We will start this morning's class with a pop quiz. This will count as 5 percent of your final grade, and the content will be the basis for your final exam. Let us begin:
What is your internal audit department's vision or mission?
What are the objectives of your internal audit department?
What risks exist that may impact achievement of those objectives?
What processes and controls exist to mitigate those risks?
How do you measure your success toward achieving those objectives?
Okay, pencils down. As internal auditors, I expect you to adhere to The IIA's Code of Ethics as you grade your own papers.
If it took you more than five seconds to come up with an approximation of your vision or mission: zero points. If you wrote down measures of success rather than objectives: zero points. If you have not recently assessed the risks internal audit faces: zero points. If you cannot articulate how your processes relate to risks: zero points.
If your measures of success have no correlation to the objectives: zero points. And if you have not thought about any of these questions as they relate to your internal audit department: an overall grade of zero.
It seems that every auditor I speak with who has been through an internal quality assessment brags about the solid performance of the audit department. And yet these same people often fail when posed these five questions.
The problem is that few audit shops practice what they preach; they do not look at the effectiveness of internal audit's control framework. So when they complete their internal quality assessments, they focus on documentation, reviews, and approvals without considering the broader aspects of objectives, risk, and controls.
One quick example. No other operation within internal audit seems so universally unsolvable as report issuance. Every audit department...