How much and when should internal auditors report about projects outside of their audit plan?
Internal audit is increasingly being called upon to get more involved in nontraditional types of engagements—projects that don’t fall within the scope of the audit plan. These might include counsel, advice, facilitation, data analytics and automation. How these projects are managed varies from company to company, according to members of NeuGroup’s Internal Auditors’ Peer Group.
- In a recent virtual discussion with IAPG members, the question was whether they report these extracurricular activities to the audit committee (AC). The general answer is yes, extra activities usually get some mention; it’s just different degrees of mention. In other words, some go into more detail than others.
No report. One member says his department doesn’t issue a report after an advisory project. One reason is that the company’s legal department is sensitive about writing things down if it’s not a full-blown audit.
- Another member is careful not to use audit language in any report or summary of work done. In other words, there are no words like “findings” or color codes for level of severity. “It can’t sound like an audit,” he said.
- Still, the first auditor said, they do list the projects in IA’s quarterly report to the AC, putting them down as “other projects” so that committee members know what they’re working on.
- The other reason they don’t create a written report is that stakeholders “get cagey” if audit says it will fully report something to the AC, especially if the stakeholder has called audit looking for help.
Reports and PPTs. Another member created a methodology where if the assignment is more than 150 hours of work and has assigned resources, he will report it. However, it would be in the form of a short memo and not a deep dive.
- “For the small projects, we tend to just think of them more as minor engagements and want to give auditors the freedom to perform a variety of tasks, so typically not reported,” the member said. “But if we schedule the engagement and think it would be more than 150 hours and/or include multiple resources we would report the project to the AC in our summary.”
- This member has hired someone to manage these special projects, which amount to about 5% of IA’s work.
- Another member said this “non-audit advisory” totals about 10% of her team’s audit work. They create a PowerPoint of a slide or two where they offer recommendations for controls, for example for a Workday implementation they did a while ago. Smaller projects, like a recent charitable giving advisory project, don’t merit a PPT.
Who do you work for? Members say that their boards are generally OK with these extra projects but want to make sure the work is not cutting into audit’s main purpose.
- Said one member, “It’s kind of, ‘We don’t mind [you doing the projects] but you’re supposed to be covering our backs, so don’t go too far.’”
- “Yes, do the projects but not at a cost to assurance,” said another.
Just advise. Members also stressed that they are strictly offering guidance or advisory services. “When advising, we’re careful not to help build whatever it is; just recommend controls,” said a member.