Let's knock.
The Audit Bin is not your Audit Plan. The Bin is like a box full of apples or spare parts. It is the inventory stockpile of audits that you know meet your coverage target goals. There should be about 20% more audits in your Bin than can be done in a given year.
The Bin is built by looking through the risk analysis you built into your Audit Universe and selecting those areas that scored the highest. In my view, a risk analysis should have at least the following bits of intel (both objective and subjective).
- Financial Exposure – how much money/resource/whatever could this area lose the company if things went horribly wrong -or- (on a more optimistic note) how much could it fail to achieve?
- Rate of Change – How likely is the control environment to remain stable in the coming year -or- how much did it change in the last period?
- Opinion of Management – in our travels, if we look for opportunities to reach out, we encounter all kinds of leaders in our organizations. I think it is valid to include a confidential risk factor based on our opinion of the strength of their leadership. We'd never rely on this for our audit opinion, but I think it is fair game in a risk analysis.
- Operational Complexity – it's simple: paying claims or managing fixed assets isn't usually as complicated and prone to failure as underwriting or application development. I often take a page from the old Total Quality Management (TQM) book here. The more points in the process where someone has to make a judgment, the greater the likelihood that error will be introduced.
- Last Audit Result – You can't ignore an area that continually fails in its efforts at establishing controls.
- Time Since Last Audit – If it's been awhile, you may want to go have a look.
- Special Requests – Your risk radar may not be as informed as that Senior VP's when she asked you to do a certain review.
We gave these factors points and weights to approximate their importance.
There are probably others. An interesting one in a multinational audit environment is including something like Country Risk. I can recall pointing out to our CIO that Pakistani bombs had just gone off in a city near where our Indian partners were hurriedly working on a couple of our key systems.
As well, all of us engaged in Audit Planning have to recognize that on some level, we're making subjective assessments about the above. However, that (as my last boss used to say) is why we make the “big buck.”
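To make the scoring concrete, here is an added example (not from the original post) that rates each area in a constructed audit universe 1 to 5 on the factors above, weights them, ranks the universe, and fills the Bin with about 20% more audits than the team's annual capacity. The weights, area names and ratings are all assumptions for illustration; Country Risk is included as the optional extra factor.

```python
from math import ceil
# Risk factors from the post with assumed weights (constructed; tune to your shop).
WEIGHTS = {
    "financial_exposure": 3.0,
    "rate_of_change": 2.0,
    "opinion_of_management": 1.0,   # confidential, subjective factor
    "operational_complexity": 2.0,
    "last_audit_result": 2.5,
    "time_since_last_audit": 1.5,
    "special_requests": 2.0,
    "country_risk": 1.0,            # optional extra for multinational environments
}

def ratings(*values):
    """Ratings dict from 1-5 values given in WEIGHTS order (low=1, high=5)."""
    return dict(zip(WEIGHTS, values))

# Constructed audit universe: hypothetical areas and ratings.
AUDIT_UNIVERSE = {
    "Underwriting":            ratings(5, 4, 3, 5, 4, 3, 2, 1),
    "Application development": ratings(4, 5, 3, 5, 3, 2, 4, 3),
    "Claims payment":          ratings(4, 1, 2, 2, 2, 3, 1, 1),
    "Vendor onboarding":       ratings(3, 3, 2, 3, 4, 5, 1, 1),
    "Payroll":                 ratings(3, 2, 4, 2, 3, 2, 5, 1),   # SVP request
    "Offshore dev partner":    ratings(4, 4, 3, 4, 3, 3, 3, 5),
}

def composite_score(area_ratings, weights=WEIGHTS):
    """Weighted sum of an area's 1-5 ratings; unrated factors count as 1 (low)."""
    total = 0.0
    for factor, weight in weights.items():
        rating = area_ratings.get(factor, 1)
        if not 1 <= rating <= 5:
            raise ValueError(f"{factor}: rating {rating} is outside 1-5")
        total += weight * rating
    return total

def rank_universe(universe, weights=WEIGHTS):
    """(area, score) pairs, highest risk first; ties broken by area name."""
    return sorted(((a, composite_score(r, weights)) for a, r in universe.items()),
                  key=lambda pair: (-pair[1], pair[0]))

def bin_size(annual_capacity, headroom=0.20):
    """The Bin holds about 20% more audits than the team can finish in a year."""
    return ceil(annual_capacity * (1 + headroom))

def build_audit_bin(universe, annual_capacity, weights=WEIGHTS):
    """Top-scoring areas, sized to the Bin; scheduling them is a separate step."""
    return [a for a, _ in rank_universe(universe, weights)[:bin_size(annual_capacity)]]
```

With a capacity of four audits a year, the Bin takes the top five areas and leaves "Claims payment" out; the Bin says nothing about when each audit runs, which is the point of keeping risk and scheduling apart.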
So, now we have a set of areas (more than we can do) that we are going to audit. Again, it's time to touch base with our Audit Committee and senior leadership. This contact can be less formal, but it is intended to, step-by-step, build support for what we're doing. No surprises is a major part of credibility.
When that's done, it is time to schedule. We usually allowed six weeks for any audit. The first four weeks were for testing work and the last two were for finalizing the report. Sometimes we'd make a visit at the beginning and sometimes closer to the end. We'd use a Gantt Chart to lay them all out and manage them. Basically, the business of scheduling is not that hard, though it can be complex with a large team.
The point, though, is that scheduling and risk assessment have very little to do with each other. A lot of audit planning processes I've encountered fail to recognize this, which is why the Audit Bin concept is so valuable. It allows you to disconnect risk from timing, to a large extent. And, it keeps the Audit Committee out of the details of managing your team's resources. Very important in some organizations.
And, with an Audit Bin, you can now reach out to your leadership team and tell them what you intend to audit, very early, probably before the year starts. You can get their input on when would be the best times to conduct the audit, and you haven't wasted any time with the intricate business of vacations, travel, availability of key team members, or the other 50 or so complexities of scheduling people.
Well, now that you've finished Scheduling, you have an Audit Plan... one of 12 you'll have throughout the year.
Flexibility *and* structure are the goals here, remember.
-- Next Time... The Three Month Rolling Plan
Prescott Coleman, CIA, CISA