Educating and auditing. Helping an organisation learn about risk and controls during an audit.

How Internal Audit teams can strike the right balance when helping businesses develop control maturity Helping ‘immature’ businesses learn about…

How Internal Audit teams can strike the right balance when helping businesses develop control maturity

Helping ‘immature’ businesses learn about the concept of risk and control is not easy, particularly when the audit team has been charged with the responsibility of providing independent assurance to the audit committee. The audit committee can benefit from an honest report detailing the control failures within the business, but the business does not benefit at all. Instead, they are burdened by recommendations they may see as counter productive, and as such, are never effectively implemented, nor do they achieve the desired benefits.

So how, as an Internal Audit department do we strike the right balance? We discuss a few options here.

Auditor Proud Day / Lunch and Learn

It might surprise you, but some people are actually interested in audit; who we are, what we do, how we do it, and why? Use events such as Audit Awareness Week or Auditor Proud Day to highlight what we do. By explaining our methodology, approach and purpose, people may being to understand our very important role and why we say and do, what we do.

You can learn more about Auditor Proud Day, please click here.

Audit Planning

Audit Planning is one of the most critical times in an audit. Poor planning can result in poor performance and as such, it’s critical that you correctly engage with the business at the start of the audit.

As part of Planning, audit teams should dedicate time to educate the business on not only the audit process, but also what are controls, what are risks, and the expectations of the business when it comes to risk and controls. It’s important to use this time to differentiate between the role of audit and the role of the business, and expectations of who’s responsible for managing risk on a day to day basis and implementing controls.

We have built an ‘Intro to Audit’ template which can help when kick starting planning for an audit and introducing audit to some first timers. View our ‘Intro to Audit’ template here.


Although the most time intensive option, it’s probably the most valuable. By allowing people in the business to join the audit team on a short term basis, we’re showing them to learn first hand the concepts of risk and control, but also ‘what good looks like’ and why audit is important.

When considering the options of secondment, why not consider it as a ‘swap’. For instance, audit team members could really benefit from joining a finance team as part of a reciprocal secondment. Auditors will learn the day to day operations and challenges faced by the finance team whilst also brushing up on some of their technical accounting slills.

Intranet and Training

The intranet ( as auditors should know), is an invaluable place which contains an abundance of resources and information. Internal Audit should ensure that it has a place on the Intranet and provide an overview of the audit function and some keep concepts. To help with this, our Internal Audit Training Compete Set, can really help.

During the audit…

You may be tempted to just give the business the answer and helping them implement the solution to address an identified issue, but this helps nobody. The business becomes dependant on audit as the solution fixers and we lose our independence; particularly when we have to go back and audit the recommendations which were effectively implemented.

Audit teams should stay strong and continue to rate audit reports and observations, however consider including a maturity model into your audit report appendix; showing where the business is now and where we want them to be. This also allows us to have ‘bite sized’ recommendations which won’t overwhelm the business, but will give them time to address the issue correctly yet still learn about risk and controls.

Audit teams should not be afraid to offer help, but should remember the Code of Ethics and consequences if we start acting as consultants rather than auditors.