Читать книгу Beyond Audit - Robert L. Mainardi - Страница 27

The most important part of marketing the audit department is to deliver an unfiltered account of what the business partner is to expect in the three main phases of an audit – planning, fieldwork, and reporting. It is critical to provide perspective on the internal audit department before diving into the details of the three phases of an audit. Most importantly, explain that every audit department, like other business units, must adhere to standards and methodology requirements. It is not necessary to get into the details of the Institute of Internal Audit (IIA) standards, but it does help in building rapport with the audit client to state the audit department has guidelines to adhere to, just like the business unit, in completing their job. In addition to the standards are the specific audit methodology requirements, and it helps to explain these regarding the three main phases. This type of discussion gives the business partners the background knowledge to help them understand where the audit department is coming from during the review. This information is even more important during a remote audit because the client is only going to be getting requests from the audit department and may not understand why the audit team keeps asking for additional information. However, if the business partner understands the three main phases of an audit, it will make the request and delivery of information during the audit go much more smoothly.

Even before drilling down into the phase details with the client, the auditor can provide perspective of the internal audit department by informing the client of the different types of reviews audit can perform. This not only provides perspective on internal audit, but also plants the seed for future reviews that could be performed at the client's request. Let your business partner know that the audit department offerings include risk-based audits, continuous audits, operational reviews, and partnering on significant business projects or system implementations. The key on any audit is to let the business partner know that audit is a partner to the business and not just a group tasked with examining existing business operations. Again, the auditor should focus on building the relationship with every client on every job. It is even more critical during a remote audit to offer audit assistance to the business operation's team with any challenges they could be facing in this remote operational environment. Additionally, the auditor always wants to focus on internal audit's mission to consistently provide value on each engagement. That value is in process valuation and improvement, independent assessment, the risk and control knowledge sharing, and data-driven recommendations. All of these value points are linked to assisting the business units to meet their objectives consistently.

Another point to share with your business partners to provide insight to the audit operations is to explain how the audit selection process works. Many, if not all, business partners have no idea how their business process has been selected for an audit. Business management can get the wrong impression of an audit if they believe the audit is a result of the business struggling or making mistakes. That could not be further from the truth, and audit selection can explain and relieve that fear. Without getting into the details of the annual risk assessment with your client, the auditor can explain that each business process is evaluated annually to determine the corresponding process risk in an operation. All processes reviewed during the annual risk assessment are given a corresponding risk rating and then compared with other business processes to determine which audits to perform in any given year. Additionally, the frequency since the last audit is considered during the development of the annual audit plan. Obviously, there is more to it than just the rating and audit frequency but there is no need to get into all of the details. The goal of this discussion is to provide insight into how audits are identified and selected each year.

Now that the internal audit background foundation has been discussed, the three main phases of the audit can be described to your business partner to complete the marketing discussion. The first thing I do when explaining the three phases of the audit methodology is to indicate the percentage of time spent on each one. Beginning with planning, the details should include that this is where the highest percentage of time is spent (40–50 percent) in order for the auditor to gather the appropriate level of process knowledge and corresponding data as the testing plan is developed to examine the most critical areas of the business process. The reason the planning phase requires the majority of the budgeted time for the project is because this phase establishes the direction for all subsequent testing to be performed in order to draw the value-based conclusion. The planning phase identifies the most critical processes in the business unit under review. These processes will drive the deliverables linked to the business objectives. Let your business partner know that the audit team is aware of the time and effort required by the business personnel to complete all of their associated tasks but the audit team is only going to focus (perform detailed testing) around the most significant activities as determined during the planning phase through discussions with the client. Remind your client that the audit team will not select the areas to test without verifying the critical role each process plays in the business process achievement of their objectives. Given the enormous amount of time it takes the audit team to understand the business process, review reports, gather data, and hold discussions with the client, especially on a remote assignment, it should be obvious why the planning phase would take up the largest percentage of time in the execution of a risk-based audit.

While every internal audit department recognizes the planning phase should receive the majority of the audit budget, most audit teams do not spend the appropriate amount of time planning, especially if it was an audit that was completed in the past. Why? Usually, it is because of one of two reasons. First, the audit department, having documentation of the last completed audit, believes it would be more beneficial to save time by rolling forward the last approach and getting the current audit done more quickly so as to move on to the next project. And second, audit departments believe they can learn the process “on the fly” and develop a more intimate knowledge of the process requirements through executing the testing (fieldwork) and can thus save the time taken from planning and put it into the fieldwork phase. Neither of these reasons are correct and definitely do not increase the value of the audit results. As a matter of fact, rolling forward the previous testing performed may work, but with the way business processes evolve and adapt to current needs and requests, the details of the process are usually never the same as in previous years. Thus, using the roll-forward planning method may seem smart at the time when in actuality more time will be wasted during testing trying to determine why there are so many deviations from the testing standard. And using the fieldwork phase of audit to understand the process not only results in a slower understanding of the critical process, which requires testing, but also includes support processes that would not have been tested if the required planning had been completed. In the end, the audit team should dedicate the necessary time and effort in the planning phase to identify and understand the critical points of the audit process so that testing can be targeted and streamlined.

From the audit methodologies I develop for my clients, it indicates that the planning phase is complete once the audit program has been drafted, reviewed, and approved by the audit team. That means all the business knowledge, policy reviews, data gathering, flowcharts, and risk assessments have been completed and the most critical business processes have been identified. It is at that point the specific audit steps for validation of the business processes can be drafted. The audit program is created to only test the required steps in the identified critical business processes. That is not to say there aren't other activities occurring in the business unit under review, but the scope of this audit does not include them. This targeted testing approach is why the fieldwork phase of the audit should comprise about 30–40 percent of the budget. That should be sufficient time to execute the program and leave time to clarify the results. There should not be a need for the audit team to spend more time on the fieldwork phase, unless it still includes time dedicated to understanding the business process that should have been handled in the planning phase.

The final phase to explain to your client is going to be the reporting phase. While I recognize that many audit departments seem to spend a significant amount if not a majority of the budget in this phase, that doesn't have to be the case. Most departments overcomplicate the reporting process. If the planning and fieldwork phase are executed in the manner described in the previous paragraphs, I can assure you that your department can reduce the amount of time currently being spent in the reporting phase on every audit, even if it is not a remote review. Depending on how your audit methodology is constructed, the reporting phase of an audit should require about 10–30 percent of the associated budgeted time.

Aside from verifying that your audit methodology adheres to the planning and fieldwork suggestions listed above, here are three tips to help facilitate a smoother report generation phase:

1 Your audit methodology should include a standard audit report template. Included with this template should be instructions on how to effectively document the required fields in the template, along with an example of a well-written, concise, clear, constructive audit report.

2 Keep the partner informed. It is critical that throughout the audit process, especially during a remote audit, the audit team keeps their business partner informed not only of the status of the audit, but also all validated deviations from the processing standard that have been identified during the audit testing that could be included in the final audit report. This consistent and clear communication will ensure there are no surprises for the client when the draft report is created since all potential reporting items have been communicated and explained in advance (via the audit status report).

3 Request business action plans throughout the audit. This will help expedite the audit report generation process.

These three simple actions will provide time-saving opportunities for any audit department to expedite the report phase of their audit methodology.

For complete transparency regarding the audit process, do not forget to communicate to the client that even when the audit is completed, the audit and business teams will stay in contact through the implementation and adoption (Chapter 8) of all agreed-upon action plans detailed in the final audit report. To accomplish this final task of the audit, there will be regular communications to ensure the action plans to address any deviations from the business process standards are appropriately designed and implemented to close any exposures noted. The communication frequency for the business unit's action item follow-up is usually completed on a monthly basis. Most internal audit departments log, track, and report action item follow-up to business unit management and the executive team to ensure these critical items receive the proper attention even after the audit is completed and the final audit report has been distributed. This wrap-up phase of the audit provides the internal audit team an opportunity to continue to foster and maintain the audit and business unit relationship.