessment of the amount of assurance that is being provided by others can be considered.

Recognize the Power of Direct Assurance or Other Sources of Independent Assurance

Bringing together the earlier discussions about roles alongside assurance mapping, two other progressive practices are worthy of note: direct assurance or other independent assurance.

Thus, if cloud computing is raised as an issue that could be audited, a more traditional approach is simply to carry out an audit assignment to look into this area. However, a more progressive, assurance-based way of addressing the question could be to agree that the Chief Information Officer (CIO), or equivalent, should update senior management and the board on what is being done in relation to cloud computing. This can be achieved by requesting a report from the CIO, or by agreeing that the CIO should make a presentation to senior stakeholders about what is being done. Internal audit could even offer to help the CIO consider the likely risk areas and assurance questions that are likely to be of most concern to key stakeholders.

The benefits of the direct assurance approach are:

• Senior stakeholders obtain direct assurance from the person accountable for the risk on a timely basis;
• The person accountable for the risk recognizes this is an important area because of the senior management and/or board interest;
• Any improvements needed may be identified and put in place very quickly, sometimes even during the process of preparing for the senior management and board update;
• Limited audit resource is needed;
• Any follow-up or follow-on work required to be done by audit in that area has a much better chance of being focused on areas of most importance, taking into account what has been presented, as well as the risk appetite of key stakeholders.

Other direct assurance alternatives include getting direct input from purchasing in relation to the screening of third party suppliers, or direct input from compliance functions in industries such as utilities, financial services and pharmaceuticals.

I have also seen third parties being brought in to provide an assurance perspective on technical and emerging risk areas where audit would have limited skill capability to look at the area.

Nancy Haig (CAE, global consulting firm) sums up the approach I am advocating:

“I think that internal audit can be the catalyst for ensuring that the appropriate amount of assurance work is being done by different functions.”

Actions for Internal Audit to consider:

• During the audit planning process consider instances where direct assurance might be a preferable first step, rather than just an audit assignment;
• Be prepared to help the person accountable for providing the direct assurance with advice on the key areas that must be addressed;
• Consider follow-up or follow-on assignments by audit to test key areas of concern after any direct assurance inputs.