During a recent lecture on internal audit’s enduring timeliness challenge, I was once again preaching of the dangers of audit engagements that take too long. A survey of participants disclosed that many took 60-90 days to finish a typical engagement. Most agreed that lengthy audits yield less value than those where the results can be delivered quickly.
But one seminar participant shared a different view. He was quick to point out that assurance engagements conducted too quickly are also fraught with danger – especially if the auditors don’t focus on the real risks. I agreed and have written about the dangers of what I call “drive-by audits” in the past. I promised the seminar participants that I would reshare my views on this topic. So here goes.
In the last two decades, the internal audit profession has made significant progress in embracing risk-based engagement planning. But there are still a lot of internal audit teams who rely on prior engagement programs without seriously evaluating whether/how risks in the area to be audited might have changed. Sadly, this is often a key factor in so-called drive-by audits.
I use the term “drive-by” to describe those instances in which a canned internal audit program and/or checklist are used to facilitate a routine audit or report. In the financial services and retail industries, branch or store audits are sometimes conducted in this manner.
Don’t get me wrong. Drive-by audits can provide important assurance on internal control effectiveness and compliance matters. They also can serve as fraud deterrents. However, their use does not always conform with The IIA’s International Professional Practices Framework (IPPF), and they rarely provide optimum value to management in the area subject to audit. I have seen the technique used throughout my career, and clients who received these drive-by reports often felt they were victims of internal audit “hit-and-runs.”
To avoid being guilty of reckless auditing, I offer a litmus test of five key questions to assess your approach:
- Is the engagement the result of an annual or ongoing risk assessment process? Drive-by audits often are cyclical. “We are going to audit you this year, whether you need it or not.”
- Is the audit program or engagement plan itself developed based on risk? IIA Standard 2201: Planning Considerations mandates that, in planning an engagement, internal auditors must consider significant risks to the activity, its objectives, resources, and operations. Drive-by audits often are conducted from canned audit programs with little consideration given to the risks in the specific business unit or activity where the audit is being conducted.
- Is the same audit program being used at each drive-by location? As I indicated, the audit program should be tailored to the risks of the specific unit. However, there is an even greater risk of using canned programs: Management will quickly ascertain the areas subject to audit and ensure they are ready for the audit. Even when new audit programs were used each year, I saw instances of management from the first business unit subject to the annual audit cycle signaling their colleagues subject to subsequent audits on “what the auditors are looking at this year.” While it is good the problems were corrected in advance of the audit, it undermines the ability of the auditors to provide assurance about the ongoing state of operations or control effectiveness.
- Does the final audit report offer recommendations, or does it simply provide findings and/or observations? Although rare, some drive-by internal auditors don’t attempt to develop customized recommendations for corrective actions in response to findings or noncompliance cited in the audit report. The final report is nothing more than a list of transgressions. Then, the auditor is off to the next location leaving the report’s recipients feeling like the victims of a hit-and-run audit.
- Does the audit process and final report add any value for operating management? Sadly, the answer to this question for drive-by audits is often “no.” The reports are frequently very clinical, with no indication of management accomplishments, insight on operations, or opportunities for improvement beyond “these things are not in compliance — fix them.”
As I said at the beginning of this blog, I have written extensively over the years of the need to improve the timeliness of internal audit results. Nothing undermines our value more than delivering results when it is too late for management to correct a problem or avoid further fraud, waste, or mismanagement. While drive-by audits are often much faster, the value they provide is sometimes not worth the effort. I would encourage any internal auditor who might be conducting canned inspection-type audits to reexamine your approach. Use the five questions above to transform your internal audits into more risk-based, client-focused engagements.
As always, I welcome your thoughts on this important topic via LinkedIn or Twitter (@rfchambers). You can also email me at blogs@richardchambers.com.