Among the most difficult factors to consider before and during an internal audit is its scope, or the boundaries and objectives of the audit. Set too wide and internal auditors can feel like they are trying to boil the ocean. Set too narrow and it may seem like the audit findings wont amount to more than a drop in the bucket.
Defining the scope during the audit planning process and getting all stakeholders agree to it is an important step to any internal audit and can make or break the engagement. Done right, it can provide a roadmap for internal auditors to follow. Done poorly and it could send auditors on a wild goose chase that ends up leaving everyone frustrated.
Here we’ll look at ten factors to consider when setting the scope of an internal audit.
1 Know the Organization
Before setting the scope, it is imperative to have a deep understanding of the organization’s structure, operations, and strategic objectives. This involves studying the company’s mission, vision, and values, as well as its organizational charts and key stakeholders. Understanding the business environment will help auditors identify the areas that require the most scrutiny.
2 Define Audit Objectives
No project should ever start without first identifying its goals, and internal audit engagements are no exception. The audit objectives serve as the foundation for setting the scope. They should be specific, measurable, achievable, relevant, and time-bound (sometimes referred to with the acronym: SMART). These objectives must align with the organization’s strategic goals and address the areas of greatest risk or concern. For example, objectives could include assessing compliance with industry regulations, evaluating financial controls, or reviewing operational efficiency.
3 Identifying Risks and Priorities
Risk assessment is a crucial step in determining the scope of an internal audit. This involves identifying potential risks that could impact the organization’s ability to achieve its objectives. Risks may be financial, operational, compliance-related, or related to the organization’s reputation. Prioritize these risks based on their potential impact and likelihood of occurrence.
4 Establishing Boundaries
Clearly defining the boundaries of the audit is essential to prevent scope creep, which occurs when the audit extends beyond its initial objectives. Determine which areas and processes will be included in the audit and which will be excluded. This may involve specifying particular processes, departments, functions, or locations that are within the scope.
It’s important to also remember that the boundaries don’t have to remain fixed during the entirety of an audit. The scope can change during an audit if the initial inquiries and field work point auditors in a new direction. But expanding the scope should be a decision that is not taken lightly. It should be well considered, discussed, and agreed upon by stakeholders before the scope is changed.
5 Considering Legal and Regulatory Requirements
Compliance with legal and regulatory requirements is a fundamental aspect of any internal audit. Auditors must be familiar with industry-specific regulations, as well as broader legal frameworks such as Sarbanes-Oxley Act (SOX) or General Data Protection Regulation (GDPR). Ensure that the audit scope encompasses all relevant compliance areas and regulations.
6 Engaging Stakeholders
Engaging with key stakeholders is crucial for gaining their input and ensuring that their concerns are addressed in the audit scope. This may involve discussions with senior management, department heads, and other relevant parties. Their insights can provide valuable perspectives on areas of concern and risk.
7 Industry Standards and Best Practices
Leverage industry-specific standards and best practices when defining the audit scope. These benchmarks provide a framework for evaluating processes and controls. For instance, in the financial sector, auditors may refer to International Financial Reporting Standards (IFRS) or Generally Accepted Accounting Principles (GAAP).
We do not have to reinvent the wheel with every audit. Just about every internal audit has been done before and there is a wide range of literature and documentation about the standards and best practices when conducting particular audits, especially in financial and IT areas. Don’t neglect to consult them. Smart internal audit teams also know when they don’t have the expertise to conduct certain audits and will seek outside help or “guest auditor” arrangements.
8 Assessing Resource Availability
Internal audit leaders would likely have much different audit plans if they had unlimited resources. Since that is never the case, they must be realistic and consider the best way to leverage the resources they do have. Consider the availability of resources, including time, budget, and skilled personnel, when setting the scope. Ensure that the scope is realistic and achievable within the allocated resources. If additional resources are needed, this should be communicated and addressed early in the planning process.
9 Documenting the Scope Statement
A well-documented scope statement is crucial for ensuring clarity and alignment among all stakeholders. The scope statement should outline the audit objectives, areas included and excluded, key risks, and any specific legal or regulatory requirements. It should also specify the timeline for the audit.
Reviewing and Finalizing the Scope
The proposed audit scope should undergo a thorough review process involving relevant stakeholders. Feedback should be incorporated, and any necessary adjustments should be made. Once consensus is reached, the final scope should be formally approved by senior management.
—
Setting the scope in an internal audit engagement is a critical step in ensuring that the audit process is focused, efficient, and aligned with the organization’s objectives. By understanding the organization, defining clear objectives, assessing risks, and engaging stakeholders, auditors can establish a comprehensive scope that provides meaningful insights and value to the organization. Following these steps will contribute to the success of the internal audit process and ultimately enhance the organization’s overall performance and compliance.
A good scope, when set correctly, will have a Goldilocks effect: not too wide, not too narrow, but just right.
Joseph McCafferty is editor & publisher of Internal Audit 360°
The Article typifies what we have been emphasizing while setting out to conduct any Internal Audit Assignment. Unless the Auditor knows and defines what he wants to Audit , the Auditee will ben left flustered.