Digressing a little, but I think it is relevant to audit functions today…
The Global Financial Crisis raised a number of questions on how risk management functions were run in financial services and also raised a few questions on the internal audit functions. As a reactive measure the regulators started to pay more attention to the internal audit (IA) departments.
In turn, the IA departments, especially in financial services, set up professional practice functions as an internal check on the quality of the function. The professional practice departments were also charged with additional ownership of the methodologies and processes used by the auditors in the company.
A good move? Maybe?
I say maybe because as with every other new checkpoint, it should be developed to suit the process and be balanced when reporting errors.
In my experience I have seen numerous audit functions with varied degrees of maturity. If you talk to auditors in the majority of these functions in financial services and ask who they fear the most, more often than not the answer would be professional practices!
Okay, maybe a slight exaggeration but you get my drift.
This is because, like any other quality function that’s gone wrong, the focus is only on identifying errors made, including non-compliance with methodology based on a standard checklist, and reporting them without enough root cause analysis. The focus is not on identifying areas where the audit went wrong in meeting its overall objectives. To give an example, most of the errors noted by the reviews are on steps not completed or sign-off not done on time in the audit process. Very rarely do the reviews point at areas where the audit didn’t cover the right area or question why the audit was done in the first place.
And the review process stops here most of the time.
However, the IA function in my view is a very unique function, because the function is chartered to look at the company from a perspective that is different from other functions so that it can question and challenge the management. It cannot be a function which only maps out the controls in a process and tests if the controls were effective for a sample of 25. The auditors have to be creative, sometimes even think like a criminal/fraudster, to identify weaknesses in the processes. As a result, each audit project will differ from the next even when the same area is being reviewed again.
The auditors should have flexibility to increase or decrease scope based on what they see on the ground; however, stringent process requirements, fear of non-compliance and being dinged by professional practices do not always allow the auditor to follow what is needed to achieve the real objective.
As a result, when someone expects all audits to meet detailed policies and procedures, they may be compromising the overall quality of the assurance derived from the audit.
Maybe it’s time to re-look at the professional practices frameworks in place and see how they can be made flexible to allow for a flexible and reactive audit function.