Did You Know?
The BarnOwl GRC (Governance, Risk and Compliance) and Audit software solution integrated with Arbutus Data Analytics can greatly assist any audit function in adopting an integrated audit approach.
An integrated audit approach can increase the internal audit activity’s credibility, resulting in increased relevance of its work and a greater opportunity to be seen as an essential participant in major projects from the outset. Other advantages include increased coverage, improved reporting and more effective risk assessments and audit planning.
IIA Standard 2000 (Managing the Internal Audit Activity), outlined in the IPPF (International Professional Practices Framework), requires that the chief audit executive (CAE) effectively manage the internal audit activity to ensure it adds value to the organization. By leveraging a risk-based model, engagement planning performed through an integrated risk assessment lens can afford a smaller audit activity the opportunity for greater efficiency and support effective risk coverage within the audit program and objectives. Additional dimensions to the audit include extended risk identification and risk evaluation and identification of controls over the broader scope area.
For an organisation to embrace integrated auditing, the corporate governance framework should be sufficiently mature. Boards and senior management may require continuous monitoring to enable assurance across the organisation, and for this assurance to be provided in real time. An integrated audit may be the most efficient and effective approach. Continuous monitoring enables management to determine more quickly and accurately where they should be focusing their attention and resources to improve processes and manage risks that threaten the objectives of the business, and to take proactive and preventative action in time.
The internal audit activity should consider the use of multiple audit techniques when performing an integrated audit to efficiently and effectively accomplish the desired outcome of the engagement. Examples of these audit techniques can include, but are not limited to, continuous auditing, sampling, surveys, and data analysis. Development of risk-based audit procedure checklists, scoping mechanisms, and common testing methodologies to frame engagements best suited to an integrated model will drive efficient execution. Such material could drive the development of integrated audit work program templates, which will lessen the time needed by staff to effectively complete engagements and meet engagement objectives.
Integrated audit engagements include the consideration of multiple risk areas; any reported findings will likely require a broader audience for socialization and related coordination to secure needed management action plans.
The adoption of an integrated audit strategy does not mean that limited scope audits will no longer be used. Risk assessments may suggest that the audit of high risk in a single element should be the priority. This might result in a narrower-scope audit.
Key questions when using an integrated approach
The following are key questions the CAE should ask to ensure that the internal audit activity is effectively using an integrated audit approach.
- Does the audit plan incorporate coverage of all high risk areas?
- Is each auditable activity defined to ensure it covers areas within its scope?
- Is the risk assessment performed in an integrated manner? For example, do the risk assessment risk factors ensure coverage of high risk areas?
- Do recommendations ensure inclusion of areas or factors that would affect the root cause?
- Does coverage for the audit include an overall framework?
- Do conclusions on specific audit tests address the control framework setup in the audit planning phase?
- Throughout the audit, are team members aware of the interrelationships of various controls to effectively and properly assess the impact of any deficiencies?
- Do management survey responses indicate that the integrated approach provides value-added results?
The audit standards and definitions of audit make it clear that Internal Audit needs to transition from the business of providing subjective opinions on “control effectiveness” on a small fraction of the risk universe to ensuring senior management and the board are aware of the current residual risk status linked to key strategic value creation objectives and potential value erosion objectives.
While the annual risk assessment is the minimum requirement articulated in the Standards, today’s rapidly changing risk landscape demands that internal auditors assess risks frequently, even continuously. Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling”.
As Norman Marks comments, “Providing assurance after auditing auditable entities is not the same as providing assurance on the more significant enterprise risks. Audit risks to the enterprise, not risks to an auditable entity”. It is also concerning to see how many audit managers and CAEs still talk about a three-year rolling plan, or what is often referred to as cyclical auditing. As Norman Marks comments: “This approach has been obsolete for at least 20 years. The idea that you can predict what you should audit in future years is beyond credibility (and contradicted by the first pages of the PG). Over my long career as a CAE, I never predicted with any degree of certainty what we would audit more than 3-6 months out”.
Continuous monitoring provides the ability to monitor controls on a real-time basis, proactively triggering risk assessments and providing early warning alerts of a changing risk environment.
The chief audit executive (CAE) should consider an integrated audit approach as part of the overall methodology used by the internal audit activity. The objective is to achieve a more effective and efficient audit engagement.
An integrated approach enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.
This article was sourced from material from the “Integrated Auditing Practice Guide – July 2012”, published by www.globaliia.org/standards-guidance. The International Professional Practices Framework (IPPF) promulgated by The Institute of Internal Auditors (IIA) includes the Definition of Internal Auditing, Code of Ethics, International Standards for the Professional Practice of Internal Auditing (Standards), and strongly recommended guidance such as this Practice Guide.
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by close to 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see www.barnowl.co.za for more information.
About Arbutus Data Analytics:
Arbutus is arguably the most powerful Data Analytics software on the market, empowering an organisation to transform its data into valuable business insights. Beta Software is appointed as the authorised distributor of Arbutus in Sub-Saharan Africa and is the biggest Arbutus user in South Africa.
Please see www.betasoftware.co.za for more information.
About BarnOwl GRC integrated with Arbutus data analytics
BarnOwl GRC is fully integrated with Arbutus data analytics giving you the ultimate in real-time risk management and continuous monitoring.
BarnOwl GRC, underpinned by real-time metrics from Arbutus, provides a strategic early warning system driving preventative and predictive capability, with real-time insights facilitating effective business decision making and business improvement.