This is an area that has been perturbing me for a while. What is scoping? What does it mean? What does / should it add?
Well, we know we should do it. International IIA auditing standards require that work should be planned at each level, including review level. Also common sense says whenever you undertake any discrete, project-based, level of work some form of plan makes sense.
There are obvious benefits to scoping. It enables thinking and planning to occur for the auditor and forces some sense of what is the itch? where is it? how can I best scratch it? In my experience thinking meaningfully prior to undertaking action is always good.
But (you knew there was going to be one) it always, in practical reality, gets bound up in discussions of permission, access, what is in, what is out. It gets used, quite unhelpfully in my view, to judge the success of the outcomes of the audit. I have interviewed auditors who have said that success of the audit is related to how closely the outcomes of the review have met the ‘agreed’ or ‘approved’ (hmm) scope. When they were asked what they would do if they found an issue or risk outside of the scope, they quite cheerfully reported that it would not be included or considered. ‘It was outside of the scope’ (!) Whither risk based audit?
For me scoping should be, therefore, not a commissioning of an audit process, not a final word on the scope of work or remit of the audit, but an intelligent meeting of two independent minds to think about adding value and also a mature consideration of risk. The outcomes can be negotiated through dialogue and discussion afterwards, which may require different reports, more work, or a range of possible audit outcomes.
I can see why professional services firms use scoping as a contract. It manages their risk. Audit departments in firms generally specify the work (often at a granular level) underpinning any subsequent opinion they issue. They will then report ‘based upon those agreed procedures’. No matter that they may not be the right procedures, or they may not be sufficient or enough to underpin the risk based opinion really needed. It also assumes they know in advance what work is required. Fine for cash and banking audits, less so for strategic risk reviews. Thus scoping for them is critical in this process, as it is a contract and buying process. The balancing factor is, therefore, the opinion not the work. If you wanted a risk-based opinion would this be sufficient for your assurance?
This is not generally so for advisory work from professional firms, their scopes are wide ranging and focus on the opinion. The work is often not specified. Opinions really are qualitative and not as structured, documented and systematically evidence based as you might expect from an audit-trained perspective. If you like, this is the exact opposite of their audit sections. Okay of you get a good consultant, not so good if not.
The other point of scoping in my view is to resource audits. Again in a firm this is a contractual point. For in-house audit it is a mature discussion about the scale of the task and relative priorities.
So what is good scoping? Well I would suggest it is seen as a kick off meeting. What is the itch? how to scratch it? what are the formal and informal issues, processes, structures, people and other points that need to be considered?
I have felt that I have known my clients well during my career. I never fail, however, to be surprised by how different my view of an issue at the commencement of an audit, compared to my view at the end, is. I learn every day and benefit from working with my helpful, bright, challenging and many times supportive and highly pleasant to work with, clients.
It is for this learning curve reason that a scope is the beginning and first, not the final, word. It is a process of opening engagement, not closing it down or restricting it. That is not to say that I cannot predict, or have some sense, of the outcome of the audit. Any good CAE should be able to do that. I have a rule that my intuition is, generally, right nine times out of ten. It is for that one out of ten, however, and for the promotion of a risk-based and independent audit, that I like to have a framework, not a cage, to work within when auditing.
So I exhort my fellow CAEs to embrace co-produced; non-litigious; flexible but thoughtful; assurance scoping. Make it ‘meaningful’, not audit-process myopic!