How Worthy Time Management is in Internal Auditing
By Mikhail Ben Rabah, CIA, CFE, CRMA
Government Audit Manager, Presidency of the Government, Tunisia
I have been told many times that internal auditors do not care so much about time budgets while executing audit engagements. Schedule overruns are common and frequent in the audit work. And internal auditors will always find a way to justify these delays. This recurrent issue raises the following questions:
- Are time budget overruns due to failure to adequately plan an engagement and/or monitor it?
- Is audit work subject to many unexpected events and constraints so that respecting schedules becomes nearly impossible?
- Is the auditors’ mindset inherently averse to time constraints?
- Is the level and quality of auditees’ cooperation and involvement in the audit engagement crucial in meeting deadlines?
- Are internal auditors aware of potential consequences of audit work delays?
- Shall internal auditors address time budget overruns as an audit activity failure risk?
- May Agile auditing be the way out?
Time Management Challenges in Audit Work
The IIA Performance Standard 2200 – Engagement Planning – states that “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement”. However, in practice things are not quite that simple.
Time budgets for audit engagements are prepared in employee-hours or employee-days. Time estimates are given to each internal auditor to help with time management. Staff auditors submit periodic time sheets that indicate time spent and the status of the job.
Since every engagement is unique, there are no general rules for time allocation to each step of the audit work. For example, allocating 20%, 30% or 40% of the time budget to the planning phase is not the point. It could be 20% for some engagements and 50% for others.
Among challenging issues in time budgeting, internal auditors may face difficulty in:
- Evaluating the nature and complexity of the engagement. For example, access to information and documents may be harder than expected and require more time. Hidden processes/risks and/or stakeholders may be identified throughout the engagement, requiring scope and major budget adjustments. Detection of a significant fraud scheme may also force a drastic adjustment of the audit project. While time budget adjustments are not always a bad thing, excessive and frequent adjustments are a red flag of a planning process failure. Note that budget adjustments need to be justified and approved at a level higher than the engagement supervisor.
- Estimating the available resources. Internal auditors may fail to determine appropriate and sufficient resources to achieve engagement objectives. For instance, they may discover in the course of work that the support of IT experts is crucial to meet the engagement objectives, which may lead to allocating extra time to hire an internal or external professional.
- Relying on management’s current risk assessment, especially when the entity’s risk management is not mature. Hence, internal auditors may reconsider the whole risk management process and spend more time than expected.
- Selecting the adequate audit procedures. The quality of the audit work depends heavily on the selected audit procedures. Failing to do so may lead the audit team to redesign the audit procedures and therefore exceed the engagement timetable.
- Predicting the level and quality of cooperation of the auditees. As auditors, we tend to overestimate the potential involvement of auditees in the engagement. For instance, planning an engagement in an area during a period when employees are overloaded with work may undermine the audit project.
- Justifying required budget time to management and board members. I have seen many audit teams accepting unreasonable deadlines when assigned urgent audit projects, especially when the audit activity is not well positioned in the organization and not mature enough.
Yet it should be noted that the points above refer to some but not all the challenges faced by internal auditors in time budgeting.
Furthermore, internal auditors should avoid the pitfall of establishing time budgets by replicating the time spent in prior years on the same or a comparable engagement. Because no projects are precisely the same (even those covering the same activity), budgets should be reevaluated after the preliminary survey.
It goes without saying that the CAE and audit managers should be trained in effective project and time management. Although some audit projects are well designed and planned, lack of engagement supervision may lead to time budget overruns.
Personally, I would have liked to see project management as one of the required performance competencies to plan and perform internal audit engagements within the new IIA Internal Audit Competency Framework. Note that meeting audit project timescales is a KPI for the internal audit activity.
Moreover, effective audit project management including time management should be an integral part of the audit activity’s quality assurance and improvement program.
The Auditors’ Time Comfort Zone
Unlike managers, auditors seem not to be very sensitive to the importance of timely audit delivery. While a delay of a single day could be undermining in management, a delay of one month in audit delivery may not make a difference. At least this is what many auditors think. This may have been relatively true two decades ago. In today’s technology-driven world of unprecedented rapid change, things have changed. Timely audit delivery has become crucial, especially when addressing emerging risks and threats. Hence, the incubation of crises is shortened in the context of the new technology risk landscape. Every day counts.
Auditors are often reluctant to leave their time comfort zone. Many of my colleagues keep saying that the nature of audit work is unique so that no time budget can be strictly respected. Worse still, stressing auditors with constraining time schedules is a major audit limitation which has an adverse impact on the quality of the audit work, they continue to say.
It is the responsibility of the CAE to make auditors aware of the importance of timely delivery of audit engagements.
Is Engagement Time Budget Overrun (ETBO) an Internal Audit Activity Risk?
The IIA Practice Advisory 2120-2 “Managing the Risk of the Internal Audit Activity” put risks to internal audit activities (not to be confused with audit risk) into three broad categories: audit failure, false assurance, and reputation risks.
The ETBO is an audit failure risk when it is due to ineffective time management by the CAE, audit managers and engagement supervisors. Failing to estimate and allocate an appropriate time budget to each audit sub-process is deemed to be an audit failure risk.
However, when delays are due to failure to select appropriate and sufficient resources or failure to design effective internal audit procedures, so that the internal auditors have to re-perform the work, the ETBO is an impact of the audit failure risk.
In view of all this, a leading practice to mitigate the ETBO risk is that the Chief Audit Executive (CAE) identifies and assesses for each engagement:
- The time overrun risk factors and the potential trigger events that may lead to audit project delays.
- The risk impact of running late (estimated in days and cost). The CAE should be aware that delays also impact the entity/activity being audited. Audit deliverables not provided on time are of no worth and could even impact the reputation of the audit activity (reputation risk).
- The adequate detective, preventive and corrective controls to mitigate the time overrun risk. For instance, having a preset list of subject-matter experts available at short notice (internal or external to the organization) on which the audit activity can rely is time saving. This is a preventive control. Likewise, opting for outsourcing strategies such as guest auditor programs can speed up a complex audit project facing unexpected overruns. This is a corrective control. In the same vein, implementing a process to collect permanent feedback from auditees about the achievement of the engagement objectives can detect in a timely manner the lack of management commitment to the audit project. This is a detective control.
Agile Auditing, the Way Out?
When appropriate, introducing the Agile approach in internal auditing contributes to a better management of engagement time budgets. Agile internal audit projects are conducted through sprints which are time boxes of two to four weeks. Incremental, formal communication of observations during each sprint facilitates better understanding and agreement of findings with stakeholders and allows management to begin developing risk responses throughout the engagement as issues are discovered.
Definition of Done (DoD) describes the output of the audit sprints. It can be expressed in a degree of certainty, a list of observations, risks or recommendations, depending on the wishes of the stakeholders and the internal audit activity. A DoD helps to indicate the moment a sprint has been completed from the perspective of the audit product owner. If the overall DoD of the audit is completed, the audit is finalized.
Hence, the output of the audit project is communicated to auditees throughout the engagement, and there is no longer a need to wait for the final report as in traditional waterfall auditing.
So the answer is yes. Agile auditing, when appropriate, can be the way out.
- How Worthy Time Management is in Internal Auditing - December 28, 2020