A world-class internal audit function that would not comply with the IIA’s Global Internal Audit Standards (as drafted)

As the CAE of multiple internal audit departments[1] that were considered world class by members of the board[2], top executives[3], consultants[4], and team members, I would deliberately not comply with the IIA’s Global Internal Audit Standards (as drafted).

Several draft standards are involved, especially:

  1. We would not perform an assessment of risks to the auditable entity that will be audited. We try to focus our scope on the controls at the entity relied upon to address the more significant risks to the objectives of the enterprise (i.e., we often do not address risks to the objectives that are only important to the entity).
  2. We do not include recommendations for each risk and control issue in our audit reports. Instead, we work with management to determine and then report agreed action items. Management believes these are necessary for their own success as well as that of the enterprise, so they get done.
  3. Because the risk is low that the agreed actions will not be completed, we do not formally follow up and report the status of every action item, and rarely, if ever, perform a follow-up audit. We discuss significant issues with management in our periodic meetings with them, and that is almost always sufficient.

I posted a video on why I don’t report audit recommendations and some of the viewers found…
