Here’s a question – is it easier to audit a competent department or a less competent department? [I use department for convenience as the risks assessed will not necessarily be department based – for those risk based auditors who would shout – that’s not risk based auditing.] In a risk-based audit world the audit focus should, rightly, be on both high net risk and high gross risk departments. This will, all things being equal, focus the audit work on those departments that are potentially less competent (high net risk) and the very competent (high gross risk and low net risk). High gross risk departments are usually competent because their control environment has to be better to mitigate significant business risk. In my view an auditor’s annual opinion only runs into trouble where high gross risk departments are also high net risk; thus something important that is badly controlled or poorly managed.
So, back to the original question – is it easier to audit competent departments or not? Well ostensibly it is easier to audit competent departments. Scoping is easier as the management team has a clear view of their operations. Risk assessment is easier as the department may even have its own detailed risk assessment that the auditor can simply audit. Reports should be shorter, less to write and less to agree. Ultimately you are giving good news.
On the other side, the less competent department. It is harder to assess risk. Processes and controls may be disparate and confused. Reports become long and complex, they may even turn into consultancy style reports. To agree points becomes long and torturous as the department feels under the cosh. It is a process of bad news delivery.
But, less competent departments are more interesting. It is easier to add to value. It is more interesting and easier to create an holistic control environment through the audit. These departments are often more engaged in the process of audit and see you as a friend and support. They are often less stuck in processes and how it’s always been done and are more focused on a change and development agenda. It also provides something of interest for audit committee members to discuss and debate and really allow the board to add value through their work and expertise. They are often less worried about the little detail, as the issues are of a macro nature. It is also easier to get senior executive engagement in these macro audit issues.
So I would say, I love a challenge. I love working with high net risk departments. These provide greater interest and a greater chance and opportunity for internal audit to add value. Auditing is always about balance, proportionality and judgement. No audit team can constantly audit all good and all bad, but I would suggest that a focus on high net risk areas does not need to be hard work. It can be rewarding. Some of my greatest management partners and colleagues have been in departments with problems and challenges. Long may it be so.