Robert L. Mainardi - Beyond Audit

Another point to share with your business partners to provide insight to the audit operations is to explain how the audit selection process works. Many, if not all, business partners have no idea how their business process has been selected for an audit. Business management can get the wrong impression of an audit if they believe the audit is a result of the business struggling or making mistakes. That could not be further from the truth, and audit selection can explain and relieve that fear. Without getting into the details of the annual risk assessment with your client, the auditor can explain that each business process is evaluated annually to determine the corresponding process risk in an operation. All processes reviewed during the annual risk assessment are given a corresponding risk rating and then compared with other business processes to determine which audits to perform in any given year. Additionally, the frequency since the last audit is considered during the development of the annual audit plan. Obviously, there is more to it than just the rating and audit frequency but there is no need to get into all of the details. The goal of this discussion is to provide insight into how audits are identified and selected each year.

Now that the internal audit background foundation has been discussed, the three main phases of the audit can be described to your business partner to complete the marketing discussion. The first thing I do when explaining the three phases of the audit methodology is to indicate the percentage of time spent on each one. Beginning with planning, the details should include that this is where the highest percentage of time is spent (40–50 percent) in order for the auditor to gather the appropriate level of process knowledge and corresponding data as the testing plan is developed to examine the most critical areas of the business process. The reason the planning phase requires the majority of the budgeted time for the project is because this phase establishes the direction for all subsequent testing to be performed in order to draw the value-based conclusion. The planning phase identifies the most critical processes in the business unit under review. These processes will drive the deliverables linked to the business objectives. Let your business partner know that the audit team is aware of the time and effort required by the business personnel to complete all of their associated tasks but the audit team is only going to focus (perform detailed testing) around the most significant activities as determined during the planning phase through discussions with the client. Remind your client that the audit team will not select the areas to test without verifying the critical role each process plays in the business process achievement of their objectives. Given the enormous amount of time it takes the audit team to understand the business process, review reports, gather data, and hold discussions with the client, especially on a remote assignment, it should be obvious why the planning phase would take up the largest percentage of time in the execution of a risk-based audit.

While every internal audit department recognizes the planning phase should receive the majority of the audit budget, most audit teams do not spend the appropriate amount of time planning, especially if it was an audit that was completed in the past. Why? Usually, it is because of one of two reasons. First, the audit department, having documentation of the last completed audit, believes it would be more beneficial to save time by rolling forward the last approach and getting the current audit done more quickly so as to move on to the next project. And second, audit departments believe they can learn the process “on the fly” and develop a more intimate knowledge of the process requirements through executing the testing (fieldwork) and can thus save the time taken from planning and put it into the fieldwork phase. Neither of these reasons are correct and definitely do not increase the value of the audit results. As a matter of fact, rolling forward the previous testing performed may work, but with the way business processes evolve and adapt to current needs and requests, the details of the process are usually never the same as in previous years. Thus, using the roll-forward planning method may seem smart at the time when in actuality more time will be wasted during testing trying to determine why there are so many deviations from the testing standard. And using the fieldwork phase of audit to understand the process not only results in a slower understanding of the critical process, which requires testing, but also includes support processes that would not have been tested if the required planning had been completed. In the end, the audit team should dedicate the necessary time and effort in the planning phase to identify and understand the critical points of the audit process so that testing can be targeted and streamlined.

From the audit methodologies I develop for my clients, it indicates that the planning phase is complete once the audit program has been drafted, reviewed, and approved by the audit team. That means all the business knowledge, policy reviews, data gathering, flowcharts, and risk assessments have been completed and the most critical business processes have been identified. It is at that point the specific audit steps for validation of the business processes can be drafted. The audit program is created to only test the required steps in the identified critical business processes. That is not to say there aren't other activities occurring in the business unit under review, but the scope of this audit does not include them. This targeted testing approach is why the fieldwork phase of the audit should comprise about 30–40 percent of the budget. That should be sufficient time to execute the program and leave time to clarify the results. There should not be a need for the audit team to spend more time on the fieldwork phase, unless it still includes time dedicated to understanding the business process that should have been handled in the planning phase.

The final phase to explain to your client is going to be the reporting phase. While I recognize that many audit departments seem to spend a significant amount if not a majority of the budget in this phase, that doesn't have to be the case. Most departments overcomplicate the reporting process. If the planning and fieldwork phase are executed in the manner described in the previous paragraphs, I can assure you that your department can reduce the amount of time currently being spent in the reporting phase on every audit, even if it is not a remote review. Depending on how your audit methodology is constructed, the reporting phase of an audit should require about 10–30 percent of the associated budgeted time.

Aside from verifying that your audit methodology adheres to the planning and fieldwork suggestions listed above, here are three tips to help facilitate a smoother report generation phase:

1 Your audit methodology should include a standard audit report template. Included with this template should be instructions on how to effectively document the required fields in the template, along with an example of a well-written, concise, clear, constructive audit report.

2 Keep the partner informed. It is critical that throughout the audit process, especially during a remote audit, the audit team keeps their business partner informed not only of the status of the audit, but also all validated deviations from the processing standard that have been identified during the audit testing that could be included in the final audit report. This consistent and clear communication will ensure there are no surprises for the client when the draft report is created since all potential reporting items have been communicated and explained in advance (via the audit status report).