Bev Cole’s ‘back to basics’ series of articles is designed to help you understand how to manage an audit department. Steps 1 (audit governance & strategy) and 2 (assurance plan / KPIs) were covered in the previous issue. Here Bev focuses on step 3: audit resource management.
There are six fundamental building blocks in the roadmap for managing an audit department. You can see these building blocks and read about steps 1 and 2 by clicking here to read the article from the previous issue.
Step 3: resource management
Performance Standard** 2030 states: ‘The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan’.
The management of audit resources is a very big subject, so I’ll just cover the basics in this article by asking and answering some key questions. Please also read Attribute Standard** 1200 and related standards on proficiency and due professional care.
Ask yourself this key question – do you have the right number of people in the audit team with the right skills for current and anticipated requirements?
The audit universe should be used to identify what audits need to be undertaken, together with an average manday budget and an approximate average frequency. This will give you an estimated overall annual manday requirement.
This figure – together with your target efficiency percentage (audit work charged to actual time at work), average leave (including bank holidays, annual leave and sick leave) and work to be outsourced or co-sourced – should give you your headcount required.
Don’t forget to adjust this figure for the management overhead required, while the specialist knowledge required (IT, treasury, risk etc), business knowledge and level of audit skill required can also be assessed from the audit universe. A current skills assessment should be undertaken covering audit skill level, business knowledge level and specialist knowledge level.
From all of this information you should be able to put together a picture of the size, skill levels and structure of the department and a gap analysis. It is always useful to benchmark the size of the department as a sense check. A succession plan is also a useful tool for planning.
Here’s another key question – are you maximising your team’s performance?
There should be agreed performance targets that are regularly reviewed so everyone knows what is expected of them and how they are performing. These targets should flow from the annual departmental KPIs.
All audit colleagues should have a training plan and ideally a career plan so that they can address weaknesses, learn new skills and acquire knowledge to enable progression. They should also know where they are on their career path.
There should be communication about departmental goals and progress and the team should be consulted about changes within the department to get their ideas and to ensure they feel included. All of us wish to be treated as an individual and not just a resource. Do you know what their aspirations and goals are? Do you know what motivates them and about them as a person? Are you making assumptions about them?
Feedback should be 360 degree, with open and honest discussion encouraged (see also the article on ‘assignment team management’ within ACCA’s Virtual Learning Centre and I also encourage you to look at some of the excellent books on the subject).
Key question – is your budget sufficient to provide the tools and resources you need to provide reasonable assurance and are you managing within it?
If you don’t pay your team appropriately, you risk losing the skills, knowledge and experience you have and being unable to acquire this in the market-place as well. Consider periodic benchmarking of salaries.
In addition you need to ensure you invest in training and with limited resources use it address the issues in the skills and knowledge gap analysis.
It is common these days to use external companies to provide technical resource, either through having a co-sourcing arrangement in place or outsourcing specific assignments. Ensure you have sufficient budget to cover this and re-tender periodically to maintain the best service and price.
Audit automation software is often used nowadays, so ensure you have the budget for software licences and for upgrades.
Travel and subsistence can be a material part of the budget and good planning and flexibility can keep costs down. Encourage video conferencing to reduce visits between offices, and car sharing where unavoidable.
Phase your budget appropriately, particularly if operating a co-sourcing arrangement. If all your technically complex audits fall in the 2nd half of the year, it is all too easy to have spent too much of the budget too soon. Monitor your budget on a monthly basis to identify problems early and address them.
Remember, if you feel that you do not have the budget necessary to provide reasonable assurance, then it is your duty to request the budget you need and justify it. If necessary, escalate the issue to the audit committee.
3rd party management
Key question – are you maximising the benefit of any co-sourcing or outsourcing arrangements whilst minimising the cost? How do you know this?
Periodically return to the market-place to re-tender for specialist work you feel is inappropriate to resource internally. Produce a specification of requirements, review bids and interview prospective partners.
Ensure appropriate partners are approached for tender and that a robust contract is put in place at a negotiated price. Use the expertise of your procurement and legal departments. Be clear on what you don’t expect to pay for, for example relationship management meetings with the supplier. Be clear on dispute resolution, exit terms, confidentiality agreements, data security and ownership of intellectual copyright. Ensure an appropriate level of professional indemnity insurance is in place.
Set and monitor a service level agreement. Hold regular meetings to discuss how the contract is working for both parties.
Agree a specification of work for each assignment. Be clear on what is required and when. Discuss performance after each assignment and follow this up with written feedback.
Address any problems that arise quickly. If you are not happy with the quality of service provided, you should expect this to be addressed at no cost to you. Remember, co-sourcing works best when you work in partnership and where each party is clear on the expectations and deliverables of the other party.
Performance Standard** 2070 states: ‘When an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organization has the responsibility for maintaining an effective internal audit activity’.
Key question – are you working efficiently by making the best use of IT?
For small audit departments, the use of desktops, word processing and spreadsheet applications will probably be sufficient. However, medium to large audit departments and ones with audit colleagues working remotely or with large volumes of data should consider using laptops and evaluate the costs and benefits of investing in audit automation software and audit interrogation tools.
Audit automation software provides a single database for audit working papers and aims to improve efficiency in several ways. It can improve workflow though sending documents automatically for review and then maintaining a record of review comments and responses. It can greatly improve issue tracking and issue analysis. Some software supports audit universe planning, risk assessment and scheduling. But from my experience one of the biggest benefits is in the speed and flexibility of production of MI, both for reporting to the business and for audit performance monitoring. It gives you better control.
Audit automation does come at a cost, not just on licences, but the investment in maintaining the software, the technical knowledge required to run it and revision of procedures and training of colleagues. It may also be advisable to pick and choose which elements within the software to use.
Audit interrogation tools can be used to analyse large volumes of data and can therefore be a very efficient way of working. They can produce intelligence to support audit findings which would have been impossible to generate manually. Bear in mind, however, that findings must be put in context as you ‘seek out’ errors rather than identify them through random selection of transactions to test.
Ideally the data for interrogation should be extracted by the audit department rather than be provided by the business, as this avoids potential amendment of the data.
Key question – are you acquiring the knowledge you need to provide reasonable assurance and are you managing it effectively across the audit department?
Knowledge is a key asset in any audit department, yet little structure is applied to its acquisition and management. In a broad sense such as knowledge of specific regulation or business area, identify the knowledge you require and undertake a gap analysis to knowledge held. Plan to rectify any gaps.
Find out about business targets, performance, changes and acknowledged issues in the business from attendance at key committees and relationship meetings with senior management.
Find out about what is really happening, emerging issues, unreported issues and about ‘internal politics’ by having effective management of relationships at all levels across the business, built up across the entire audit department.
Work effectively and efficiently by managing and sharing this knowledge within and across the various teams in the department and both up and down through the audit hierarchy.
This doesn’t mean writing everything down and sharing every bit of information. It does mean trying to avoid making assumptions about what is known and working together and pooling knowledge on assignments, business areas and subjects. It also means using it for the benefit of the department as a whole and not keeping it to yourself – whatever your level in the team!
So that was a very brief run through of audit resource management. In the next issue Bev’s final article will examine step 4: process management.
** For more information on all the standards, please refer to http://www.iia.org.uk/
Bev Cole is an independent consultant on internal audit and risk management and has worked in these areas within financial services for over 20 years.