I have been reading about a CAE who took over an underperforming internal audit department of five people.
What he did illustrates the huge difference between risk-based auditing as some see it, including those who preserved it in GIAS, and (enterprise) risk-based auditing as most leading practitioners understand it, including the UK’s Chartered Institute of Internal Auditors (and me).
The department that he took over performed many of the same audits year after year, almost exclusively on financial and policy compliance issues.
As he met with the top executives, he learned that there were manufacturing quality and customer satisfaction issues that worried them, employee safety problems, and trouble recruiting the employees the organization needed.
What did he do?
He went back to his office and reviewed the program for the imminent annual audit of travel and expense (T&E) reporting and payment. The auditor was planning to use the same audit program as in the previous several years.
While he made an improvement by making sure that the auditor considered the objectives of the T&E department and the risks to those objectives, he left the T&E audit on the schedule. If anything, he increased the scope.
I’m not sure why – other than wanting to address the concerns of the middle management in T&E.
What he failed to…