During his time working for a number of councils Mitchell Morley was often (although not always) underwhelmed by the lack of value many internal audit assignments added to the achievement of the organisation’s objectives. At the time he simply accepted this as an inherent limitation of an often under-resourced function operating in a complex environment. In this article he discusses how, in his current role providing risk management and internal audit services to a number of local government clients, his understanding of the problem has become much clearer.
The root causes of poor internal audits
Poor internal audit outcomes generally stem from poor internal audit planning and a lack of alignment between internal audit functions and the strategic objectives of the organisation and its risk management framework. All too often we encounter audit plans that are not based on an understanding of the potential audit universe nor aligned with organisational objectives. Even though the internal audit standards require a risk based approach to internal audit planning, the link between the organisation’s risk management framework and its internal audit plan is often tenuous or non-existent.
This situation is not always the fault of internal audit, which is often under-resourced and/or misunderstood. In many cases the problem stems from management and audit committees not asking the right questions, not providing the right support or direction, or not ensuring that a proper risk management framework is in place.
So what can be done to overcome these problems? We would suggest the following 9 steps:
1. Document internal audit’s objectives and strategic approach in both the internal audit charter and the internal audit plan
Whilst it serves as a good starting point, go beyond just regurgitating the sample internal audit charter attached to the DLG guidelines. Clearly spell out the purpose of internal audit, the resources available, the proposed approach, and the linkage between internal audit and the organisation’s objectives and risk management framework.
2. Summarise the organisation’s key objectives and strategies
You don’t need to repeat the entire Community Strategic Plan nor the Delivery and Operational Plans in your audit plan but you should summarise the key points. If your organisation is a growth council with huge increases in population projected to occur then this is a relevant point to note. This might lead you to conclude that functions such as strategic land use planning, development assessment and building certification are especially high risk areas that may need more frequent internal audit scrutiny than would be the case in a maintenance council.
3. Identify and document the audit universe
How can you be strategic if you don’t start by defining all of the functions of the organisation that need to be considered when developing the internal audit plan? Developing the audit universe is not a difficult process: you can pull it together from the Operational Plan, a functional organisation structure or a well-developed corporate risk register. The key is to get the right level, i.e. don’t break it down so far that you end up with hundreds of specific activities and tasks. Keep it at a broad functional level, e.g. procurement, investments, development assessment, library services, park maintenance etc.
4. Conduct a high level risk assessment of the audit universe
If your risk management framework contains some well-developed risk assessment criteria (i.e. likelihood and consequence ratings, risk categories) then use these to assess the overall level of risk involved in each of the functions listed in your audit universe. Involve managers in this process or at least get them to review the output. Make sure you assess the inherent risk level (i.e. before considering existing controls) and the residual risk level (after existing controls). This will enable you to prioritise potential audit assignments.
5. Identify audit types
What types of audits do you intend to undertake? Will some be comprehensive and others more of a limited assurance type? Will managers be required to undertake some level of self-assessment in between internal audits? The proposed audit types and what they involve should be listed in the audit plan.
6. Develop risk based audit work plan
Based on the high level risk assessment, develop a draft internal audit work plan which prioritises proposed audit assignments. Circulate this to senior management and seek input and confirmation. You may have to make adjustments based on issues raised by management and/or other stakeholders.
7. Align to available internal audit resources
Whilst it would be nice to have the resources to audit all higher risk activities on a regular basis, this is unlikely to be the reality. At this stage you need to align the proposed work plan with available resources. Make sure you allow for other internal audit activities like special projects, attendance at audit committee meetings, investigations etc. Putting all of this together in a detailed work plan will clearly show management and the audit committee what is possible given existing resources and allow them to determine whether the proposed coverage is within their risk appetite. Again, the detailed work plan should be circulated for input/confirmation by management.
8. Use risk registers to scope internal audit assignments
Once the audit plan has been approved and you begin scoping specific audit assignments, use the organisational risk register to identify the key risks and auditable controls for the function in question. This will enable you to take a risk based approach to the assignment and demonstrate that the controls you have tested relate to the key risks involved in the function in question. If no risk register exists or the register is inadequate, you may need to commence the audit by conducting a more detailed risk assessment with key personnel. Ideally get your organisation’s risk manager to do this for you or at least with you.
9. Use a risk based scale for prioritising recommendations
Finally, when writing audit reports and making recommendations take a risk based approach. Develop some rating criteria against which you can prioritise recommendations. For example, Critical or High priorities would be those recommendations which are aimed at addressing a fundamental gap in the internal control framework that is exposing Council to significant risk and requires immediate attention. This will help managers and the audit committee prioritise audit resolutions and reduce the chances of them being overwhelmed by a large number of recommendations.
Think strategically in both the internal audit charter and the internal audit plan and show how internal audit is proposing to align its processes to promote the organisation’s objectives and take account of the risk management framework. Make sure your internal audit plan is built on sound fundamentals and clearly demonstrates the linkage with the organisation’s risk profile and available resources.