A Better Objective for an Audit
Over the years as a CAE, I learned that there was a better way to steer the audit team. Instead of asking them to assess the system of internal control over a process or business unit (an approach that is disconnected from enterprise objectives), or whether the controls provide reasonable assurance that specified risks are at desired levels (a far better approach), I ask them to answer this question:
Do the processes and controls meet the needs of the business?
This makes the members of the audit team think!
What is management trying to achieve with this business unit, activity, process, etc.?
Does the way they are operating, which includes the controls they are relying on, provide reasonable assurance that they will be successful?
That means that not only do they need to take the right risks but seize the right opportunities. Are they doing that?
How well are they leading the organization and its people, obtaining optimal performance from both?
Is there a better way? What can and should be improved?
Answering my question enabled my auditors to assess the management of risks and opportunities and the related controls.
What do you think?
Try it for yourselves.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman, you make a very good point. This approach implies:
> The audit team is briefed as to why the audit is considered necessary – this will include your points about what management is trying to achieve
> The audit team has been challenged (before the audit starts) to identify the opportunities that management should have identified. I include this because the audit team is probably better at identifying risks than opportunities
> The audit includes examining the induction, training, target setting and appraisals of staff – this takes into account your point about optimising performance.
You are spot on Mr. Marks, keeping the big picture in focus (when communicating with the audit committee and management) makes internal audit, not only relevant but capable of creating a venue to discuss what is important to the organization at that specific time.
The only addition i would like to make is coupled with agility of internal audit planning and execution and its capability to change and redirect its efforts when needed to remain on top of areas of concern and interest as they emerge.
You are absolutely right. It’s a sound approach that every auditor should learn. Instead of designing an audit plan around risks or controls (as the logical focal point), why not focus on your organization’s strategic objectives? First off, these are usually easier to identify and gain consensus about from executive leadership and the Audit Committee.
That done, it’s easy to implement an audit approach that considers those key objectives, who is responsible for each, and how they are going about meeting their responsibilities. It’s a natural entry point to look at strategies, best practices, controls, resilience, execution, and quality of reporting.