How much of a say should they really have?.

Determining how much input the auditee should have in the audit scope At the start of each audit, it is…

Determining how much input the auditee should have in the audit scope

At the start of each audit, it is important that we undertake detailed and thorough planning to ensure that we identify all risks and controls. As part of planning, we should perform a range of walkthroughs, stakeholder discussions and background / external research. All of this combined will help us to correctly scope the audit, ensuring that we not only provide a level of assurance to management and the audit committee, but also add value.

For many audit teams, before we finalise the audit scope and objectives, we will often confirm with key stakeholders that the audit scope and objectives meets expectations; that it appropriately addresses the risks and concerns which they may have.

But with the introduction of the updated Institute of Internal Auditors (IIA) Three Lines Model, how much say should we give stakeholders when confirming the audit scope and objectives? As the Three Lines Model encourages better and more direct communication between audit and the business, audit teams should be actively engaging more with stakeholders to ensure the audit is appropriately addressing risks. But is there a risk that some business areas and key stakeholders take this encouraged engagement, too far?

Its worthwhile to note, this issue is not a new one, and not something which has just arisen because of the new Three Lines Model. Some audit stakeholders already pushed the boundaries with audit and saw us more as consultants, rather than auditors.

In what situations and why would stakeholders want to influence the audit scope and objective?

Some audit stakeholders see internal audit as an opportunity for free advice, or free consultancy services. Under the Internal Audit Standards, we are allowed to do this, but when it comes to performing an audit, we should not have our independence and judgement compromised through providing consultancy services.

In other situations, audit stakeholders may wish to direct audit away from known issues. Alternatively, the stakeholder may not see the value of audit as “they already know what the problems are”, and as such, attempt to redirect or influence audit’s scope and objectives.

What to do when stakeholders start attempting to influence scope?

Firstly, stakeholders are well within their right to influence the scope, however they should also be reminded that we report to the audit committee and need to provide a level of assurance, and therefore, whilst their comments are noted, they may not always be addressed.

But where the audit stakeholder requests Internal Audit to turn the audit scope into a more ‘consultancy’ piece of work, rather then denying the request or rejecting the comments, Internal Audit should consider:

  • Is there a way for the ‘consultancy’ services to be built into the scope, but adjusted to reflect on the risk. For example, in a finance audit where the stakeholder wants to know which accounting software they should purchase, the request could be turned so that we analyse and evaluate finance’s assessment of accounting software. Whilst we fall short of recommending a system, we can help validate that their assessment process is appropriate and does not have any gaps.
  • Is there an opportunity for audit to perform consultancy services separate to the audit?
  • Is the audit necessary? If the stakeholder does not see the value in the audit, and this can be reaffirmed by your planning, are we better diverting our audit resources to more high risk areas of the business?
  • Have we educated the audit stakeholder on the role and purpose of audit? Their desire to push and change the audit scope may be reflective of a lack of understanding about audit.

In all instances, Internal Audit owns the scope and objectives of every review. Whilst it is important we have good working relationships with management, its also important the our objectivity and independence is not compromised.