Limited Staff, Resources No Longer a Problem in New IIA Guidance
The Institute of Internal Auditors (IIA) has released a new practice guide that acknowledges the challenges faced by many chief audit executives (CAEs) and audit leadership in small audit activities in implementing the IIA‘s standards.
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing helps smaller audit organizations maintain professional standards by providing specific examples and leading practices to help them meet challenges like limited staff and resources.
These challenges can impact the organization’s ability to conduct the internal and external assessments required by the IIA’s standards and make it hard for small audit organizations to maintain independence and attract and retain qualified subject matter experts.
IIA Vice President of Standards and Guidance Beryl Davis said: “The Standards are applicable to all audit organizations, regardless of their size, level of resources, or complexity. However, smaller audit activities sometimes have challenges implementing the Standards due to limited staff and resources.”
The new practice guide identifies the five most challenging areas for small audit organizations, namely, independence and objectivity, quality assurance/improvement programs, managing the internal audit activity, engagement planning, and performing the engagement.
The IIA advises audit organizations to “maintain open communications with the board and senior management concerning the importance of preserving independence and objectivity. This includes explaining the difficulties involved with auditing areas over which auditors may have been given operational responsibilities, and discussing the challenges resulting from organizational reporting structures.”
Audit organizations should also perform an audit review as part of each audit and obtain feedback from stakeholders through surveys or documented discussions to integrate quality into the audit process according to the guide.
For example, the reviews of an external peer organization can be used “to satisfy the Standards requirement that an external quality assessment be conducted at least once every five years.”
Furthermore, audit organizations are advised to “solicit feedback from key stakeholders periodically to verify that the audit activity is performing value-added audits and that the audit plan remains aligned with strategic objectives and key risks facing the organization.”
This will ensure that managing the internal audit activity is risk-based according to the IIA.
In planning the engagement, audit organizations should identify the key components of the process — the engagement objectives, scope, and audience — which should drive many of the factors considered during the planning stage, including the duration of the audit, key due dates, staffing, and the extent of documentation.
In performing the engagement, CAE’s involvement high-risk or complex processes should be increased while for lower-risk engagements an experienced audit staff may set the expectations and review the work of less experienced staff, the IIA added.
Davis said in a statement: “In small audit organizations, staff members may wear multiple hats, their work may not be based on a risk assessment, and they may place more emphasis on financial auditing. They may even have to audit their own work at times.”
The practice guide includes a detailed template that “serves as a checklist to help audit leaders get organized as they review their common practices to make sure that they are complying with the Standards,” Davis added.