This year marks the 20th anniversary of The IIA’s adoption of risk-based audit standards. I chaired The IIA’s Internal Audit Standards Board at the time, and we all recognized what an important milestone the new standards would reflect. Not only were internal audit’s (annual) audit plans to be developed on the basis of enterprise risks (IIA Standard 2010), but individual internal audit engagement plans were to be formulated on the basis of risks in the area, program, or function where the audit was to be undertaken (IIA Standard 2200). Prior to 2002, many internal audit departments undertook cyclical audit plans (e.g., key elements of the organization’s audit universe were to be audited on, perhaps, a three-year cycle).
In the ensuing two decades, the profession has made significant progress in embracing IIA Standard 2010, but from my experience, far fewer routinely undertake a deeper assessment of risks at the outset of an engagement. Instead, they rely on prior engagement programs without seriously evaluating whether/how risks in the area to be audited might have changed. Sadly, this often results in what I call a drive-by audit.
I use the term “drive-by” to describe those instances in which a canned internal audit program and/or checklist are used to facilitate a routine audit or report. In the financial services and retail industries, branch or store audits are sometimes conducted in this manner.
Don’t get me wrong. Drive-by audits can provide important assurance on internal control effectiveness and compliance matters. They also can serve as fraud deterrents. However, their use does not always conform with The IIA’s International Professional Practices Framework (IPPF), and they rarely provide optimum value to management in the area subject to audit. I have seen the technique used throughout my career, and I often referred to these engagements as “hit-and-runs” in reference to how clients often felt after the audit team came and went.
To avoid being guilty of an ineffective drive-by audit, I offer a litmus test of five key questions to assess your approach:
I have written extensively over the years of the need to improve the timeliness of internal audit results. Nothing undermines our value more than delivering results when it is too late for management to correct a problem or avoid further fraud, waste, or mismanagement. While drive-by audits are often much faster, the value they provide is sometimes not worth the effort. I would encourage any internal auditor who might be conducting canned inspection-type audits to reexamine your approach. Use the five questions above to transform your internal audits into more risk-based, client-focused engagements.
As always, I welcome your thoughts on this important topic.