A student went into an exam having prepared for days, knowing of the professor’s reputation for difficult exams. Settling in, with number two pencil gripped firmly, the student completed detailed answers for every question. Every fact and figure the student had remembered was diligently codified in lengthy answers.
When the exams were handed back, the student was surprised at the professor’s comment. “This was a test of short answers–not essays. You wrote too much and I found it very difficult to read your multi-page answers to determine if you understood and were able to provide the key points from class.”
Likewise, board members may be tempted to scribble such a missive on an internal audit report: “Rather than giving us pages of details you learned during the dozens of audits performed, can you audit the key areas (i.e., risks) and give us the ‘short-answer format’ of what we, as board members, need to be concerned about?”
Indeed, “audit-overkill” is now nearly commonplace, and it dilutes the effectiveness of what is perhaps one of the most important roles a board member can play.
There are a number of typical issues a board member must confront, such as risk, governance, and controls. But while some sort of apparatus may be in place, there is no operating manual to which the board member can turn that clearly identifies the potential risks and presents a set of solutions.
Rather than the conventional protocol of presenting a stack of Excel spreadsheets informing the audit committee of the annual internal audit schedule and expecting nothing more than a perfunctory review and approval (pardon me while I do an infomercial impersonation), what if I told you that your auditing schedule could be replaced with just 17 audits that, if executed properly, could provide even better oversight than the 100 or so you’ve been using?
Below I’ve outlined such a condensed schedule. Upon reviewing this list, many GAs may seek to build out a host of additional audits to satisfy the “sufficient coverage” appetite simply through force of habit. However, they must resist this temptation.
To make the decisions that matter, boards must have information that cuts through to the core of the risk issue and provides a clear course of action for review.
In each of the following, the GA should determine the key risks (i.e., the top two to three risks per audit), the strength of governance designed to mitigate those risks, and whether concomitant controls are operating as designed.
Here we go…

Nice summary of points, Walter. With respect to #1 regarding the strengthening of governance surrounding an entity’s strategic plan, I agree that this is the most critical; however, this is often easier said than done and requires full Board and Management support for the Internal Auditor to effectively carry out this type of audit work and summary reporting. We all have the obligation to ensure the entity carries out its mission, the Board, the Management, and the Internal Auditors. Together, we serve as the “check and balance” system that deters and prevents self-serving interest from superseding that of the Entity in which we serve. The Board and Management must be receptive and willing to engage in the open, candid, and constructive dialogues with the Internal Auditor regarding their views on the effectiveness of the existing governance structures and processes. We must prepare for these candid dialogues by accepting the fact that we must discuss the two topics we are often discouraged from bringing to the table – organizational “religion” and “politics.” In the end, these types of periodic candid and constructive dialogues are what will make the difference between those Entities that thrive, die, or barely stay alive.