Internal audit plan & the power fault lines
I want to raise a different perspective on looking at the annual internal audit plan of an organisation. We usually look at what internal audit (IA) has covered over the past 3 years or so and at the risk assessment methodology used. In addition, we look at the long-term, high-level 3 to 5-year audit plan.
However, in order to understand the organisation’s power dynamics, one should uncover why certain key risk areas/functions were not included in the plan over the past 5 years.
Did Internal Audit misjudge or miss certain risk areas?
If critical processes and functions, within the risk universe, were not audited over the past 3 to 5 years, we should conduct a root cause analysis.
One should be well aware that there are multiple reasons why certain areas have not been audited:
- Inaccurate risk assessment
- Lack of qualified/specialised audit staff to cover the specific function
- Major changes like new system implementations impacting the function over the past year
- Missed by not even being part of the annual risk assessment
If the annual risk assessment:
- had proper documentation and a reason why a key area/function was not included in the plan, then a professional judgment call was made by internal audit
- did not even include the critical function, then the risk universe was incomplete, which is a miss by IA
Were certain areas/functions not covered due to power fault lines?
Senior management’s inappropriate influence over IA can easily lead to key functions not making it to the annual plan.
What are the signs and techniques used by senior executives to exclude or remove their function from the annual audit plan? Such executives:
- try to misdirect internal audit’s attention away from their own areas
- are keen to raise new risks and management concerns pointing to other domains
- are overly critical of IA’s work, quality and value added, playing up the hard auditee card
- promote excessive follow-up audits to deplete internal audit’s capabilities to cover their function
- overplay the impact of system or staff changes to delay audits way into the future
Internal Audit should identify undue influence and reassert its independence by reporting any such action to the Audit Committee of the Board or the Board of Directors.
What type of anomalies, if any, have you seen in annual internal audit plans?