Institute welcome | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland
Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organisation’s most pressing issues. Yet today’s rapidly changing risk landscape demands that internal auditors assess risks more frequently than annually, perhaps even continuously. Risk-based internal audit plans therefore need to be dynamic and nimble. To achieve this some HIAs update their internal audit plan quarterly (or on a similar periodic schedule), and others consider their plans to be “rolling.”
Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member
For a long time, the annual risk-based internal audit plan has been dovetailed with the annual risk review - practical for the audit committee and section 151 officers. The nature of risks now means that this is no longer relevant. HIAs need to ask themselves if they are being too formulaic, causing knee-jerk reactions to unplanned risks. And all this against a backdrop where our key audience can be reluctant to change.
Challenges with annual plan
Alternative approaches
A flexible plan shifts internal audit behaviours in three key areas:
- Encourages being present: engaging monthly rather than once a year, with regular (quarterly or even ongoing) risk assessments rather than a once-a-year formal plan meeting.
- Outcome and value focused, rather than counting the number of audits produced.
- A detailed plan with outline scopes takes time to read, combined with the annual review of charter and strategy. Shorter, timely dialogue about audit work is more relevant.
Some questions for HIAs to think about
Chair closing comments | There is a clear desire for change from internal auditors for a more flexible way of working, as seen in the new proposed Standards. A big barrier is moving on from the comfortable, dealing with inertia and the capacity of teams. It’s all too easy to get caught up in defining and measuring days rather than the value of the work undertaken.
Institute close | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA
Our next session is 29th March 2023, when the topic is 2023 from an internal audit perspective. Join us for a conversation/debate on your priorities and innovations for this year. Please read our insightful new thought leadership report – Navigating geopolitical risk.
Dates for your diary
Chat comments including Q&A
Answers from speakers, anonymised comments from attendees
Comment | We have an annual plan. I have made suggestions to our audit committee to move towards a quarterly plan given the changing nature of risk, but I have so far struggled to convince members of the benefits, as an annual plan is something that has been in place for a long time. I will continue with the dialogue, as we do already make changes to the plan for emerging risks.
Comment | Currently working to an agile/rolling plan, have certainty for a period of up to 3 months, a pipeline of work for a further 6 months. Report 5 or 6 times a year to Audit Committee - they are not entirely convinced yet, but I’m not going to waste my time planning for 15-18 months in advance.
Comment | We previously had a yearly audit plan but found that some audits ran over from one year to the next owing to factors like a lack of resources. In recent years we have taken on a more limited programme in order to complete it within a calendar year and leave more scope for taking on additional audits as they arise.
Comment | Now entering seventh year of not having a plan - comments –
Question | I provide a fully outsourced IA function of x days to a council, and some KPIs are based on delivery of the plan - in terms of cost and number of days and managing performance. Will flexible planning work, or is this just a culture shift?
Answer | Yes, it can work. Discuss the KPIs and what an audit day is – paid to deliver a service, not a number of days, for instance. Need to break the whole methodology, not just the plan. We’re the professionals, not the Audit Committee or management – sometimes we need to push back.
Comment | I think it is the balance of the period you plan ahead for and getting the approval for the plan so you are not seeking retrospective approval for changes too often.
Answer | In a more flexible approach it’s important to gain approval for the process not the plan itself (risk based, priority, resourced) – then the HIA needs to be trusted to deliver.
Comment | I use a flexible plan and have an agreed planning process shared with my audit committee. I am continually building up an assurance picture from audits and risk mitigation conversations my small team has ongoing with management. I always have a plan of the audits we want to do next but allow them to be gazumped if something higher priority comes along. Being flexible can have its flaws but generally we are welcomed starting engagements as it’s bought into across the council.
Comment | We do something similar using an assurance map.
Comment | The highest risk areas do not always have to be assured by internal audit; other assurance providers might be doing something relevant, e.g. scrutiny, but we wouldn’t necessarily know that at the start of the year, so we end up duplicating activity without a more flexible plan.
Question | I’ve also had some raised eyebrows from External Audit, expecting to see an annual plan.
Answer | To be honest, it doesn’t matter what they think, as they are not the experts. There is no requirement for an annual plan. It’s up to internal audit to demonstrate the relevance of their work (planning approach) through process. Recommend you push back. There is also work for us to do with regulators, as they also want to see an annual or sometimes a three-year plan.
Comment | When I have asked my EA if they want to comment on my plan which I share with a view to coordinating work they always say it is not their place to comment.
Question | My fear with a totally flexible/rolling programme is that you end up firefighting all the time, and don’t look at some of the basics.
Answer | It’s about relentless prioritisation so as not to compromise what’s needed for your opinion. It’s okay to have a backlog of low priority requests/audits that never reach the top of the pile. It’s not about reacting to a director’s whim today that they will have moved on from when you land the report.
Question | We still have an annual plan. However, we include contingency time for new risks and take out audits with committee approval if no longer appropriate. We do carry out a fair number of unplanned assignments.
Answer | Annual plans typically include the ability to react to management requests but there can be an element of ‘perceived inconvenience’ to overcome – leaving contingency time is a good approach – but the behavioural mindset that goes with it is important.
Question | How have you adapted the audit software you use to allow for more flexible approaches? Are there any new products on the market that are not geared to annual planning?
Answer | We use AuditBoard which has allowed integrated dashboards and rolling plans. Happy to discuss with anyone (David Hill).
Comment | Some still seem to be pushing for multi-year recurring cycles.
Comment | We use Galileo - the provider has helped us adapt the software to fit our needs.
Question | I would like to know Rupert and David's thoughts on how much of the IA plan (as a percentage) should be IT audit?
Answer | Important to understand the organisation’s risks and also broader IT risks. The audit committee needs to understand where all assurance is coming from across the three lines; it might be that there is a skill shortage in internal audit which impacts what can be done. Need to be honest and have the resource discussion.
Comment | As we have to buy in resource I agree with David - the ideal will probably be more than we can afford so it ends up being what we can resource.