Raising organisational risk
Audit organisations should improve their visibility into change but they should also strive to deploy audit resources faster a February 2021 survey of 200 audit business partners by analyst firm Gartner revealed, that over half (56 per cent) of respondents said they were facing more changes in the last two years, and a large majority agreed these changes were both bigger (81 per cent) and faster (74 per cent).
The pace of change is set to continue with 65 per cent of executives expecting significant transformation in their industry over the next 2 years, said Ian Beale vice president, advisory at Gartner.
“For audit leaders, the real problem is not the change itself,” he said. “The problem, according to 95 per cent of 135 chief audit executive (CAEs) we polled in February of this year, is that implementing a project or process change regularly leads to control gaps.”
Many audit business partners agree that such changes can result in significant or even extremely negative outcomes
“High levels of change are creating control gaps that in turn are creating significant organisational risks,” said Beale. “Audit leaders must firstly improve their visibility into changes happening in their organisation and secondly develop the capability to deploy audit resources faster when changes arise.”
Improve Visibility into Change
Most internal audit functions are already on a journey to improve visibility into areas undergoing changes, according to Beale. Three years ago, many functions pursued real-time assurance and sought to better leverage data to get a more comprehensive and real-time view of risk.
A year ago, audit leaders were focused on attracting more information from business partners about changes to enable foresight and also by equipping their auditors to better articulate how audit can help management avoid problems and when to ask.
Today, audit leaders are being more proactive, actively seeking more conversation with other assurance functions, better access to senior management, the board, executive and steering committees, by liaising with other assurance teams.
“This is all about getting earlier knowledge of changes, so that there is more time to make necessary audit resource adjustments and avoid control gaps,” said Beale. “However, visibility alone doesn’t solve challenges that arise from resource allocation problems. Improving the speed of audit deployment is also an important part of mitigating control gaps.”
Enable Faster Audit Resource Deployment
There are several reasons why visibility doesn’t lead to faster audit deployment. Often audit’s resources are already full allocated, requiring auditors to stop or hold one thing to take on another. Audit engagements are designed for end-to-end execution, and this tends to limit the movement of auditors until their current engagement is complete.
The audit plan – rigorously developed and agreed with stakeholders – can have a lot of inertia that is hard to stop or change once it is in motion, and therefore it can hamper audit’s response in the face of change.
“To respond more effectively to the levels of change that organisations are experiencing, audit leaders must look beyond improving visibility into changes and aim for what Gartner calls ‘real-time resourcing’ of their engagements,” said Beale.
Real-time Resourcing
There are some simple steps that many CAEs don’t take which can significantly improve audit’s ability to deploy faster and therefore close control gaps arising from process or project changes. For example, just 30 per cent of the 135 CAEs surveyed this year said they broke audit engagements into individual tasks that can be executed separately. Just 16 per cent said they brought staff into audit engagements as needed rather than a full engagement on each occasion.
“Audit leaders have traditionally focused on getting earlier visibility into control gaps arising from process or project changes,” said Beale. “But in doing so they have tended to overlook small adjustments to how audit resources are deployed that will also have a significant impact on audit getting to control gaps on time.”
Tags: AuditComplianceGartner