jump to navigation

The Chair of the Audit Committee Requests… April 13, 2015

Posted by Audit Monkey in The Joy & Pain of Internal Audit.
Tags: , , ,
trackback

As some of the Internal Auditors who read this blog know, periodically, the Audit function will be subject to an ‘effectiveness review’.

The purpose of the effectiveness review is to assess the er, effectiveness of the Internal Audit (IA) function. (I admit that was a poor description but I couldn’t resist.) In practice, this means an independent party assesses the Audit function on intangibles such as impact on the organisation, compliance with IIA standards while benchmarking the function with other organisations. (It usually goes a bit deeper than this depending on the firm (consultancy practice) doing the review; some use a scoring card, others wing it.)

Nevertheless, a Head of Audit will have an effectiveness review scheduled into the Audit Plan at some point, usually on a three yearly cycle, to be seen as ‘proactive’, ‘on the ball’, ‘in touch’. Heads of Audit will try to keep the results close to their chest and not share the precise detail with the Board as let’s face it, there’s no point highlighting your flaws to the those with the power to hire and fire. Sometimes the Board may get a glossy Powerpoint presentation from the firm performing the review.

But what happens when the Chair of the Audit Committee requests an effectiveness review? This signals that the Audit Committee isn’t happy with the Audit function. Sadly, a ‘Head of IA’ (of a financial services firm) friend has been caught by this. The Chair of the Audit Committee requested that a Big Four firm perform a review of the Audit function and has been benchmarked against the IIA standards such as risk assessment, skills, training, etc.

And what do you think the outcome was? Apart from the usual ‘some working papers weren’t properly cross-referenced’, they found that the Audit function wasn’t looking at obvious risk areas such as cyber-security, data protection, internet payments. Given the recent Sony hack and scale of cyber crime, inclusion of these in the Audit Plan should have been a no-brainer. They also found that the Audit function was under-resourced as they had too many audits on the Plan for the auditors available. Of course, the mandatory CPD hours went out the window.

Needless to say, this left the Head of IA on the rack. To be fair, he did escalate his concerns over the Audit plan, resources, etc, to the Global Head of Audit but it fell on deaf ears. We know the outcome of the effectiveness review was never going to have a happy ending. Our Big 4 friends have got their eye to the main chance, i.e. winning an outsourced audit contract, so the Audit function had to be pretty darn good to avoid a shoeing.

So can you probably guess what happened next? Would it help if I told you that the Chair of Audit Committee asked his alma mater accountancy firm to perform the effectiveness review? The incumbent Head of Audit was asked to leave (but with a few quid in his pocket for this trouble) and the Big 4 firm which performed the review were appointed as Internal Auditors. The cost of the function doubled to over £500,000, a nice little earner for the Big 4 firm but shareholder dividends took a hit. And you can’t tell me there wasn’t a drink in it for the Chair of the Audit Committee.

‘Lessons learnt?’ to use that well-known phrase. Don’t over commit the Audit function, try to cover the riskier areas. Of course, the irony of all this is the Audit Committee should have given the Audit function a steer but the Audit function has borne the brunt of their complacency.

Advertisements

Comments»

1. ITauditSecurity - April 14, 2015

On one hand, auditors need to eat their own food and drink from the floor like everyone else. Auditors like to rake others over the coals, but don’t walk over those coals themselves very often, and seldom trouble themselves to even blow on the coals to keep them warm.

On the left hand, like everyone else, Audit functions seldom get what they need to do the job effectively. Sometimes the best you can do is major on the majors and continually keep management informed of your limitations and needs.

When auditors don’t have the staff to do their audits, that’s a great time to look at your audit process and weed out the non-essentials, like all the wasted time putting audit reports through 5 reviews that add very little value other than give the audit manager/director warm fuzzies for ensuring each period is followed by 2 spaces and other critical items like that.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: