Home > Risk > A Better Objective for an Audit

A Better Objective for an Audit

Over the years as a CAE, I learned that there was a better way to steer the audit team. Instead of asking them to assess the system of internal control over a process or business unit (an approach that is disconnected from enterprise objectives), or whether the controls provide reasonable assurance that specified risks are at desired levels (a far better approach), I ask them to answer this question:

Do the processes and controls meet the needs of the business?

This makes the members of the audit team think!

What is management trying to achieve with this business unit, activity, process, etc.?

Does the way they are operating, which includes the controls they are relying on, provide reasonable assurance that they will be successful?

That means that not only do they need to take the right risks but seize the right opportunities. Are they doing that?

How well are they leading the organization and its people, obtaining optimal performance from both?

Is there a better way? What can and should be improved?

Answering my question enabled my auditors to assess the management of risks and opportunities and the related controls.

What do you think?

Try it for yourselves.

  1. May 16, 2022 at 11:53 AM

    Norman, you make a very good point. This approach implies:
    > The audit team is briefed as to why the audit is considered necessary – this will include your points about what management is trying to achieve
    > The audit team has been challenged (before the audit starts) to identify the opportunities that management should have identified. I include this because the audit team is probably better at identifying risks than opportunities
    > The audit includes examining the induction, training, target setting and appraisals of staff – this takes into account your point about optimising performance.

  2. Manar Sayed Basel Othman Alnazer
    May 16, 2022 at 10:24 PM

    You are spot on Mr. Marks, keeping the big picture in focus (when communicating with the audit committee and management) makes internal audit, not only relevant but capable of creating a venue to discuss what is important to the organization at that specific time.
    The only addition i would like to make is coupled with agility of internal audit planning and execution and its capability to change and redirect its efforts when needed to remain on top of areas of concern and interest as they emerge.

  3. May 17, 2022 at 12:19 PM

    You are absolutely right. It’s a sound approach that every auditor should learn. Instead of designing an audit plan around risks or controls (as the logical focal point), why not focus on your organization’s strategic objectives? First off, these are usually easier to identify and gain consensus about from executive leadership and the Audit Committee.

    That done, it’s easy to implement an audit approach that considers those key objectives, who is responsible for each, and how they are going about meeting their responsibilities. It’s a natural entry point to look at strategies, best practices, controls, resilience, execution, and quality of reporting.

  1. May 16, 2022 at 8:12 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: