Let's just jump straight into it... do we really need a rolling schedule for Internal Audits? Don't get me wrong, I certainly believe we need to have a schedule of audits, but are the days of having a rolling expenses review every 2 years actually still necessary?
Since the Chartered Institute of Internal Auditors released their proposed Code of Practice in July (which you can access here), and since I have been developing an Audit Universe template for this site, the thought has been on my mind as to whether or not a rolling schedule is required for internal audits. My thoughts were further amplified after seeing a tweet from the team at ISO Update bringing to my attention an article from last year. The article, "Internal Audit Frequency: How often should you be having Internal Audits for compliance", makes some really good points and takes an extremely logical approach when answering the question; however, there are probably a few things we need to break down.
Firstly, the proposed Code of Practice states in paragraph B4:
... Internal audit should make a risk-based decision as to which areas within its scope should be included in the audit plan – it does not necessarily have to cover all of the scope areas every year. Its judgement on which areas should be covered in the audit plan, and on the frequency and method of audit cycle coverage, should be subject to approval by the audit committee.
The proposed code is closely aligned to the International Standards for the Professional Practice of Internal Auditing (Standards), with Standard 2010 – Planning stating that "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation's goals". The IIA's Standards do not provide any commentary on cyclical audits.
Similarly, as pointed out by the team at ISO Update, management systems such as ISO 9001, ISO 14001 and OHSAS 18001 mention that internal audits should be planned at intervals; however, the ISO requirements do not detail a specific frequency, nor do they establish that all processes need to have an annual internal audit.
So far, so good. The Code, IIA's Standards and the ISO agree on a general approach to audits, but why is it that audit teams become bogged down in reviewing core processes every set number of years even if there is not much change, or the previous audit reports do not identify any large control issues?
One of the more obvious reasons is the assistance it provides in preparation for the financial statement audit.
Establishing regular audits over core financial, IT and HR processes can help to provide assurance that controls are operating as designed, therefore providing the financial statement auditor with a level of comfort. Whilst the financial statement auditor will still need to perform their own testing, these reviews performed by internal audit may reduce the amount of testing that needs to be performed.
The financial statement auditor can also place reliance on the work of internal audit for a maximum of three years; however, other procedures will still need to be performed by them.
Personally, whilst I see merit in performing a cyclical audit of processes directly impacting the financial statement audit, I do question the value of it. Unless there are obvious risks or a history of poor controls, dedicating audit resources to these topics is not beneficial to the wider organisation. Your external auditor is likely to perform their own testing regardless, meaning internal audit resources could be better directed to riskier or more strategic areas.
Should management wish to gain some level of internal audit assurance over this, various data analytics could be developed to identify instances where a control may have potentially broken down. This information can be fed back to management, who perform a detailed review and provide the evidence to audit to demonstrate whether or not there has in fact been a control breakdown. Such activities can be performed from the desktop and over a short period of time. Whilst they will not provide management with absolute assurance, they will provide a level of insight, whilst allowing internal audit to better direct its resources.
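To make the desktop analytics idea concrete, here is an added example (not code from the original post) that runs a handful of simple exception tests over an expense-claim export: claims with no approver, self-approved claims, claims at or above a receipt threshold with no receipt, claims over a single-claim limit, and repeated submissions of the same amount by the same person on the same day. The claims, the two policy limits and the control names are all constructed for the illustration; a real run would substitute the organisation's own export and policy parameters. The output is the exception list that would go back to management for review.

```python
"""Desktop analytics over expense claims to surface possible control breakdowns.

Added example, not from the original post. The sample claims, the policy limits
and the control names are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Policy parameters (assumed for the example, not from the post).
RECEIPT_THRESHOLD = 25.00      # receipts required at or above this amount
SINGLE_CLAIM_LIMIT = 500.00    # assumed policy ceiling for a single claim


@dataclass(frozen=True)
class Claim:
    claim_id: str
    employee: str
    approver: Optional[str]    # None means no approval was ever recorded
    amount: float
    date: str                  # ISO date as it would appear in the export
    has_receipt: bool


# Constructed sample export: a few claims, several of which trip a control.
SAMPLE_CLAIMS = [
    Claim("C001", "alice", "bob",   18.40, "2023-03-01", False),  # below receipt threshold
    Claim("C002", "alice", "bob",   92.10, "2023-03-02", False),  # missing receipt
    Claim("C003", "carol", None,    45.00, "2023-03-02", True),   # never approved
    Claim("C004", "dave",  "dave",  60.00, "2023-03-03", True),   # self-approved
    Claim("C005", "erin",  "bob",  120.00, "2023-03-04", True),
    Claim("C006", "erin",  "bob",  120.00, "2023-03-04", True),   # repeat of C005
    Claim("C007", "frank", "bob",  640.00, "2023-03-05", True),   # over single-claim limit
]


def find_exceptions(claims):
    """Run each analytic and return (control, claim_id, detail) tuples for follow-up.

    Every tuple is a *potential* breakdown: management reviews it and provides the
    evidence that decides whether the control actually failed.
    """
    exceptions = []
    # Duplicate detection keys on employee + amount + date; a count above 1 means
    # the same claim appears to have been submitted more than once.
    dup_counts = Counter((c.employee, c.amount, c.date) for c in claims)
    for c in claims:
        if c.approver is None:
            exceptions.append(("approval", c.claim_id, "no approver recorded"))
        elif c.approver == c.employee:
            exceptions.append(("segregation", c.claim_id, "claimant approved own claim"))
        if c.amount >= RECEIPT_THRESHOLD and not c.has_receipt:
            exceptions.append(("receipt", c.claim_id, f"{c.amount:.2f} claimed without receipt"))
        if c.amount > SINGLE_CLAIM_LIMIT:
            exceptions.append(("limit", c.claim_id,
                               f"{c.amount:.2f} exceeds single-claim limit {SINGLE_CLAIM_LIMIT:.2f}"))
        if dup_counts[(c.employee, c.amount, c.date)] > 1:
            exceptions.append(("duplicate", c.claim_id,
                               "same employee, amount and date as another claim"))
    return exceptions


def summarise(exceptions):
    """Count exceptions per control so audit can see where breakdowns cluster."""
    return dict(Counter(control for control, _, _ in exceptions))


if __name__ == "__main__":
    found = find_exceptions(SAMPLE_CLAIMS)
    for control, claim_id, detail in found:
        print(f"{control:<12} {claim_id}  {detail}")
    print(summarise(found))
```

The point of the per-control summary is that it tells the audit team where to spend attention: one missing receipt is a clerical matter, a cluster of self-approvals is a design problem in the approval workflow, and that distinction is what decides whether the topic earns a place on the plan.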
This is where proper planning processes need to be employed. An Audit Universe, mapping each of the audit topics within each business area, the level of resources required, and the results of any previous audit activity, provides a great starting point. Whilst I am a believer that audits in the Universe should have a cyclical year applied to them, it does not need to be followed. For instance, applying a cycle of 3 years to expenses may be a good indicator; however, as you progress through the planning process, the following items should be considered:
Are the risks to the business and this process still consistent, or have they changed?
Has there been significant change in this business area over the past 6-12 months?
What were the results from the most recent external audit or other Internal Audit activity?
What are the emerging risks or trends identified by thought leadership pieces?
What are our own internal audit resources and capabilities over the next year?
What are management's thoughts on the expenses process and what are their concerns?
What is the strategy of the business?
This is only a preliminary list; however, considering some of the above questions when preparing the annual plan and reviewing the audit universe may determine whether or not the process should be included on the current year plan, or its cycle pushed back a further year. The initial 3 years we had marked against this topic is only a guide and as such, if we do not consider expenses to be a risky area and therefore not relevant for the current year audit plan, it should be dropped. Our reasons should be documented accordingly, but ultimately, our annual plan should be risk based and not dictated by audit cycles.
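The planning logic described above can be written down, which is a useful discipline because it forces the reasons for dropping or pulling forward a topic to be recorded. The following is an added example, not the post's own Audit Universe template: each topic carries a cycle (guide only), the year it was last audited, a day estimate, and a yes/no answer to each of the planning questions listed above. A topic enters the year's plan only if it carries at least one risk indicator; a cycle-due topic with none is deferred with its reason documented, a non-due topic with indicators is pulled forward, and when the team's capacity runs out the least-indicated candidates are deferred first. The universe entries, indicator answers and day budgets are constructed for the illustration.

```python
"""Risk-based annual planning over a small Audit Universe.

Added example, not from the original post. The topics, risk indicators and
day budgets below are constructed to illustrate that a cycle is a guide which
the risk assessment can override in either direction.
"""
from dataclasses import dataclass

# The planning questions from the post, recorded as yes/no answers per topic.
INDICATORS = ["risks_changed", "significant_change", "prior_findings",
              "emerging_risk", "management_concern", "strategic"]


@dataclass
class Topic:
    name: str
    area: str
    cycle_years: int          # guide only, never binding
    last_audited: int         # year of the last internal audit, 0 = never audited
    days: int                 # estimated resource requirement
    risks_changed: bool = False
    significant_change: bool = False
    prior_findings: bool = False      # open or significant findings from prior reviews
    emerging_risk: bool = False
    management_concern: bool = False
    strategic: bool = False


def risk_indicators(topic):
    """Names of the planning considerations answered 'yes' for this topic."""
    return [n for n in INDICATORS if getattr(topic, n)]


def build_plan(universe, year, capacity_days):
    """Return (plan, deferred), each a list of (topic name, documented reason).

    Cycle-due topics with no indicators are deferred rather than rolled forward;
    topics with indicators are candidates whether or not they are due; candidates
    are ranked by indicator count (due topics first among equals) so that a
    capacity shortfall defers the least risky items.
    """
    candidates, deferred = [], []
    for t in universe:
        due = t.last_audited == 0 or year - t.last_audited >= t.cycle_years
        ind = risk_indicators(t)
        if ind:
            candidates.append((t, ind, due))
        elif due:
            deferred.append((t.name, "cycle due but no risk indicators; cycle pushed back a year"))
        else:
            deferred.append((t.name, "not due and no risk indicators"))
    candidates.sort(key=lambda c: (-len(c[1]), not c[2]))
    plan, used = [], 0
    for t, ind, due in candidates:
        if used + t.days > capacity_days:
            deferred.append((t.name, f"risk-based candidate ({', '.join(ind)}) but no capacity"))
            continue
        used += t.days
        basis = "cycle due; " if due else "not cycle due; "
        plan.append((t.name, basis + "indicators: " + ", ".join(ind)))
    return plan, deferred


# Constructed universe for the example.
UNIVERSE = [
    Topic("Expenses", "Finance", 3, 2020, 15),                         # due on cycle, nothing flagged
    Topic("Payroll", "HR", 3, 2021, 20, prior_findings=True),          # not due, but open findings
    Topic("Access management", "IT", 2, 2019, 25,
          significant_change=True, emerging_risk=True),
    Topic("Procurement", "Finance", 3, 2022, 20),                      # not due
    Topic("Cloud migration", "IT", 2, 0, 30,
          strategic=True, management_concern=True, risks_changed=True),  # never audited
]

if __name__ == "__main__":
    plan, deferred = build_plan(UNIVERSE, 2023, 60)
    print("Plan:")
    for name, reason in plan:
        print(f"  {name}: {reason}")
    print("Deferred (documented):")
    for name, reason in deferred:
        print(f"  {name}: {reason}")
```

With the constructed universe and 60 days of capacity, Expenses is due on its 3-year cycle but is deferred because nothing about it has changed, Payroll is pulled forward despite not being due because of its prior findings, and the never-audited Cloud migration ranks first. Payroll then falls off for lack of capacity, with that reason recorded, which is exactly the trade-off a risk-based plan should make visible to the audit committee.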
I personally believe there are risks associated with adopting a plan where the majority of audits are performed on a cyclical basis. There is a risk that the audit team become reliant on the work performed by the previous auditor, simply rolling forward workpapers and employing the exact same audit approach. An audit should not be predictable, and simply repeating a prior year audit work program is less likely to identify new risks, errors, or opportunities for improvement.
In summary, I believe that applying a cycle to audit topics is appropriate as a guide only; it should be reviewed annually as part of the planning process and the development of a risk-based plan, to ensure internal audit resources are used appropriately and the objectives of the audit team and the business are met.