After I started working in the internal audit profession, I realized how difficult it is (“the profession of trouble” as Dr. Gamal Mohamed Shehat coined it), I also realized the great resistance of most departments that are being audited and not accept many of the internal audit’s observations and recommendations, although they seek to improve the work. This is due to a number of reasons, including those related to the work environment and the culture of the organization, or related to the nature of the auditee, or the auditor, but primarily the main reasons are the lack of independence of the internal audit department and poor productivity. No doubt, organizations (public, private and not-for-profit) are in need to large-scale audits, overstepping the normal auditing procedures , and often without additional resources for internal audit departments. Over time, I understood most of those reasons and started working hard to minimize their causes and effects. Despite these difficulties, IIA’s Internal Audit Standards and other, mandatory and non-mandatory, components of the International Professional Practices Framework (IPPF) have emphasized the need of internal auditors to maintain their objectivity and to work efficiently. Efficiency in the internal audit profession, which is originally an administrative term, means the ability to optimize the use of available resources or the energy the auditors have to achieve the objectives. In this article, I will touch upon a set of recommendations that will help to achieve the expected efficiency of the Internal Audit department by using as few resources and inputs as possible to produce as many desired outputs and outcomes as possible.
Tips for raising efficiency
Apart from investing in audit management systems, data extraction and analysis tools, which I think are highly rewarding, I recommend the following, which do not require many resources:
I. Within the Internal Audit Department:
Audit department should:
- Develop internal auditors skills in scheduling priorities and optimizing time management .
- Adopt the best solutions “archiving and management of records electronically”, as it increases the speed of storage and retrieval of information and documents, and reduces the risk of storage and archiving manually and enables the retention of multiple versions. In this context, the Head of an Internal Audit department must be keen to develop the skills of auditors in the field of documentation & indexing, and in dealing with the software and their uses in the field of preservation, retrieval, management and circulation of documents.
- Adopting the Clean Desk Policy. From my personal experience, I can say that there is a positive correlation between an organized office and productivity, under the condition of the auditor’s desire to complete his/her work.
II. During audit planning :
Many people think that the most important step in internal auditing is execution, yet research and experiments have proven otherwise because of the long and difficult process that precedes the execution of an audit tasks. The most important step in the audit process is planning. Many studies and management leaders have pointed out that for every hour spent planning, we save four hours in execution. Planning is not a waste of time, so an internal audit tasks relies heavily on sound planning, starting from proper identification of an Audit Universe, then preparing the risk-based strategic and annual plan (Threats and Opportunities), then ending with preparing detailed audit programs. Among the steps I recommend in this context are the following:
- Greater effort in selecting the audit tasks, particularly in consultancy, and taking into account the avoidance of the most significant risks associated with this type of tasks. As the increase in risks may adversely affect the level and magnitude of the assurances required by the stakeholders of an organization. (At the same time, refraining from providing advisory services will deny the organization utilizing the Internal Audit team’s benefits such as scientific knowledge, practical experience and skills’ that may not be available to members of executive management and other staff).
- Coordinate with external controls (i.e. an external auditor) and other internal control departments (if any) to avoid the occurrence of the so-called “Assurance Stress” or “Audit Stress” by these departments. This occurs when different assurance activities – independent and non-independent are not coordinated (such as internal audit departments, compliance, risk management, security, safety, quality, etc.) and do not cooperate sufficiently, which may lead to a duplication of effort and failure to ensure the necessary and expected coverage of such departments. Therefore, the Head of an Internal Audit Department must share information and coordinate activities with internal and external assurance and advisory service providers, to ensure the necessary process is completed and avoid duplication of effort. Standard 2050 referred to the need for the Chief Audit Executive (CAE) to perform this process of preparing the Internal Audit plan. In addition, the Standard’s advisory guide indicates a way to coordinate the coverage required for the assurance task: which is to develop an Assurance Map. By linking the identified large Risk Categories and relevant Assurance sources, then assessing the level of assurances available for each category of Risk since the comprehensiveness of this Map can show deficiencies and overlaps in coverage of assurance tasks, enabling the CAE to assess assurance services in each Risk area. The results of this assessment are then discussed with other assurance providers so that an agreement is reached between the parties on how to coordinate activities that would avoid duplication of efforts and maximize efficiency and effectiveness to ensure necessary business coverage. The same advisory guide referred to another way to coordinate an assurance processes, namely by using a Combined Assurance Model, where internal auditors coordinate assurance activities with the departments performing Second Line of defense functions (according to the “Three lines of Defense Model” by the IIA), such as compliance management. All this in order to minimize the nature and repetitiveness of internal audit tasks.
- Improve the formulation of audit tasks objectives that greatly assist internal auditors in identifying the actions taken and prioritizing high-risk actions.
- Prior to determining the initial requirements for an audit task, a meeting with the auditee’s management is preferred. To discuss these requirements and clarify their relevance to the objectives and scope of task in case there is a lack of management’s conviction and for early identification of any constraints in providing them, and working to overcome them or finding the appropriate alternative.
III. During execution of audit tasks:
I recommend the following during the execution of the audit tasks (fieldwork) are:
- Focus on the most important goals and benefits from the Pareto Principle (80% of the results achieved by 20% of effort).
- Develop internal auditors’ skills in using computer applications used by audit clients, and rely on their skills to extract the data and reports needed in the fieldwork.
- Distribute audit tasks so that each audit team has two tasks at the same time (one large, comprehensive, one smaller), and distribute work-hours among them, in order to best exploit the time of the internal auditors.
- Assign audit tasks that consume most of management resources to an external consultancy provider if possible, after a cost-benefit analysis.
- Ask staff to provide a daily report of tasks performed, as this will improve their awareness of self-assessment.
- Think Continuously about the “Added Value” of the report and Adopt a very important principle which is “The number of observations is not an indicator of productivity“. Therefore, it is preferable to avoid wasting time and effort on non-important notes, especially the ones addressed during the audit task. It is also advisable for the team leader to keep an eye on the audit team’s observations, to approve or drop as necessary, as this helps to complete the work as efficiently as possible.
IV .Report audit results:
I recommend the following when reporting the results of audit tasks:
- write all non-critical notes under the heading “Other Notes“. This way, a lot of time is saved in the formulation of full-featured notes (Criteria, Condition, Cause, and Corrective Action).
- Develop auditors’ abilities to understand the work and activities they are auditing, develop analytical skills and logical conclusions, and develop their skills in discussion and persuasion, especially when the employees of the audited activity are not convinced of the importance of observations and recommendations.
- Do not repeat observations of other internal control departments and only refer to them in case they reappear and/or have not been addressed.
We achieve efficiency –and therefore, effortlessness- when there is planning, organization, and management of time, resources, control and follow-up. Productivity is not just how hard work is done, rather, it is how smart done.