Over my many years in internal audit, including 20 as its leader (CAE), I have always faced a challenge common (I believe) to almost every CAE:
There are more sources of risk than audit resources to address them.
My goal was to deliver a formal, annual, overall assessment of internal controls and the management of risk to the board and top management. That meant I had to gain reasonable assurance on all the top sources of risk. (My report explained that my opinion was based on the audits and other work we had done, and that the audit plan was designed, with their help, to address the more significant sources of risk.)
At the same time as ensuring that my team performs QUALITY work, I have to be obsessed with EFFICIENCY.
Every hour I spend doing something that has little or even moderate value to my customers in management and on the board is at the cost of doing something that will have great value.
If the team audits an area of medium risk or continues to audit after they have done enough to form an opinion, that is waste of their time: time that could have been spent doing something of great value.
I was taught a huge lesson when I led my first audit as a senior auditor with Coopers & Lybrand (now PwC) in London. Even though my team had completed the work in fewer hours than in the prior year, the engagement…
