11
Considering the Allocation of Resources to Optimize Value Add

In the past two chapters on audit planning I have explained:

  • The importance of taking a value approach to the audit plan; and
  • The importance of thinking about risk assurance (to avoid waste).

However, as mentioned earlier, lean ways of working do not simply encourage audit to have a value-adding plan, but push audit to consider the most value-adding plan in relation to an optimal amount of resources.

Consequently, this chapter explores in further detail the ways to look at the allocation of resources in the audit plan in order to consider what is the best possible plan. This leads on to another important topic: how to present the audit plan to key stakeholders so that:

  • Key choices in relation to the allocation of resources are understood (e.g. between activity areas, key objectives and key risks);
  • Key stakeholders understand how any different needs and interests have been addressed in the plan (e.g. the balance between advice and assurance within the plan);
  • The impact of resourcing constraints is crystal clear.

COMMON PRACTICES AND IIA STANDARDS OF NOTE

The IIA sets out (in IIA standard 2010 C1) that an internal audit function can consider consulting assignments based on their potential to improve risk management, add value and improve the organization. The standards explain that agreed consulting assignments should be included in the audit plan.

IIA standards also explain that the CAE should communicate the plan and resource requirements and obtain sign off from the board and senior management, including any interim changes needed.

COMMON CHALLENGES & DILEMMAS

Getting the Right Balance between Assurance and Advisory Assignments

At many of the workshops I run I carry out a poll concerning the portion of audit time that is allocated to advisory assignments. On rare occasions no advisory work is done (for example, when the audit service is outsourced, or a large portion of mandated assignments dominates the plan). However, more generally – and I have polled many hundreds of auditors – the portion of audit resource spent on advisory assignments typically ranges between 5% and 25%. The reasons for the differences in the proportion of audit resources spent between assurance and advice seem to be linked to a range of factors: historic, cultural, the business context and stakeholder preferences.

However, a common thing I hear is that board members are keen to get the maximum amount of assurance from audit, and as a result CAEs feel they have limited scope to do much advisory work. So, some CAEs do not explicitly state what the balance is between assurance and advisory work in their plan. Moreover, other CAEs do not even explicitly budget for advisory work and instead “squeeze it in” when there is time in between assurance assignments. The reasons for limiting the amount of time spent on advisory work, and not highlighting this, can be due to the way some audit functions are expected to charge for their time, or because some CAEs can feel somewhat guilty about the amount of advisory work they are doing (often due to a belief that the board would not be happy to hear about advisory work).

I recall a CAE at one workshop explaining that she spent 50% of her available resource on advisory assignments. The other CAEs at the workshop were visibly stunned by the amount of time being spent on advisory assignments. However, the CAE justified it on the basis that her organization was going through a tremendous amount of change and she felt it was better that audit should be proactively advising on these issues, rather than sitting back and finding fault later on. Of particular note, later on in this workshop, we learned that this CAE was one of only a few who had been able to increase the size of her audit function, with the majority of others having to reduce their resources!

Nicola Rimmer (former President of the IIA UK) offers the following perspective:

“In relation to the provision of advice, I think a lot of audit functions can sometimes be perceived as sitting on the fence and say they don’t want to get involved for reasons of independence. Independence can get used as a shield.”

A further theme from the influencing workshops I run for CAEs is that limitations on the amount of advisory work delivered can lead to a distancing between the audit function and the rest of the organization. This distancing has adverse consequences in two respects:

  • The audit function has poorer networks in the organization, being seen as an internal policeman, with less “money in the bank” in terms of goodwill when an audit assignment gets into difficulty; and
  • The audit function obtains less intelligence about what is going on in the organization, both in terms of information being forwarded on, as well as fewer informal (coffee room) conversations about what is going on.

However, there is a balance to be struck, as Chris Baker (Technical Manager, IIA UK) notes:

“The worst-case scenario is that organizations don’t get any assurance or get very little assurance from audit because consultancy work is dominating their work. And the opposite can apply with organizations failing to benefit from the auditor’s experience to help them head off an issue.”

A further dimension concerning the provision of advisory support is to recognize that very often requests for advice can come from middle management rather than senior management. Lean principles support advice to both groups if there is going to be a connection with external customer value add. However, limited input from audit to the most senior levels of management, and spending the majority of advisory time on middle management requests may mean audit is not making a value adding contribution to some of the major value related challenges facing the organization.

Core Assurance Work on Compliance and Control Takes Over

I have already discussed some of the problems with audit plans being dominated by work on core assurance areas, such as financial controls and compliance.

One CAE offers an interesting perspective why this is such a common challenge:

“If you’ve got Audit Committee members concerned about compliance and basic controls there might actually be quite a lot of activity going on to manage these risks, but sometimes this work doesn’t always reach them in a clear way.

As a result it’s tempting for them to latch on to audit as the most visible assurance provider.”

Challenges to Rationalize the Plan Against Key Value Related Areas

In the audit planning workshops that I run, we benchmark audit plans, in terms of both content and presentation formats. A common presentation approach is to list out the range of audits planned, with the number of days allocated to each proposed assignment. In some instances, this is supplemented by details of coverage across risk areas (IT, finance and compliance), by business area and also geographical regions.

However, a key question is how does this information help to ensure that the plan is addressing the most important value related areas and the key risks of the organization?

In a number of instances I have heard CAEs confessing that they “retrofit” their audit plan (developed via an audit universe and/or management consultation) to the objectives and key risks of the organization. When this occurs, the danger is that connections between key value issues and the audit plan are not actually that strong, resulting in a disconnect between the plan and what is of most value. This approach is often one of the reasons for a disconnect between the audit plan and key risks, that can be revealed during an EQA (as discussed in Chapter 9).

The Impact of Resources Constraints is Not Always Clear

Another pressure that CAEs can feel is the need to “make do” with the budget and staff headcount they have, since audit is not a front line function. One fairly common practice I have seen to explain the impact of resource limitations is for the audit plan to list the assignments that “nearly made it onto the plan.” I have heard mixed reports about whether listing these assignments is successful in getting the right sort of conversation about the resources that should be allocated to audit. From my discussions with CAEs often all that happens is that the CAE is encouraged to “do their best to squeeze in additional assignments” if they can.

An even more difficult issue for CAEs to raise is the extent to which the skills and capabilities within the audit function have impacted the plan. The most obvious impact is where an assignment is considered for inclusion on the audit plan, but then removed because “that’s an area that can’t be audited.” However, a more insidious problem is that risks are excluded from thought automatically (c.f. the earlier discussion about common shortcomings in most audit universes), so that these limits on audit coverage are not transparent. Imagine an external customer’s perspective to such an approach: “You ignored key areas because they were too difficult for you? But how does this serve my needs?!”

RECOMMENDED PRACTICES

The starting point for a progressive audit plan is to deliver the maximum value as efficiently as possible. Therefore, whether assignments should be oriented towards advisory rather than assurance will depend on a range of considerations, e.g.:

  • If an advisory assignment enables audit to be engaged with important value drivers (e.g. new product launches, etc.) that are not yet ready to be audited; and/or
  • If this enables assignments to be completed, and actions taken, quickly with minimal delay (e.g. without waiting for an audit report to be drafted, checked and negotiated over).

In terms of overall resources for the audit function, lean, progressive ways of working encourage a transparent and conscious trade-off between resource and adding value. There is no such thing as a correct amount of audit resource; rather those accountable for managing the organization should understand the interaction between cost and value add and make the appropriate decisions to maximize added value (in their eyes and ideally the eyes of the external customer), recognizing there will, of course, be competing claims on limited resources.

Understand Value Opportunities from Advisory Assignments

Here are some reflections from a senior audit manager in the UK:

“With advisory assignments I always like to make sure it’s not pre-empting an audit. If we’re not planning to audit in that area and it’s important, then it’s a good area to offer advice. But if we were six months away from doing an audit and a manager wants a piece of advisory help, I’m more careful about our role.

The other thing is, people not actually knowing what they want from the advisory work. Let’s bring the auditor in, with an ill-defined concept of what success would look like. In this situation you have a lot of opportunity for upsetting people and disappointing people and actually undermining the role of audit rather than reinforcing it. So when you get a piece of advisory work, have a clear scope, have a clear objective, understand what it is you are trying to achieve.”

Fortunately, there are indications that the value to be gained by doing advisory work is being increasingly recognized. Nancy Haig (CAE, global consulting firm) reflects:

“I think that people are starting to understand that there’s real efficiency and value in internal audit as being there up front as opposed to the back end, when it can sometimes be too late.”

Chris Baker (Technical Manager, IIA UK):

“I’m absolutely certain that advice is fundamental and part of what it means to add value. Not simply because it’s included in the IIA standards but I see it when I do EQAs: stakeholders of internal audit expect it.

I think there’s a higher degree of expectation these days, given the financial climate and constraints that are around. Internal audit needs to make a contribution to how the organization achieves its objectives.

I recommend to CAEs that they should be clear about the amount of advisory work they are doing. For various reasons many CAEs feel a bit apologetic about this. They don’t create this separate section in their audit plan and spell it out.”

An additional benefit from being transparent about the balance between advice and assurance is that it can bring out different stakeholder views about how audit should spend its time, and be a trigger for working through stakeholder differences. Resolving these differences can often require a deeper level of dialogue between the board and senior management, for example revealing that if senior management were more open and honest about issues, the board would be less inclined to want independent assurance!

Actions for Internal Audit to consider:

  • Assess the amount of time spent by audit on assurance assignments compared to advisory assignments;
  • When developing the audit plan consider whether there are occasions when advisory assignments would offer an opportunity to more quickly deliver added value;
  • Make audit time on advisory assignments (past and planned) transparent to stakeholders.

Being Transparent about the Use of Audit Time Across Different Risk Areas

Other key choices in the audit plan that are often implicit can benefit hugely from a more explicit, transparent approach. Clearly setting out the proposed allocation of audit resource in the plan between risk categories can be very powerful.

Table 11.1 illustrates that even though audit is allocating its time equally across key risk areas, this does not align to the actual importance of each area in terms of its contribution to value add and potential value destruction.

Table 11.1 Audit time allocation across risk areas

| Risk Area | Contribution to Value Add/Loss (%) | Past Coverage by Audit (%) | Proposed Coverage by Audit this Year (%) |
|---|---|---|---|
| Financial | 15 | 30 | 25 |
| Compliance | 15 | 25 | 25 |
| Operational | 25 | 25 | 25 |
| Strategic | 45 | 20 | 25 |
| Total | 100 | 100 | 100 |

Of course, judgements will need to be made about the extent to which each area impacts the value add/loss of the organization, and the extent to which audit coverage should be orientated around these proportions. However, this sort of analysis can prompt a good discussion about why audit may be allocating a relatively small portion of its resource to strategic risks, but more to financial controls and compliance where i) there may be less risk, and ii) there are a range of other compliance and assurance functions that already look at these areas!

Such an analysis can also be accompanied by providing details of the “effective audit coverage”. This measure considers the extent to which the risk areas concerned will be “fully assured” over the course of a number of years. Of course, “fully assured” would need to be defined, based on the relevant risks and controls. However, when this is done, key stakeholders can often find that some areas are being assured considerably more often than others. Table 11.2 builds on the last example:

Table 11.2 Analysis of audit plan coverage

| Risk Area | Contribution to Value Add/Loss (%) | Proposed Coverage by Audit (%) | Number of Years Auditing to Cover All Relevant Risks |
|---|---|---|---|
| Financial | 15 | 25 | 3 |
| Compliance | 15 | 25 | 4 |
| Operational | 25 | 25 | 5 |
| Strategic | 45 | 25 | 10 |
| Total | 100 | 100 | N/A |

Table 11.2 highlights:

  • Spending 25% of audit resource on financial control risks means that audit covers the relevant processes and controls every three years;
  • Likewise, 25% of audit resource on compliance means that audit covers the relevant processes and controls every four years;
  • By contrast, because of the greater scale of operational risks, spending 25% of audit resources on these areas means audit will only cover these every five years;
  • Finally, this analysis shows that full coverage of strategic risks is around every 10 years, which in practical terms means that there are some strategic risks that audit will never audit (because they will have come and gone within that period of time).

One CAE explains their approach, based on this way of thinking:

“Whilst we use a risk assurance based approach to developing the audit plan, it is important to explain the limitations in audit’s coverage.

To manage expectations we created a risk assurance universe that we use to complement the plan. This is then categorized into three key tiers, based on their respective importance in risk and value terms.

Then when we develop the audit plan, we make sure that we communicate the audit coverage of the three different risk tiers.”

In order to be clear about the trade-off between value and cost, the aim should be to ensure that senior management and the audit committee have no illusions about the amount of auditing that is being done by the audit function against the different levels of risk. As Figure 11.3 illustrates, audit coverage of key units (Tier 1) will typically be greater than coverage of less important locations (Tiers 2 and 3).

Actions for Internal Audit to consider:

  • During the audit planning process regularly carry out sanity checks to ensure that the planned allocation of audit resources:
    • matches the key value issues for the organization,
    • covers key risk areas with appropriate frequency;
  • Ensure these choices are transparent to stakeholders when presenting the audit plan.

Figure 11.3 Audit plan coverage – by tier (illustrative)

Make the Impact of Resource Limitations Crystal Clear

Implicit with the approach just described is the fact that the audit plan will not address some risk areas. Phil Gerrard (CAE, Rolls-Royce) explains:

“I think it’s important to present the plan showing not only what we are looking at, but what we are not looking at. The aim is to get across the reality of a risk focus, and a better understanding of what effectively amounts to the Audit Committee’s risk appetite.”

One very effective method I have found, which transparently communicates the connection between the proposed audit plan and its value add, is to map out the proposed coverage of key risks and priorities alongside i) other assurances, ii) past audit coverage and iii) stakeholder interest. The aim is to make crystal clear which areas are being fully assured, which will have some assurance, and which are not being assured at all.

Such an analysis typically highlights that some areas receive considerable assurance year in and year out and others have not been independently assured at all.

Some stakeholders may not be entirely happy with a transparent mapping of key areas and assurance or audit coverage, since it may raise questions in relation to limitations of audit resources, and disrupt long established preferences about the areas audit looks at (and does not look at). However, it is important that CAEs lead the way in making assurance and audit coverage transparent, since this is a key way to drive discussions about the effectiveness of the overall assurance picture, whether audit coverage is being optimized towards the areas that matter the most, and whether audit is being appropriately resourced.

Actions for Internal Audit to consider:

  • Ensure it is crystal clear in audit planning papers which risks and objectives are and are not being assured or audited;
  • Be cautious of saying audit has enough resource without putting it into context;
  • Be prepared for some pushback from certain stakeholders who may not want to make audit and assurance coverage so transparent.

Core Assurance Is to be Expected and will Add Value if done in the Right Way

Lean principles encourage a strong focus on value adding advice and assurance in relation to key value issues. However, this does not mean that assurance over “core” financial controls and compliance should not be a part of the internal audit plan. Typically lean progressive auditing focuses core assurance work to look at the areas that matter the most and ensures other control and compliance functions are discharging their roles effectively.

Stephen Foster (Senior Vice President Corporate Audit Services, and CAE, Cargotec AB):

“My main learning point over the past few years has been that you can’t have modern auditing without an element, a fundamental element, of traditional auditing. You have to have that as a base. That’s your foundation.

I come from a CFO background and in that environment your position of power is that you know what’s going on, you have the facts.

It’s the same with the modern audit function. They will not maintain or gain that credibility if they don’t have the foundations and the facts. I don’t see the two as being mutually exclusive. I just see it being as an evolution. And if you lose sight of the traditional then you will fail, but you do need to balance it increasingly with services that add value to the business.”

In my experience, key stakeholders often want “core assurance” over and above the strict amount that it contributes to key value issues. However, the trick is to put this work within the context of other compliance and assurance activities, to closely manage the amount of time spent on this work and to optimize the focus of audit’s work in these areas.

Actions for Internal Audit to consider:

  • Recognize that despite the fact that “core assurance” may not strictly be as important to key value issues as other work, some work will normally be expected;
  • When core assurance work is done, ensure that audit’s work is correctly focused and pay close attention to the effectiveness of compliance monitoring and checking by management and other functions.

The Audit Plan Should Address Capability Issues within the Audit Function

Whilst IIA standards demand that audit must have the skills to do its work, the danger is that this is interpreted as grounds for not auditing some areas, rather than being used as a trigger for getting additional capabilities into audit. For example, it can be tempting to ignore certain risk and value areas in the planning process on the basis that: i) audit does not have the capability to audit these and ii) additional resources are not going to be made available. However, though it may be tempting to “short-circuit” the correct logic, it can create a self-fulfilling prophecy of keeping resources static, because staffing shortcomings are not identified.

A progressive approach to auditing is to transparently spell out the need for either additional internal resources or co-source resources in order to provide assurance over areas of value, or to make it clear that capability constraints are limiting what can be covered. Norman Marks (GRC thought leader) offers the following encouragement in relation to audit capability gaps:

“A long time ago internal auditors said we can’t audit procurement or human resources because we’re accountants. We don’t say that any more, do we? So why should we use that kind of excuse for new risk areas nowadays?”

Actions for Internal Audit to consider:

  • Ensure risks are not excluded from consideration in the planning process because of audit capability limitations;
  • Ensure there is a clear statement about any capability gaps in the audit plan that are limiting coverage;
  • Is there a clear enough discussion in the plan about the opportunities or barriers to getting additional internal resources or external co-source support?

Think Through How the Plan will Deliver any Overall Opinions Required

Phil Gerrard (CAE Rolls-Royce) offers the following observation:

“Too many internal auditors look at the micro end of the audit plan, rather than how the whole programme fits together, and how that will help them form an opinion and help the audit committee with their annual governance statement. I would like to see more CAEs think about that.”

For several years now I have run sessions with CAEs and audit committee members entitled “How assured am I?” in which we examine whether the audit plan, alongside other assurances, provides enough assurance to deliver a robust overall assessment of the GRC and assurance framework of the organization. In a number of instances our discussions have highlighted that assumptions are being made about the breadth of assurance coverage, the quality of the assurances provided, and the rigour of remediation tracking.

As a result, many audit functions find they need to recommend strengthening the assurances that are being obtained from management and compliance functions in relation to certain areas, as well as stepping up audit coverage of key risk areas. Once a better assurance framework is in place, internal audit can then more confidently engage in additional value adding assignments. Nancy Haig (CAE, global consulting firm) explains her approach:

“If we have come up with a good plan where people are comfortable with the amount of assurance work we’re doing, and recognize the work of others, then most of the time I’ve found key internal stakeholders will be happy with whatever extra work that we take on. And normally they see that it’s adding real value for us to be involved in the design of a new process, or to provide input in due diligence work.”

Actions for Internal Audit to consider:

  • Be explicit in the audit plan how the assurance coverage contributes towards any overall governance and risk opinions;
  • If there are gaps consider recommending strengthening assurances from management or other compliance functions, not just doing additional audits;
  • Ask for audit planning to be explicitly probed in relation to the link with overall assurance messages during an External Quality Assessment (EQA).

CONCLUDING REMARKS

The dilemma facing most audit functions is how to approach the audit plan afresh when there is likely to be a considerable amount of inertia in past ways of thinking about the role of audit and what constitutes a sensible plan. A lean audit approach provides a constructive way of overcoming this inertia by asking: How do we achieve the most value adding audit plan possible, and validate whether the allocation of resources is optimal?

Lean, progressive ways of working encourage audit to be transparent about key value drivers, risks, the overall assurance picture and the choices and constraints that affect what should be done.

Of course, CAEs should take a clear lead in proposing what they believe is the right audit plan, based on value, but no matter how confident they are about the proposed audit plan, CAEs should be a role model for transparency about what is being proposed and why. My CAE coaching work suggests that whilst some stakeholders find this transparency challenging (since it may reveal resource and capability shortcomings) it normally stimulates important debates about the most value adding role for audit and the importance of strengthening the overall assurance framework.

 
