The internal audit survey results
I thank the 127 people who answered my survey. I think you will find the results interesting.
As a reminder, I had asked that only internal audit practitioners complete the form.
As with the earlier risk management survey, the results may be a little biased as the respondents are all people who follow me on LinkedIn and/or on my blog.
There are a great many questions I could have asked, but I limited this survey to 12 questions. If you would like a future survey to address other issues, please add a comment with your suggestions on the blog (i.e., all in one place).
The first two questions were about the length of audit engagements.
126 answered the first:
- What is the average length of an audit or consulting engagement in hours?
- 40 hours or less… 5.6%
- 41-100… 16.7%
- 101-200… 19.0%
- 201-300… 21.4%
- 301-400… 18.3%
- 401-500… 7.9%
- Over 500… 11.1%
Over my two decades as CAE, I led teams with two different approaches to assurance engagements.
At Solectron, I would send a team of about 5 people for 2 weeks to one of our global sites (a manufacturing or assembly operation) where they would assess controls over a variety of significant enterprise risks: financial, operational, technology, and compliance. The average length was about 600 hours. However, we also performed audits of corporate functions that focused on a much more limited number of enterprise risks and averaged closer to 150 hours. Overall, the average length of an assurance engagement was probably around 400, about the same as the average consulting engagement.
At my other companies, consulting engagements (such as pre-implementation reviews) could extend over months (the length of the project), but assurance engagements averaged about 150 hours.
The assurance engagements were short because:
- My team consisted of experienced business-savvy auditors, with no junior staff. They knew what they were doing each time and were able to use their initiative in performing the audit. They were respected by their client.
- Each audit focused on a few risks of significance to the enterprise rather than to the business unit or process being audited.
- We only tested and assessed the controls relied on to address those few sources of risk.
- We were able to stop auditing once we had done sufficient work to form an opinion.
- We talked with (rather than “to”) management throughout the engagement and we were able to agree on the facts and their interpretations without difficulty. The fact that the auditors were business-savvy and practical helped a great deal.
You can read more about my approach to internal auditing in Auditing that Matters.
125 people answered the next question:
- What is the shortest audit or consulting project your team performs (in hours)?
- 10 or less… 12.8%
- 11-50… 40.8%
- 51-80… 14.4%
- 81-100… 11.2%
- 101-150… 8.0%
- 151-175… 4.8%
- 176-200… 0%
- 201-250… 3.2%
- Over 250… 4.8%
I find this very encouraging. More than 79% of the respondents had engagements of 100 hours or less, with more than half spending 50 hours or less.
I may be wrong, but this tells me that most of the internal audit activities represented here have found a way to focus at least some of their audits on a single enterprise risk.
Very few are spending at least 200 hours on every audit.
Between these two questions, I am encouraged that “full scope” audits of a business unit or process are a dying breed.
The era of audits that extend over months with a team of auditors is starting to end, if not already over for many.
I will skip the third question for a moment and go to #4, which addresses this issue.
125 answered:
- Do you perform full scope audits or focus on controls over high risks?
- Full scope audits, all the controls over risks important to the entity being audited… 42%
- Our audits focus on controls over risks that are important to the enterprise as a whole… 53%
- Other… 6%
Maybe I spoke too soon! It’s a slim majority in favor of audits that focus on enterprise risks.
Coming back to the third question, which was answered by 125 auditors:
- When do you discuss control deficiencies with management?
- The day we find them… 16.0%
- Within a day or two… 21.6%
- Within a week… 25.6%
- Within two weeks… 6.4%
- At the end of fieldwork… 19.2%
- After we share the draft report… 11.2%
This is again encouraging.
Nearly 80% discuss issues with management before the end of fieldwork, generally within a week or less.
Moving on.
The next question was answered by 126 people:
- Do you perform the same audits every year?
- Never… 38.9%
- Often… 40.5%
- Frequently… 20.6%
When you take a risk-based approach, you don’t audit based on a cycle (designed to audit everything over a period such as five years). You include in the audit plan engagements to address the more significant enterprise risks of today and tomorrow.
This should lead to performing the same audit in consecutive years only on those few occasions where both the risk level and the value of an audit remain high, or where the audit is required by the regulators.
I am pleased to see a substantial number answering this, “never”.
The next question is about audit reporting, answered by 126 people:
- Do your reports include recommendations or agreed action items?
- Recommendations and management responses are separate… 4.0%
- Recommendations and management responses are both in the report… 67.5%
- Agreed action items… 27.8%
- Other… 0.8%
When I started, in the Stone Age of internal auditing, the audit report would be issued and management asked to provide separate responses. While there are still a few CAEs that haven’t discovered fire, most have moved on.
A significant number have progressed to including agreed action items, but the great majority continue to include both internal audit recommendations and management responses. My view on this is that it fails to demonstrate that internal audit and management are working together, and it leaves the reader to determine whether the two are in agreement, given what may be different language.
The audit committee needs to know whether internal audit and management are, in fact, working together effectively.
I will skip the next question to address another about the audit report. It was answered by 126 auditors.
- How do you communicate your overall opinion?
- We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
- We use traffic lights, such as red/yellow/green… 19.0%
- We use language like “the controls are effective, adequate, or ineffective”… 41.3%
- We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
- Other… 7.9%
This is a very important topic for me.
Our objective as internal auditors is to provide “assurance, advice, and insight”.
“Assurance” comes first in that list, as it should.
That requires us to communicate clearly to our customers in top management and on the board whether the risks we addressed are being effectively managed by adequately designed and effectively operating controls.
When there are issues with the controls, our customers need to know what that means – in terms relevant to their running the business. What enterprise objectives, plans, and strategies are at risk, and by how much? Only then can they assess how those issues are being addressed by operating management and whether they need to get involved themselves.
What does “adequate” mean to someone leading the business? They know it’s less than “effective”, but should they be worried?
That is why I told my team to use the full breadth of the English language to communicate our assessment. What risks to what objectives are affected by identified control issues, and does this mean that my business, my strategies, my plans, and my success are at risk?
But I can see that only 23% have followed my example.
- How long is your Executive Summary in your typical report?
- We don’t have an Executive Summary… 2.4%
- One page or less… 65.1%
- Two pages… 26.2%
- More than two pages… 5.6%
- Don’t know… 0.8%
It was answered by 126 people.
65% got it right.
Returning to question 7, which was answered by 126 practitioners:
- Do you change the scope of an audit after the Opening Meeting?
- No… 7.1%
- We listen to management and are open to changing the scope… 23.8%
- We can change the scope of the audit at any time, depending on what we hear from management and see for ourselves… 68.3%
- Other… 0.8%
No comment on this, other than it is encouraging.
Then we have this, with responses from 126:
- How often do you change the audit plan?
- Our audit plan is for longer than a year and does not change… 0%
- Our audit plan is for longer than a year, but we can change it annually… 5.6%
- Our audit plan is for longer than a year, but we can change it more frequently than annually… 8.7%
- We have an annual plan that doesn’t change… 4.0%
- We have an annual plan with time for special projects to accommodate change. Otherwise it is a fixed plan… 55.6%
- Quarterly… 7.9%
- Monthly… 0%
- Continuously, as risks and the business change… 18.3%
A number have an audit plan that is longer than a year (even in today’s disruptive climate), and a few still have a rigid annual plan.
The majority allocate a portion of the audit plan to accommodate changes, while a (hopefully) growing number have recognized the need to change the audit plan as the business and risks change.
Moving on, we have a question answered by 126:
- Does your audit plan only include financial and compliance risks?
- Yes… 19.0%
- No… 81.0%
This speaks for itself.
The final question was answered by 125 people:
- Do you use canned checklists or audit programs?
- Yes… 5.6%
- We use them as a basis but modify them as needed… 53.6%
- We use customized audit programs… 35.2%
- We don’t have audit programs… 5.6%
This also is encouraging. It tells me that people are thinking about what they are going to do, rather than doing automatically what was done last time or by someone else, somewhere else.
Overall, I can see progress in internal audit practices.
I hope everybody, whether they answered the survey or not, compares their activity to those reflected here – and puts appropriate corrective actions in place where needed.
As I said, if you have questions you would like included in a future survey, please let me know in the comments.
Your thoughts on the above are welcome.