The first blog post of this series discussed the structure of an internal audit (IA) department within an organization. Whether internal or external, Quality Assessment (QA) will focus on six areas, the second of which is Risk Assessment and Audit Planning. Does IA determine a complete audit universe or scope of auditable areas? Is a formal risk assessment performed to determine which auditable areas should be addressed in the internal audit plans? Do the audit plans focus on significant risks in each auditable area selected for audit? If staffing does not allow for completion of all audits identified in the risk assessment, is the process to defer or reschedule audits reasonable and has it been communicated?
The Institute of Internal Auditors (IIA) guidelines focus on the idea of a “risk-based” approach to ensure activities focus on the most critical risk areas and allow IA activity to add value. While there are as many theories and approaches to conducting a risk assessment as there are auditors, the objective is to measure individual risks and develop an annual audit plan, regardless of the approach.
One of the biggest concerns in this area is that available staffing actually drives the audit plan, rather than a true risk assessment. Too often, an IA activity “backs into” an audit plan based on available staffing. A risk assessment should be completed first, and then consideration should be given to whether staffing levels are adequate to address the major risks identified. If audits identified as needed during the risk assessment process are deferred or rescheduled due to inadequate staffing levels, this must be communicated to management, and management must accept these risks during the current plan year or agree to additional hired or contracted staffing to complete the plan.
Part One of our series looks at how to structure the internal audit function.
How BKD CPAs & Advisors Can Help
BKD’s Enterprise Risk Solutions (ERS) practice provides specialized resources that deliver the right combination of expertise and skills to achieve integrated results. Our ERS division features experienced professionals who provide Quality Assessment services to organizations seeking to improve their IA activity’s effectiveness and value. Contact us to learn more.
Latest posts by Cynthia Bosotin (see all)
- Six Ways a Quality Assessment Adds Value to Internal Audit: Part 6 - October 29, 2014
- Six Ways a Quality Assessment Adds Value to Internal Audit: Part 5 - October 27, 2014
- Six Ways a Quality Assessment Adds Value to Internal Audit – Part 4 - October 21, 2014