In most public sector jurisdictions, internal audit is a mandatory requirement. There will always be some routine “tick and flick” type audits that will be required from time to time to confirm the adequacy of controls for generic activities. But effective Internal Audit is about so much more than the old “tick and flick”.
Ever since non-core services were first contracted out en masse in the 1990s, Internal Audit has too often been perceived as some sort of generic commodity. This is a fallacy. While the physical process of auditing can be somewhat generic, the professional judgement, expertise, care, professionalism, as well as the depth and breadth of experience, are key differentiators of quality.
A worthy service provider will not only provide you with a good price, but even better value.
Say you are in the market for some chilled drinking water. There are three taps on the wall from three different suppliers and you must choose only one. They all look pretty similar, except that one of the taps is gold-plated. Prices are competitive in relation to the water that each tap provides. The gold-plated tap looks nice and shiny, so you choose that one.
You turn the shiny gold tap and find that the water pressure is very low. It takes ages to fill your glass. The water itself, while safe to drink, is slightly warm and tastes a bit strange.
Disappointed, you then turn the next tap. The water pressure is good, but the water looks rusty and smells. You don’t even risk tasting it.
Shaking your head, you turn the last tap. The water flows out at good pace, is cool, looks clear, and tastes fine.
So which tap provides the best value? Most people would agree that it’s the third tap. The first tap looks great and technically meets your needs, but the water it provides and the manner in which it provides, is not really what you wanted. The second tap, while it provides sufficient water, doesn’t really meet the brief at all.
Only the third tap provides a product that services both your needs and your wants at a competitive price.
Setting out what makes a good Internal Audit service provider, instead of an average one (or a poor one…) can be difficult. Based on our long experience working with clients across all sectors, we’ve developed a summary of the high-value versus the not so good aspects of internal audit service delivery.
|Ineffective IA service delivery||Why not?|
|Labour-intensive: Clients do not want to ‘hold the hand’ of the auditor for an extended period.||- Time is better spent elsewhere.|
- Auditors should be skilled enough to operate independently.
- Auditors should have relevant experience, preferably regarding the subject matter or within the sector.
|Not risk-based: Clients do not want lots of low-risk “housekeeping” audit recommendations.||- Management and the Audit Committee spend a disproportionate time monitoring low-risk actions that do not add much value or mitigate key risks.|
- Line management experience audit fatigue as they do not have time to implement change before the next audit.
|Lacking quality: Clients do not want to perform badly against external Quality Assurance Reviews of the Internal Audit function.||- An external review is a requirement of the IA’s International Professional Practice Framework, and is built into public sector policies and procedures.|
- Poor performance may lead to reputational damage and create a new suite of tasks to complete.
|Dictatorial: Clients do not want or appreciate an auditor who tells them how to run their business.||- Over-prescriptive audit recommendations that are not fit for purpose or do not engage management.|
- A “one-size fits all” or “been there done that” approach does not encourage an understanding of the risks or ownership of internal controls.
|Not inclusive: Clients do not want an auditor who fails to keep the Chief Audit Executive or Project Sponsor in the loop.||- By not keeping the CAE fully apprised throughout the audit undermines the credibility of both the CAE and the audit function overall.|
- Audit activity could be driven by service provider preferences rather than organisational needs.
|Passive: Clients do not want an auditor who is not prepared to identify and report bad news.||- Auditors need to be frank, and at times, make findings regarding high risks that management might not want to hear / read.|
|False economy: Clients do not want auditors who lowball on price so that they can use audit as a ‘loss leader’ to find more lucrative consulting opportunities.||- Service providers might not deliver on the quality audit team promised when the contract was signed, instead sending in “raw” junior staff.|
- This can lead to price gouging and a waste of public funds.
|Poor communication: Clients do not want reports that are poorly written, unclear, difficult to understand and easy to ignore.||- Poorly written reports make it hard to gain acceptance of audit findings and the associated recommendations.|
- This has the potential to damage the credibility of Internal Audit.
The value and/or performance of internal audit should be regularly monitored and reported. Good metrics for internal audit effectiveness include:
An internal audit service provider should also be the “right fit” for your business. Senior personnel should be qualified, responsive and willing to share their time, experiences and knowledge of better, innovative practice. They should also be attuned to and readily fit in with the prevailing culture of the organisation, whilst sill remaining independent at all times.
Centium’s Risk & Assurance team comprises experienced Senior Auditors that understand business and the public sector environment. Each and every member of the team has a proven track record across multiple sectors and jurisdictions. This experience lends itself to our team members being able to make helpful and pragmatic recommendations and suggestions for improvements, based on their extensive learnings across the public and private sectors.
Centium’s Senior Auditors understand risk management, the competing demands on your time and your expectations regarding cost-effectiveness; we always scale and present our audit recommendations in a manner that best suits your business.
Our Auditors perform sufficient testing, maintain good working papers to ensure compliance with the IIA’s Standards and are willing and able to provide them to you on demand. The team writes well and we stand by the quality of our audit reports.
Our Director Risk & Assurance will support and work in partnership with the Chief Audit Executive / Project Sponsor to meet the needs of both the organisation and the Audit Committee. Our team is professional and can call on broad, collective experience to identify poorly-controlled risks, initiate a call to action, and provide appropriate advice as to how other organisations have addressed similar risks.
Finally, our Risk & Assurance team charges sustainably for their services (an ethical requirement) and provides value for money for both assurance and consulting engagements. We also have a range of discrete, low-cost management tools that help diagnose and assess organisational maturity across a range of risk-based issues.
If you have questions or concerns about finding the right internal audit provider, or would like to further discuss Centium’s audit offering, you can contact Director Risk & Assurance, Penny Corkill at email@example.com or 0409 251 011 for a confidential, no obligation conversation.