Danny M. Goldberg, CISA, CGEIT, CCSA, CIA, CPA
The assessment of an audit risk is important from a tangible and intangible standpoint. Obviously, assessing risk is a major part of the internal audit function. Intangibly, the face time and exposure to upper management cannot be quantified as to the innate value this can provide to any department.
Over and above the need to assess risk, how can internal audit continue to show value and prove worth? This is a frequent conversation during training sessions when the same question always comes up: “With all of the risk that we have to cover, how do we build operational audits into our audit plan? There is not enough time!” This is a quandary that every department faces; however in all actuality, this is not as much of a quandary as one might think.
Many departments base the audit plan not only on the risk identified in the audit risk assessment (ARA), but also on the number of hours they have available and the “must-do” projects. A good audit plan is not based on availability, it is based on risk. It is not the responsibility of the chief audit executives (CAE) to determine which projects should or should not be undertaken based on man power; that is the role of the audit committee. The question is: Is the audit committee willing to accept the risk and/or add more resources?
All departments also have their priority projects. If these projects are compliance-related, many departments will get stuck in the rut of being a compliance shop. If you are a compliance shop, you will be viewed as a compliance shop all the time. These shops are rarely viewed as value-added. Thus all audit departments should build operational and cost/efficiency steps into all projects, regardless of objectives. Every year during the risk assessment process, the audit team should ask auditees if there are any areas in which costs could be cut (objectives audit can assist the drive) and the audit team should brain storm ideas to cut costs internally and from last year’s audit results.
Being an effective auditor is about adding value and knowing that value can be added in many ways. In today’s world, compliance is value, but this consistently declines every year. Having cost/efficiency programs built into all audits is one way to meet everyone’s objectives and keep the compliance value up.