If the constant pace of change isn’t motivation enough for chief audit executives to keep their audit plans up-to-date, fresh guidance from the profession is expected this summer to push the internal audit function further into action.
The Institute of Internal Auditors will unveil its International Professional Practices Framework at an international conference in July to update guidance on what an effective internal audit function looks like. As part of the enhancements, the IIA will call on internal audit to adhere to new core principles that should compel the savvy CAE to take a fresh look at audit planning.
For example, the framework is expected to tell audit executives to align strategically with the aims and goals of the enterprise and to become more insightful, active, and focused on the future. “It should be another nail in the coffin” for a static, annual audit plan, says Robert Hirth, chairman of COSO and a member of the task force that reworked the guidance. “Change is now the constant, and it’s accelerated to the point where you can’t ignore it. The CAE has got to keep asking: Does the plan need to change in the year?”
Many CAEs already believe the answer to that question is “yes,” based on the results of the IIA’s latest polling of internal auditors. In its 2015 report, the IIA says 60 percent of the 311 top audit executives who answered its survey said they have a formal process for updating their internal audit risk assessment and audit plans during the year. Roughly the same percentage also perform informal updates, suggesting some departments update their plans both formally and informally, the IIA says.
Less clear, however, is how a CAE can best go about updating an annual audit plan. Internal audit experts offer plenty of ideas on how that is done in some organizations and how it could be done by the most forward-looking CAEs. Richard Chambers, president and CEO of the IIA, says he sees organizations using some combination of three primary methods to keep abreast of the risks that suggest the annual audit plan needs a refresh.
First, companies might identify what they consider to be key risk indicators that merit monitoring, Chambers says. Cyber-security intrusions or attempted intrusions, for example, might be an emerging risk to monitor. “If that number starts to increase, maybe you know that the risk is increasing, so you move that up on the audit plan, or start coverage if maybe it was not on the audit plan at all,” he says.
A less formal method, he says, is to perform updated risk assessments simply by walking around in the business. “Build relationships throughout the organization, and maintain continuous contact with key management leaders throughout the enterprise,” Chambers says. “Sit down with them periodically and talk to them about what risks they are facing and how they are addressing them.”
Finally, companies might monitor risks in the broader environment, looking for concerns that might apply to specific industry sectors or business in general. “You would have to be in a cave not to know that retail is highly prone to cyber-security attacks,” he says.
Some companies leave themselves room to change course by developing an annual plan that is only 70 to 80 percent allocated to specific projects, giving themselves a contingency that can target emerging issues. “If they leave 20 percent for overruns or new things that come up, they have the budget to get into it,” Hirth says.
Roll With It
Norman Marks, an independent internal audit consultant formerly with SAP, says he favors the rolling audit plan, much the way some organizations use rolling forecasts or rolling budgets. The CAE would have a 12-month plan continuously in place, with the first quarter more firm than the fourth quarter. “You would present the audit committee with a list of risks you plan to audit in the next quarter and beyond, up to 12 months,” he says. “But you would tell them that the plan is only somewhat fixed. You still have flexibility for the next quarter and will revisit the plan to determine what makes sense to do as you go through each quarter.”
Below are the Institute of Internal Auditors’ proposed “Core Principles” for the professional practice of internal auditing.
Demonstrates uncompromised integrity.
Displays objectivity in mindset and approach.
Demonstrates commitment to competence.
Is appropriately positioned within the organization with sufficient organizational authority.
Aligns strategically with the aims and goals of the enterprise.
Has adequate resources to effectively address significant risks.
Demonstrates quality and continuous improvement.
Achieves efficiency and effectiveness in delivery.
Provides reliable assurance to those charged with governance.
Is insightful, proactive, and future-focused.
Promotes positive change.
Consistent with the pending framework from the IIA, a rolling approach is more forward-looking, Marks says. “We need to help the organization move forward, not always looking backward,” he says. “You know with a fair degree of clarity what are the most significant issues to address in the next quarter, but beyond the next quarter, visibility is more limited.”
Paul Sobel, vice president and CAE for Georgia-Pacific, says he has experimented with the rolling audit plan in recent years “with some success.” It works well in his private company setting, he says, but might be more challenging for public companies that must comply with internal control reporting and auditing requirements under the Sarbanes-Oxley Act. “In that situation, the annual plan that is adjusted quarterly is probably more common,” he says.
Public companies, where Sobel also has some experience, have a certain rhythm about them with quarterly and annual reporting requirements, he says. “Audit committees and management might be less willing to hear about changes to the third and fourth quarter,” he says. “They really want that comfort that everything is going to be covered with respect to internal controls. A rolling plan can still work, but maybe with less flexibility in the later quarters.”
Daniel Roberts, head of risk for U.K. insurer First Central Group, says he’s not as wedded to the idea of a rolling audit plan. He favors instead a longer-term view of internal audit with a three-year plan. “There are areas you are going to audit every year, but there are others that if you do not plug them into a program, they will never reach the top 10 or 20 in a year,” he says. “Therefore, they effectively get a free pass forever.”
Another independent consultant, Dan Swanson, says any audit plan should be backed by a two- to three-year strategic plan that drives change or evolution of the internal audit function. He sees quarterly planning gaining popularity in internal audit circles, but “I disagree with trying to do an annual plan four times a year,” he says.
The best approach for any given organization might also be tied to the needs of a particular industry sector, says Jason Pett, U.S. internal audit services leader for PwC. Companies in financial services, for example, probably have less flexibility because they are more highly regulated.
Regardless of sector concerns, however, the best internal audit functions are the ones that best align themselves to the strategic direction of the organization, however swiftly or significantly that changes, he says. “You need to have enough flexibility in the risk assessment and audit planning processes to ebb and flow with the business as it moves,” he says.