
Some auditors need to kick bad habits

December 12, 2022

The Institute of Internal Auditors (IIA) is in the process of updating its International Professional Practices Framework (IPPF), which includes the International Standards for the Professional Practice of Internal Auditing.

It is necessary, as some in the profession need a kick.

A friend recently told me that they connected with audit leaders at peer organizations (other mid-sized to large, complex organizations) to understand how long and how large their audits typically are. Those peers perform cyclical audits of auditable entities (an audit universe), and individual audits last up to 12 weeks.

So cyclical audits are alive and well, even though the practice should have died off decades ago.

Also alive and well are long audits of an entire process or business unit.

Too few are taking a risk-based approach to internal auditing.

Audit the controls over the risks, not entire business processes!

Don’t waste your or management’s time auditing more than you need to provide the assurance, advice, and insight management and the board need.

I have asked the IIA to use the opportunity of the IPPF update to jolt people out of these poor practices.

They replied, “That is our goal too, business objective-based and risk-based audit”.

Excellent!

Let’s have a quick look at what the IIA currently says about the role of internal audit.

The Definition of Internal Auditing is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Mission of Internal Audit takes the ideas to a higher and more active level:

The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

This is supported by the last three of the IIA’s Core Principles for the Profession of Internal Auditing:

  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I don’t think you achieve these through full scope, cyclical audits of business processes or units.

I think you achieve them through audits that focus on the more significant risks to the enterprise: enterprise risk-based auditing.

That is what the current Standards say:

2010 – Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.


2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

    • Achievement of the organization’s strategic objectives.
    • Reliability and integrity of financial and operational information.
    • Effectiveness and efficiency of operations and programs.
    • Safeguarding of assets.
    • Compliance with laws, regulations, policies, procedures, and contracts.

Frankly, I don’t understand how an internal audit function passes a Quality Assurance Review when they practice cyclical or full scope auditing.

Moving on, the IIA has shared a draft Purpose statement. I’m not sure how a Purpose statement differs from a Mission statement, and why you need both. But here it is:

Internal auditing enhances the organization’s success by providing the board and management with independent advice and assurance.

Tim Leech doesn’t like it (see here). He prefers:

Ensure the board and CEO are receiving reliable information on the likelihood/risk top value creation and preservation objectives will be achieved with a level of uncertainty acceptable to the board

I prefer something more active, more than providing assurance on risk reporting. Frankly, the draft is weaker than the existing Mission statement.

I would like to see something like:

Provide the risk-based assurance, advice, and insight that leaders of the organization need for success.

Why this?

  • It talks about risk, while the current draft does not. It just talks about advice and assurance, but does not say on what.
  • The current and proposed guidance allows for any level of assurance. Mine requires a more complete level of assurance. An Interpretation statement would explain that the assurance should be on the risks that matter to the achievement of enterprise objectives.
  • I have added “insight”, which is an important source of value to our customers.
  • It makes it clear that we should provide what our customers need, not just what we think is valuable or would contribute to their success.
  • Independence is a given, and anyway objectivity is more important.

What do you think?

  1. How do we persuade CAEs to discard cyclical auditing and full scope auditing, replacing them with risk-based auditing?
  2. How would you modify the Purpose statement?
  1. December 12, 2022 at 9:56 AM

    Hi, Norman,

    Thanks for the article.

    How would I modify the Purpose statement?

    Check this one please:

    “To engage in goal-driven and risk-based analysis of business processes and systems to produce information to foster effective decision-making process for leaders of the organization on the ways to ensure its success”.

    • Norman Marks
      December 12, 2022 at 9:58 AM

      Food for thought. Thanks, Oleg

  2. December 12, 2022 at 11:39 AM

    There are so many aspects that the IIA needs to change. My views are here : https://www.internalaudit.biz/webresources/page26.html

    In answer to your first question: persuade the governing body that cyclical audits based on questionnaires are wasting their money.

    In answer to your second question: the ‘Purpose’ statement needs to be unique to internal auditing, in particular it should not be possible for it to apply to risk management. I think that the ‘Purpose’ proposed by the IIA, Tim Leech and yourself doesn’t do this. Risk management departments could argue that they provide assurance just by their existence.
    The ‘Purpose’ should reflect what hundreds of thousands of internal auditors are doing throughout the world: checking that controls are in place to bring risks to a level acceptable to the governing body and that these controls are operating properly. The correct selection of the controls to check (i.e. those vital to the achievement of the business’s objectives) should be contained within the Standards. Internal auditors should then provide an opinion (see standard 2410.A1) on whether the controls ensure risks are being properly managed and objectives should therefore be achieved.
    The ‘Purpose’ statement should therefore indicate that IA provides an opinion based on the examination of the effectiveness of controls. My ‘purpose’ statement would therefore be,

    ‘Internal auditing protects and enhances the value of an organisation by examining those processes which manage the opportunities and risks impacting on its objectives and providing an opinion on their effectiveness.’

  3. Norman Marks
    December 12, 2022 at 11:49 AM

    Nice

  4. DL
    December 18, 2022 at 10:37 AM

    Some food for thought:
    – Risk analysis should be validated based on how it is used.
    – “Expert” estimates of risk do not have superior accuracy.
    – Methods of expert risk estimate combination do not improve validity.
    – Expert risk estimates are currently applied in ways not supported by evidence.

    Source: Forecasts or fortune-telling: When are expert judgements of safety risk valid? by Andrew Rae and Rob Alexander

    https://www.sciencedirect.com/science/article/abs/pii/S0925753517303788

  5. DL
    December 18, 2022 at 11:02 AM

    “Ball (2002) suggests that the proliferation of complicated risk estimation techniques is a response by the risk estimation community to broader social disputes about risk. Risk estimators are typically mathematicians and engineers – ‘‘those who enjoy quiet, meticulous work” – poorly equipped by training and inclination to engage in social and epistemological debate. Instead of responding to broad challenges to risk estimation validity, they concentrate on refining the technical detail of risk estimation methods.”

    “It is a mistake to believe that expert status acquired through authority, experience or job description, carries with it an ability to make risk forecasts that are somehow more objectively accurate.”

    “It is also dangerous to suggest that convoluted methods of expert estimate elicitation or complicated mechanisms for estimate combination enhance the validity of expert judgements.”

    “The path to improving expert judgement validity is through more description and less quantification.”

    The paper is available here: https://research-repository.griffith.edu.au/rest/bitstreams/83f84118-51a4-5060-adf5-29e6b34c0618/retrieve

    What about simple risk estimation methods and simple audit universes?
