By Terry Owen
Are you managing your audit projects or are they managing you?
I worked in a high-volume audit shop where our team issued nearly 100(!) audit reports each year with a staff of 12 auditors and 2 support staff.
That was in addition to performing risk analysis of potential audit objectives, following up on previous audits, training, and responding to inquiries by anyone that had an axe to grind or a bone to pick.
Our world without solid internal audit KPI metrics
Each audit project was tracked by the auditor on a spreadsheet on our shared drive. The process was prone to error, so management, appropriately, didn’t always trust the statuses found in the spreadsheet.
Too often audit projects would fall through the cracks, and it was always THAT audit. You know the one…the audit that’s going to get your organization all kinds of unwanted attention.
We also tended to either overload or under-load auditors with audits and work.
The team leaders that scheduled audits estimated, based upon their experience, how long each phase of an audit would take and set budgets based upon their guess-ti-mates.
Auditors in the trenches know that no two audits are alike, at least not if you’re really performing risk-based auditing. You never know what you’re going to find until you start digging into the audit evidence.
We also didn’t have solid data on how much time audit staff were attending training, meetings, and non-audit functions instead of performing actual audit work. More often than not, the goals set for each auditor were unreasonable and unachievable and that’s a morale buster for even the most professional among us.
In short, we didn’t have Internal Audit KPI metrics that would help us manage our work and audit risk. (KPI stands for key performance indicators, by the way.)
The pain pushed us to improve
There were a large number of other pain points in our processes that we intuitively knew were preventing us from working more efficiently, assessing risk more accurately, and completing more audits with the same number of staff.
Luckily, we had a dedicated staff with a wide-range of experience from 3 months to over 25 years so we heard plenty of new ideas as well as hard-earned wisdom. Even though we had a diverse staff, what they all had in common was that they knew we could do better and they were willing to roll their sleeves up and make it so. But, where to begin?
We stopped and redesigned our processes
Our team spent two entire days combing through our processes, step-by-step, to understand the current state. We also identified all of the tasks, sub-tasks, redundancies and inefficiencies that we had been living with.
In some cases, the way we thought things worked, was not how they worked at all.
We weren’t capturing information, including the risk areas for a given audit. If we had the information, we knew it would help us understand when or if the same area should be audited again in the future.
In summary, we weren’t capturing high-value information that could help us assess future risks and become more effective as an organization.
From that exercise we developed an ideal state.
Our ideal state
As Peter Druker said, “You can’t manage what you can’t measure.” So we added collecting internal audit KPI metrics to each audit. Our ideal state was as follows:
From our quest to find the ideal state, we developed a virtuous cycle that addressed most of our pain-points, while eliminating redundancies. We discovered that there was a lot of wasted effort in our processes.
In other words, you need reliable and relevant internal audit KPI metrics and a system in place to track them if you want to be an effective audit shop.
From our quest to find the ideal state, we developed a virtuous cycle that addressed most of our pain-points, while eliminating redundancies. We discovered that there was a lot of wasted effort in our processes.
We needed IT support and leading indicators
With the support of IT professionals, we developed a web-based solution where we could track each audit near-real-time. At the conclusion of each audit, the auditor would calculate a new risk score and populate that information into the tool.
As we learned more, we were able to begin relying more on leading indicators of risk rather than lagging indicators.
Internal audit KPI metrics allowed management to reduce waste
All of this captured information was utilized by the team leaders when they created subsequent annual audit plans, which cut planning time by more than 25% in the first year. Also, management could clearly see why a particular audit was included in the plan based upon hard data, rather than by whim.
We collected hours data for each phase of each audit. Additionally, hours for training, meetings and non-audit functions were captured to give us a staff-utilization rate and a clearer picture of where we were spending our time.
When management and staff reviewed this information, they could clearly see where time and effort were being wasted.
Each audit project was given a numerical complexity score where the higher the number, the more complex the audit was likely to be. We then developed a range of reasonable hours values for each phase of an audit based upon the complexity of a given audit.
The total hours for each phase were used to assign audits and budget total hours for each staff member. Negotiated completion dates for each audit were tracked in the tool to aid staff and management in scheduling and managing the project.
The results were worth the effort
Now, everyone could quickly see how each audit was progressing and what phase of the audit it was in! As a result, over-scheduling and under-scheduling of auditors’ assignments was cut in half over a two-year period and continued to improve as we collected more data.
It required almost an entire operating cycle for audit staff to realize that taking a couple of minutes each day to capture this information saved them both, hours of time and the frustration of trying to manage too many projects.
It also saved management the embarrassment of over-promising and under-delivering on the annual audit plan.
Obviously, we weren’t able to solve every problem that we identified; however, we did find solutions for those that would give us the most bang for the buck.
It became easier to track each audit project and where it was at in the process. The days of an audit falling through the cracks were in the past because each staff member had a dashboard that listed all audits that were assigned to them.
The fruit of our labor was dramatic. Developing and refining these internal audit KPI metrics made our audit shop rock in just one operating cycle, and by the end of year two, we had refined our processes even more.
We also provided training to staff members on project management techniques and other skills to make them more effective team members. These critical skills not only helped them be better auditors, it made them better business professionals.
The result was that we were finally able to manage our audit projects, instead of the audit projects managing us.
Retention of staff improved and everyone felt a sense of pride and ownership for what they had achieved.
If you want to know more…
If your audit shop could use assistance to evaluate your processes and look for solutions to make your internal audit shop rock, contact us at info@Yellowbook-CPE.com.
In spring of 2021, we developed a new survey tool to help your audit team establish their current state. We are looking for testers. Testers would receive the results of our analysis for free. If your audit shop is interested, please write to info@Yellowbook-CPE.com for more information.
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: