CPD article: Outcomes-based auditing is the next step change for the profession, believes Sarah Pumfrett.
Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
Early in 2017, ACCA UK ran a number of focus groups around the country for members working in internal audit. One of the issues identified was that when external auditors move into internal audit, they do not necessarily realise that they need a different approach and some new skill sets to perform what is a very different role. This article aims to highlight some of those differences and can be used to help members moving from external audit into internal audit.
‘Surely an auditor is an auditor?’ is a phrase I’ve heard more than once during my career. I often find myself explaining that I don’t give opinions on financial statements and while I’m sure the turnover and ratios are really important, the numbers don’t actually interest me that much.
Instead, my fascination lies with effective enterprise risk management and the assurance that goes with it – a discipline I call ‘outcomes-based auditing’. I believe this is the next step change the internal audit profession is making following on from ‘risk based auditing’.
While the different disciplines within auditing – internal, external/statutory, quality, HSE etc – have overlaps in skill sets, each has a distinct focus that changes how and what they are auditing. Let’s keep it simple and consider those involved in financial audits for a moment.
internal auditors had no interest in what the numbers were, providing they were calculated correctly according to the specified process. Their focus was on whether or not management consistently followed logical processes to generate the results. They reported to the chair of the audit committee and have no power to affect the sign off of the financial statements
external/statutory auditors had no interest in risks and controls; they didn’t care how the numbers got into the financial statement providing that those numbers were ‘ball-park correct within a specified tolerance’. After all, their role was to provide assurance that the financial statements were not materially wrong. Statutory auditors have to hold a practising certificate and professional indemnity insurance in case they get their opinion wrong.
Individually, there was little overlap, but there was a benefit from knowing the numbers had been accurately calculated. Theoretically, had these two disciplines performed impeccably and cooperated, businesses (and their wider stakeholders) were broadly protected from fraud, mismanagement, error and omission.
Unfortunately, the theory didn’t hold up in practice and with financial crashes and suggestions that auditors on both sides were less effective than they should have been, statutory auditors are now required to pay more attention to the control framework and their understanding of the key controls behind the numbers.
This is a threat to both internal and external auditors as the external auditors haven’t traditionally been trained to understand the risk management controls (and may therefore struggle with the new skills they’re expected to have) and the internal auditors may well be challenged on what value they add if the statutory auditors are now covering the traditionally split roles.
Compounding the problem, historically many job adverts for internal audit positions specified an accountancy qualification and experience associated with statutory auditing. This indicted that many organisations did not fully understand or appreciate the different skill sets involved. This may well have been a root cause for the perceived failures that resulted in the situations mentioned earlier.
So let’s start with the basics and build up from there.
Internal audit is about much more than the financials! You have to be in a position to audit whatever the key risks are, at that point in time, for the organisation.
These risks cover the full Political, Economic, Social, Technical, Legal and Environmental (PESTLE) spectrum so mere financial expertise is insufficient to perform an internal audit to a technically competent level.
Furthermore, two organisations doing exactly the same thing in adjacent premises may have entirely different risk profiles and therefore a one size fits all approach to what their risks are is totally inappropriate. As an example, let’s take three high street shops, all selling an assortment of clothes, china, toys, calendars and cards. You’d think if they were alongside one another they’d have the same profile, right? Wrong!
One of these shops is:
a multi-national corporation: it’s a ‘pile it high and price it low’ store – all about the profit it can take out for shareholders; it pays minimum wage, has a high proportion of part time staff (students, women fitting in work around school hours and semi-retired individuals)
an independent retailer: it focuses on locally sourced and ethically traded, high quality produce – the shopkeeper knows most of their loyal customers by name and can tell you specifically which home-based tailor with small children created the unique dress/blouse; local artist set up a pottery to provide the tableware, community enterprise carved the wooden toys; and which local charities make the cards and calendars it stocks. Profit margins are low and the owner hasn’t had a day off in the past two years, but it’s more about community spirit and putting something back for this business
a charity shop staffed by volunteers, selling a mix of new and second hand items: a lot of their customers are on low incomes and any profit they make goes to the cause they’re supporting.
Each has a very different risk appetite and reason for existing; therefore they should have very different audits. The first probably has a far higher risk of loss through theft than the latter two; the middle is highly dependent on a small number of artisan producers, and therefore stock-out and cash-flow are likely to be key risks; the latter is reliant on donations of both goods and time... if a volunteer fails to turn up the store may be unexpectedly closed, while in times of austerity the quality of donated goods may fall to a point where the shop has nothing saleable coming through the doors, probably at a time when demand is at its highest.
So how do you start to convert the skills of the financial statutory auditor to an internal auditor? The first is to recognise that they already have skills you can use:
they understand a logical approach and professional due diligence
they probably also have a good idea about commerciality so can ask insightful questions around the financial side of the business
they will already understand how to interview people in order to get relevant answers
they will understand financial statement assertions (completeness, accuracy, validity etc).
These are all key skills. The trick is to then train them to think outside of the financial statement box and apply these skills in a wider context.
Let’s start with the easiest form: ‘systems-based auditing’, which is still endemic and possibly the most likely to be recruiting statutory auditors to the role. Systems-based audits tend to be quite compliance-focused and will involve documenting the system either through narrative or flowchart, walking through the system to confirm that what has been documented is true to actual process and then assessing the process map for design gaps and material efficiency savings. The auditors will need:
research skills (to understand the PESTLE and translate it into the terms of reference and scope the work effectively – this may include use of questionnaires such as a system appraisal questionnaire and/or key control identifiers as well as risk appetite assessments)
interviewing skills (to quiz management on how they think the system operates in order to document the system)
flowcharting skills (to translate the interview notes to a process map)
logical analysis (to identify redundancy, duplication, omission and mistimed activities in relation to the control of risk)
walk-through skills (the key here is not to lead the person performing the work but to identify discrepancies subtly as they go through the process, and make pertinent enquiries to establish if there’s a reason for the exception or if that’s how it always works).
Once the analysis has been performed, the auditors need to fact check their issues with management to ensure there is no error or omission in understanding and to agree areas that require improvement. It may be that an interim report or management letter is required at this stage depending on how you’ve agreed to structure the audit.
For controls that are confirmed to be effectively designed and implemented, the next stage is to assess if they are operating effectively and for this a test plan is required. The plan needs to consider:
Direction of testing. For example, if confirming that all invoices have associated purchase orders, selecting a sample from the invoice list is the correct starting point. If you select from the purchase order listing then you have erroneously biased the testing and will not find exceptions... all purchase orders will have associated invoices (timing dependent), but not all invoices will necessarily have purchase orders.
Method of testing. For example, if three people are raising 1000 orders a month, you won’t have time to test all of them so how will you sample to give assurance that, regardless of who processes the order, the controls are effective?
Should you randomly sample from the population? What if one of them processes significantly more than the other two and you therefore end up with your entire sample coming from one individual?
Should you stratify your sample across the three? What if one of them only processes orders for very low value items such as stationery; should that get equivalent attention to the person who is raising high value orders?
Should you interval sample (in which case, how do you first order the population to ensure the interval is not biased)?
Is judgemental sampling the right option? Perhaps you want to focus on the high value items... but what if the process for high value items is slightly different and has to be separately authorised? Are you in danger of picking the ones that are more likely to be correct because someone else has already approved them?
Sample size in relation to the assurance required. According to normal distribution, the greater the accuracy required from the opinion, the larger the sample needs to be in order to avoid sampling error. However, in this day and age of big data and analytics, it’s not impossible to test up to 100% of the transactions in a system and identify those that are most likely to have findings, and then to sample from those to establish if there is a control gap or control failure.
‘Risk-based audits’ are still promoted by the profession as the standard. These audits are focused on the key risks to the business, and how those risks are being managed. Rather than auditing the entire system, specific risks to business objectives are targeted and controls relating to how management prevents those risks from manifesting or detects that they have manifested are the focus of the audit.
While this enables the auditors to focus on the key issues of concern to management, it also means the wider context of the system is lost, and if management has missed a key risk, the auditors are also more likely to bypass coverage of that area if they haven’t performed an independent assessment of the key risks to the entity and its stakeholders.
Increasingly, thought leaders within the profession are advocating a move to outcomes-based auditing. Key audit techniques include understanding:
what the objectives of the business are (this involves interviewing management and challenging your (and their) understanding of what success looks like)
why they have a particular strategy and how that strategy aligns with their ultimate goal
who owns the objectives (is management aligned or do key individuals have different viewpoints which can undermine the objective)
when were the objectives set, communicated, and strategies implemented to achieve them and due to be delivered
where does management perceive the constraints, parameters of operation, risks and threats are to achieving the objectives
how is management treating the interim risks between where they are and where they want to be?
Outcomes-based auditing focuses on what must go right for an entity to thrive rather than attempting to control everything that could go wrong. It takes internal audit from the compliance-focused ticking the box exercise to the strategic assurance and trusted adviser role the board and c-suite need to effectively deliver for everyone.
Sarah Pumfrett, vice-chair, ACCA UK Internal Audit Network Panel
If you would be interested in a conversion course for statutory auditors looking to move into internal audit then please email email@example.com