SUPPLEMENT TWO DEALING WITH MANAGERIAL PROBLEMS

THE INTERNAL AUDITING HANDBOOK

SUPPLEMENT TWO

DEALING WITH MANAGERIAL PROBLEMS

1 Introduction
Perfection is impossible to achieve. Inefficiency should be contained within acceptable levels and
controlled.

2 Typical Problems with Internal Audit

The need to address problems
Audit management is responsible for resolution of problems in internal audit. Turning a blind eye to
poor practices and not demanding relevant control information are practices that impair good service
delivery. If audit managers do not ask for reports on budget overruns on audit jobs, they are guilty of
mismanagement/maladministration. If timesheets are not being filled in accurately to reflect time
spent, then management must react. The worse case is ignoring internal problems while at the same
time auditors are seeking to promote high standards of control from auditees.

During an audit, a senior auditor wished to advise management to sort out the
filing system which was untidy, with files left out over desks, cupboards and
the floor. Unfortunately this was not possible since the audit manager’s own
office was the most untidy and disorganised in the entire organisation.

Excess hours charged

This can be a problem area. Audit resources can be regarded as the sum of chargeable hours. Time is
the most important factor that must be controlled by audit management. Although some audit
managers fail to control time. This requires:
1. Authorised budgets set for jobs.
2. Timesheets accurately recording hours spent on the job.
3. Regular reports on hours charged.
4. Effective management action.

If there are weaknesses in any of the above then this control will not operate properly. Even where this
system is in place there may still be excess hours charged to jobs. This occurs where:
• The budget was not set properly.
• The budget is not seen as a serious issue.
• Authorisation was not secured for extended hours.
• The audit entailed resolving unforeseen problems and/or difficulties.
• The client asked for additional work.
• The auditor decided to do additional work.
• The auditor was “dumping” time into the job; not all charged hours were worked on the project.
• The auditor was inefficient.
• The audit manager caused extra hours to be charged by intervention or lack of it.

Effective management action requires communication, involvement and consideration if this system is
to work and play a positive role in controlling audit projects.

Inadequate working papers

There are often inadequacies in working papers although this may be trivialised as a minor issue that
detracts from the important issues that concern audit management.

© Spencer Pickett 1997 1

 A new audit manager was given a draft report to review. She asked the field
auditor to provide the working papers. The auditor could not find them at first
and after some time extracted a file from underneath his desk with various
pieces of scrap paper and put this on the manager’s desk. The audit manager
could not relate anything in the file to the audit report; one important figure
from the report was taken from memory and was not mentioned in the
working papers.

If management fails to set and monitor clear standards on working papers then everything is left to
chance. Working papers are important as organisations are being subjected to external review by
investigators, the courts, and government departments. Findings from internal audit reports and files
play an important role. It is insulting to produce a report for management that has no clear supporting
documentation prepared to defined standards. Even where the report is accepted by management, we
should be able to confirm all important material that has been reported. Priorities need to be
addressed. Audit management must as a minimum:
• Set a documentation standard that covers permanent and current audit files.
• Train staff in these standards.
• Review all audits and seek compliance with the standards.
• Review the filing system; destroy old files, or microfilm, archive or retain them on disk.
• Maintain a “clear-desk” policy that ensures files and papers are not scattered.
• Adopt automated papers.
• Use standardised documentation.
• Keep the documentation standard under review.

No sense of direction
Auditors carry out required work and issue reports and advice to management. They assist
management on control issues and are seen as guardians of organisational procedures and control.
Reports give recommendations which may or may not be acted upon by management while, as time
goes on, these reports fall out-of-date and new work is required that takes on board current
circumstances. We may audit a moving target where operational areas undergo continuous change
many of which are confidential. The auditor may make recommendations when not sure what major
changes are planned for the immediate future.

An auditor was coming towards the end of a major review of the Payroll
section (based in the Finance Department) that covered the way staff were
organised and directed to achieve control over this function. Management
had prepared confidential papers to de-centralise payroll with only a core
service at the centre. On receipt of the draft audit report, management was
impressed but felt it would be superseded by their major changes.

It would have been better to set internal audit up as consultants to assist the confidential change
project. There is great danger where the audit role loses direction and operates on autopilot churning
out report after report with little meaning to the organisation or the auditors themselves.

A new audit manager with many auditing qualifications was eager to use his
newly found knowledge to embark on management audits. He briefed a senior
auditor who had been in internal audit for many years, about a new audit
assignment. The auditor showed little interest and eventually commented that
“I will be OK as I remember doing this audit five years ago”.

A sense of loss of direction can be the difference between a good audit and a boring report.
Demotivated auditors are a problem for audit management even where they do their work and keep
within budget. They will not contribute to the development of the audit function nor inspire others to
produce excellent work. Admittedly some auditors cannot be motivated. The CIA should:
1. Prepare and implement an audit strategy that pushes internal audit from one period to another.
2. Publicise this strategy and seek support from staff by involving them in its formation and use.

2
SUPPLEMENT TWO DEALING WITH MANAGERIAL PROBLEMS

3. Market internal audit and recognise achievement so that staff can relate to success criteria.
4. Implement suitable human resource management policies and programmes.
5. Remove blockages to performance, particularly with awkward clients who may impair audit’s right
of unrestricted access to documents, records and information.
6. Keep internal audit fresh and vibrant by regular section meetings, days out, seminars, social
events, and an invigorating audit manual.
7. Have clear goals.

No follow-up procedure
Another weakness is lack of follow-up procedures. Auditors adopt the attitude that they do the audit
and simply walk away. The follow-up procedure is less of a formality and more an acceptance of
responsibility for the audit. The internal auditor needs to:
1. Target high-risk systems.
2. Review the adequacy and effectiveness of the systems of control that protect this system.
3. Alert management to any problems with these controls where necessary.
4. Advise management of ways that systems of control may be improved.
5. Ensure management responds to audit findings and indicates what it intends to do.
6. Monitor the action taken by management.
7. Revisit the audit after a suitable period to highlight further action management needs to take in
respect of its controls.

Much of the above results in recommendations being made to managers on action they need to take in
improving controls or investigating related matters. Many recommendations talk of the need for
urgency in addressing outstanding concerns identified during the audit. To leave the audit after
publication of the report and show no concern to follow up issues that were left with management,
sends out the wrong signals. The follow-up routine is a key ingredient for any audit and it motivates
staff by providing an end-product where required changes are properly actioned by management.

Low pay
This is a problem in some internal audit departments that has a causal effect by impairing the ability
to deliver good audit services. The knock-on effect of low pay is:
• Low status.
• Inability to attract good calibre staff.
• Inability to retain good calibre staff.
• Less scope to implement development strategies within the function.
• Inability to deliver an adequate audit service.

Inadequate audit manual

An indicator of the adequacy of an internal audit function is the condition of the audit manual. If it is
out-of-date, unused or inadequate, audit management has failed to provide clear standards, policies
and procedures for the performance of audit work. The manual is not a low priority item considered
only when there is spare time available. One argument is that smaller units who employ senior
auditors may not need to adopt the rigours of a formal manual. The clear requirement is that standards
must still be set and applied even where staff are experienced. There is no escaping this, although the
depth and scope of coverage of the manual may vary depending on the type of audit unit.

Poor planning
There are internal audit departments that work to no formal plans. They provide a response based
service which suggests that what is important to management on any particular day should also be
important to internal audit. Audit work consists of a constant stream of referrals from senior
management who ask for a variety of matters to be investigated by internal audit. Audit responds,
carries out the work and all parties are happy. Planned audit work is not completed because resources
are diverted. This is based on failure to appreciate two basic concepts:
1. Internal audit works for the organisation, not management. The organisation needs its controls
reviewed and made right whilst individual managers want help in dealing with specific issues
that affect them day by day. Resources channelled away from the organisation are being
misdirected to the detriment of systems work.
2. Most management referrals consist of problems that result from poor systems and it is these
systems that should be addressed by internal audit.

This is caused by poor planning with audit plans not seen as important, superseded by special
investigations. Good planning consists of a formal evaluation of the relative risks in defined audit

© Spencer Pickett 1997 3

units to direct audit resources towards those systems that are the key to organisational success. The
audit plan represents a contract between the organisation and internal audit. It sets out what should be
done and when, whilst investigations are extras that should be funded separately by management. If
the plans are suspect then subsequent audit work is based on a hollow foundation. The problems
derive from a failure of audit management to recognise the importance of properly resourcing these
areas of work. There is a need to develop an effective business plan. This sets the internal audit
function up as a business unit with clients, marketing strategies and concrete business goals.

Inadequate supervision
The level of supervision depends on the type of work and auditors employed. For more senior staff this
may be based mainly around the final review procedure, with little involvement from audit
management during field work. For less senior staff a lead auditor may be appointed or the audit
manager may spend time with auditors on site. The amount of supervision should correspond with the
need to exercise close control over the project. The problem arises where management has failed to
provide the requisite level of supervision. This failing is related to a lack of procedures on how audits
are controlled and supervised rather than the behaviour of individual audit managers. Auditing
standards require the auditors to undertake only audits they are able to perform. This is not for each
individual auditor to be left alone to carry out audits with little or no support from audit management.
It is incumbent on audit management to assess the level of supervision an auditor requires. This
dictates the extent to which direction and assistance is provided during an audit. There is a need to
ensure audit management/seniors are available at short notice, and this should not impact on any
performance appraisal scheme. Seeking advice should not be seen as an admission of failure. Only by
setting suitable standards and ensuring they are met can audit management discharge this role.

Lack of continuing professional education

Another mistake is to forget that staff development is a continuing process and does not end with
professional training. It is one thing to establish formal training programmes and support auditors in
professional training, but we must not forget to view post-qualification training as another
fundamental requirement. There are auditors who may not succeed in formal examinations and their
training requirements cannot be ignored. The world of internal audit is ever-changing and what was
taught years ago has to be updated to keep up with developments.

No career development
Successful internal audit depends on high levels of auditor motivation which is a key factor is career
development. Where auditors believe they have no chance to develop and achieve higher grades and
increasing levels of experience, they become demotivated. Audit can be a long-term career so long as
there is development and ways to ensure staff do not stagnate. Good staff will always be in demand but
if reasonable expectations are not met, they will leave. Less able staff will remain and reduce overall
efficiency. Management must develop staff to reach full potential and develop into all-round auditors.
Career development does not just revolve around increased financial reward. It is a factor but
exposure to the variety of audit work keeps staff interested without necessarily promoting them.

Reporting delays
Auditors work well in the field through the psychological desire to perform well to an audience. They
must be seen to be efficient. Some auditors pride themselves on receiving commendations from
auditees as they put in long hours. Unfortunately this falls away when the auditor returns to the desk
in the internal audit unit. Away from the client and amongst friends and colleagues, the temptation is
to engage in office banter and open-ended conversations. Even with a work flavour, it takes time away
from the main project. Where the department applies a policy of drafting audit reports back at the
audit office this may lead to delay. The implications of excessive delays in reporting are:
• The continuity of the audit may be lost as the auditor works increasingly from files and relies less
on hands-on images obtained at the audit site.
• The audit is de-prioritised by the client who sees the delay as an indication of low importance.
• Changes occur not anticipated by the auditor. This impacts on implementing the auditor’s
recommendations as they are superseded by new circumstances.
• The auditor becomes bored with the project impairing the quality of the final report.
• There is more chance of interruptions from urgent work required in other areas.
• The client may feel the audit is aborted and not expect to receive a report.

Audit management must avoid this and the reporting stage holding up the audit process:
1. Introduce new technology to ensure reports can be prepared, copied and quickly bound in-house.
2. Set clear reporting standards so that structure and style are not re-invented for every draft.

4
SUPPLEMENT TWO DEALING WITH MANAGERIAL PROBLEMS

3. Adopt standardised working papers to feed smoothly into the reporting system. Link papers to
show terms of reference, findings, implications, conclusions, recommendations, client
comment and agreed action in a logical order that fits the report structure.
4. Write most of the report at the client premises as the audit progresses using portable PCs.
5. Set separate budgets for the reporting stage that are carefully monitored and controlled.
6. Set a reporting date standard of say 3 days after completion of the fieldwork.
7. Ensure the audit review process is ongoing and does not hold up progress of the draft report.
8. Ensure auditors receive training in efficient report writing and drafting.

Lack of professionalism
This amounts to a lack of qualified staff working to professional standards. Auditors with no formal
qualification can perform to high standards. Professional and formal training programmes do,
however, bring an injection of new research and ideas. There needs to be a foundation upon which the
CIA may build an audit function and this comes from employing and developing professional staff.
There is always room for people who do not hold qualifications although there must be a nucleus of
staff who have passed formal examinations. This balance should deliver good services.

Financial emphasis
There still exists the old-fashioned view that internal audit is primarily a branch of accountancy. The
modern day equivalent is the internal audit function whose role revolves around financial systems.
Accountants discharge these responsibilities and will support external audit work. This traditional
model of internal audit is easy to manage and may be in line with managers’ expectations, but it has
drawbacks. Firstly, the potential of audit functions that can work on projects outside the financial
arena will be missed. Secondly, the scope for overall development of audit skills and perspectives is
restricted by this fixation with financial systems. Despite this, there are still internal audit units that
hold onto the financial bias, and so long as it meets organisational expectations, it is hard to criticise
them. It is up to the organisation to realise the potential that can be derived from a top level,
unrestricted audit function and a dynamic CIA has a pivotal role to promote this vision.

Performing line functions

We have moved on from internal audit rubber stamping parts of the system and being part of line
operations. The problems are more subtle now where although removed from line roles, internal audit
is still locked into the system. This occurs where managers refer their problems to the auditors for
resolution. It may be a list of system errors, a breach of procedure or waste occurrence. Taking
responsibility away from management and locating this with internal audit gives the auditor
operational responsibility. Where we accept this situation for short-term convenience (and possibly
compliments) there will be longer-term problems and poor appreciation of the duties and obligations
of management. Where internal audit provides this fall-back it is as much a part of the system as it
was in the days when it stamped each payment before the cheque could be released. A more
appropriate response is for internal audit to advise management on how best to solve its problems.

No defined approach
The final problem is where internal audit has no consensus as to its approach to audit work. When
describing an audit we may use a variety of terms including: investigation, study, inquiry,
examination, review, programme, and project. Each carries a different emphasis and means different
things to different people. There are different models of internal audit and the type of work that
discharges the audit role. Short compliance based audits last a few days while major operational
reviews with wide terms of reference take several months. If this agrees with the audit charter and
meets professional auditing standards there is no reason why these differences should not exist. The
problem lies where the CIA has not decided the right approach. Members of the audit department will
be left to guess or make up their approach from personal experience. There is little scope to develop a
professional audit service and associated procedures. There will be role conflict amongst audit staff if
the approach has not been clarified, particularly between systems work and carrying out investigations
on behalf of management.

3 Evaluation of Internal Audit

Such problems may be isolated via a review of internal audit ideally carried out externally and
reported to the CIA. This is because problems may be so embedded into the audit ethos that they are
not seen by audit management. Several parties benefit from evaluation of internal audit:

© Spencer Pickett 1997 5

• The audit committee wish to ensure that the organisation is receiving good value for money from
the internal audit function, and that it is achieving its aims and objectives.
• Internal auditors themselves wish to know how their unit is placed in terms of comparative audit
services. They will want audit management to be on top of all relevant developments and able
to guarantee the success of the service
• Audit managers want to know whether they need take any particular action to strengthen their
procedures and the way they manage the audit service.
• The CIA wants to know how the unit is performing and if changes are required to how managers
and staff are organised. There should be emphasis on the effectiveness of current strategic
plans.
• Audit consultants may be involved in carrying out the evaluation with a vested interest in
promoting this exercise as a regular event.
• Educational bodies that provide training in internal audit may wish to follow developments.
Some reviews of public sector internal audit departments are made available to the public.
• Professional bodies wish to ensure standards are maintained through regular external reviews.
• The external auditor will wish to place some reliance on the work of internal audit where it
impacts on the financial accounts. The results of any external review will be of particular
interest.
• Line management wants to know audit works to professional standards and is objective and
reliable.

How internal audit may be evaluated

Any good internal audit function should subscribe to the standards and practices described. Auditing
techniques, principles and theories each contribute to the overall quality of audit services. Factors to
be considered when carrying out an evaluative review are:

1 Personal development programmes should be in place for each auditor and reviewed on a regular
basis. Action to effect the necessary development should be taken and monitored.

1 The quality of audit reports is important. Any review should consider a sample of audit reports
taken at random which can be rated on a scale agreed before the exercise is started.

1 Adopted procedures. The way work is performed and controlled should be reviewed and we would
look for formally documented procedures.

1 Auditors’ qualifications. The number of types of qualifications should be considered as should the
required levels set out in the job specifications, which should coincide with the type of audit services.

1 The management and control of internal audit. Managerial arrangements should be assessed at
CIA and audit manager levels. If sound there is a good chance that the unit will be well run.
1 Financial budgets. The CIA must hold and manage a suitable budget. The arrangements to
discharge this requirement should be reviewed along with the actual budget and spending.

1 In-house specialism. The types and levels of skills that are available to internal audit should be
sufficient to discharge the audit role and this must be examined in some detail.

1 The quality of services provided is a major indicator and has several components. Audits should
meet their objectives, be within budget and impact on the organisation in line with the audit charter.

1 Audit plans should be in place and based on suitable risk appraisal. They should work, be up-to-
date and provide a clear control for directing audit resources to sensitive control issues.

1 Training programmes which address training needs and run continuously should be in place, along
with a defined person responsible for audit training.

1 Vacancy levels should be examined and kept low. Where vacancies appear in key places such as
computer audit or managerial level, the effect on audit’s ability to deliver suitable services should be
assessed. We should also consider whether any new staff are required, given the expense.

6
SUPPLEMENT TWO DEALING WITH MANAGERIAL PROBLEMS

1 Equipment and IT should be in place and part of an overall IT strategy with an annual budget for
acquisitions and replacements. We would look for a budget for depreciation or obsolescence.

1 The adequacy of working papers is a common area for review. This depends on clear standards
applied consistently. A random selection of audit working files will quickly isolate any problems. The
key is to have criteria defined before files are examined. These may cover matters such as
standardisation, headings, dates, source of evidence, clarity, and review. One standard that may be set
by audit management is to assume all working paper files may be subject to external scrutiny. We
would be concerned if internal review relied on an assessment of the draft audit report only and not
the underlying working papers. Files should contain adequate evidence of review.

1 An up-to-date time recording system should be in place based on the submission of weekly
timesheets assigning each quarter hour to defined work codes. This should feed into the budgeted-
hours designed to keep control over projects. Periodic variance reports should be available on actual
versus planned hours and we would look for clear management action in response to these reports.

1 The scope of audit work. An interesting review area is based on assessing the type of audit role
assumed by the internal audit function. Most hold the view that we would look for the audit function
to bid for a high-profile position within the organisation by moving towards the “top right hand
corner”:

FIGURE 1 LEVEL OF AUDIT COVERAGE

HIGH

“top right
Material & high risk areas

hand
corner”

LOW Sensitive & important areas HIGH

Internal audit would seek to perform audits with a major impact on the organisation. This is an
ultimate goal which depends on the right position, suitable staff, top management reporting lines,
professional development and acceptance by the highest levels of corporate management. All
constraints must be recognised in case audit promises high-level work but is unable to deliver.

1 The Organisation Chart. It is possible to progress a review of internal audit by considering the way
it is structured and located within the organisation. The chart must be available, up-to-date, clear and
promote the achievement of audit objectives. The chart is only one side of the story. It is a snapshot
that must be interpreted in conjunction with the audit strategy and type of staff and services being
delivered. It provides a starting place to understanding the way audit resources are deployed.

1 Level of agreed recommendations help the reviewer discover if the auditor is in tune with
management control needs and problems. Reporting and walking away from problems impacts
negatively on audit reputation. Reasons why management may decline an audit recommendation
relate to professional judgement on the balance of relevant factors. There is a problem where internal
audit makes numerous recommendations that fail to impress management. This may indicate an audit
stance that creates some distance between audit and clients. It may be caused by a lack of
consultation/communication between auditor and client on the findings as they are being developed.
The audit role may be based on providing additional advice to management to be used in conjunction
with other factors before a decision is made. A wasted recommendation may indicate that audit time is
not being used in the best way or that management has no commitment to a control orientation.

© Spencer Pickett 1997 7

1 The audit charter. A simple matter to check during a review is the audit charter. This should meet
a number of tests including that it exists, is appropriate, signed, authorised, implemented, reviewed
and kept up-to-date, understood by auditors and made available throughout the organisation.

1 Use of professional auditing standards. A review would look for a commitment to professional
standards and a clear mechanism for translating these into audit activities through the audit manual.
Where staff are fully qualified this indicates that these standards have been fully assimilated.

1 The audit manual. The review of internal audit may comprise a consideration of the adequacy of
the audit manual and the extent to which it has been implemented and complied with.

1 The client’s view. Whatever is found when reviewing internal audit procedures is irrelevant if the
client receives no perceived benefit from the audit services. A questionnaire to clients is a useful way
to assess this. It can be done on two levels; firstly where specific questions can be asked on the quality
of a recently completed audit; secondly a general questionnaire. If a systems based approach is applied
to the review, we would look for a procedure where the CIA requests this information on a regular
basis. The reviewer would then follow up some of the returns with an interview with a selection of
respondents, to confirm the comments and expand where required. We would ensure that the CIA
takes positive action on receipt of the returns. This is one acid test of the success of internal audit, so
long as the client has been properly defined, such as being an audit committee.

1 The level of independence is determined by position within organisational structures and an

assessment of any barriers should be considered.

4 Combating Threats
This brief section deals with major survival issues.

Statutory versus non-statutory

There are internal audit functions that are statutory requirements. We define three main categories:
1. Required by statute - e.g. local government under the English Local Government Act 1972.
2. Encouraged by statute - e.g. building societies where sound systems of internal control are
required. Housing Associations now have directives on the requirement for an internal audit
function.
3. Not required by law - e.g. a large manufacturing company.
Private or public sector organisations required to establish audit committees fall under category 2 as
this encourages the use of an internal audit service. Category 1 organisations must have internal audit
but this does not define its size and status. Nor is there any requirement for internal audit to be
provided by an in-house team rather than an external contractor. These audit teams may still be under
threat if they fail to deliver a quality service. Category 2 audit functions may be set up to take
advantage of the general drive towards better accountability. However the audit role may be
discharged by a compliance type function that is set up to review whether organisational standards are
being properly applied. Category 3 audit functions depend wholly on the level of support received
from the organisation. Internal audit is not protected through a need to have such a function. It exists
because it fulfils an organisational need and this must be uppermost in the mind of the CIA.

Public versus private sector

The line between public and private sector is blurred. The public sector is increasingly contracting out
services traditionally undertaken by in-house staff. There is the break down of public bodies into
business units or agencies in an attempt to bring in commercial principles. Companies are being asked
to subscribe to codes of corporate governance that restrict their activities within ethical bounds well
known in the public sector. The need for internal audit creates a major opportunity. Large firms of
accountants that in the past operated in the private sector have assumed a key role in public bodies
and may bid for available internal audit contracts.

Organisational/managerial support
Some auditors feel they have a right to discharge their audit role despite a low level of support from
management. This is a fallacy because the role of internal audit ranges from low-level checking with
little meaning to senior executives, through to dealing with the most complicated and pressing
systems issues. The audit role will reflect the level of support it has achieved. Where lacking there will
be major problems. The CIA has to determine the highest level in the organisation where controls are

8
SUPPLEMENT TWO DEALING WITH MANAGERIAL PROBLEMS

seen as important, and then ensure that this forum is the main client for audit services. So long as we
are supported at this level, ideally in the form of an audit committee, some tension may be tolerated at
mid-management level. The best solution is to meet client needs and work with management in
securing better systems of control. A formal complaints procedure and a quality assurance feedback
mechanism that bring out clients’ views will assist.

Contracting out other services

Another source of concern for the chief auditor is the trend to contract out services to external
suppliers. This may apply to computing, payroll, income collection, maintenance, cleaning, pensions
and front-line operational services. Internal audit may find its audit field growing smaller. If a
proactive approach is not assumed, after a while there will be little remaining in-house services that
can be subject to an audit coverage. The CIA must intervene and ensure audit adapts to change:
• Audit the change programme that isolates areas for contracting out.
• Audit the contracting process itself to ensure value for money.
• Audit the client-monitoring procedures that should be established to manage and control contracts.
• Build into contract clauses a clear role for internal audit. Access to books and records that relate to
the contract may be defined. Routine testing may be carried out under the terms of the contract
and special investigations commissioned where there are specific problems with the contract.
• Adopt a pre-determined role for contract arbitration as part of the consultancy arm of internal
audit.
• Ensure the remaining audit field not contracted out is given full coverage by internal audit.

The relevant audit skills to undertake this type of work will alter and we must adopt a suitable long-
term strategy. There is no harm recruiting specialists within internal audit who deal with complicated
contractual, financial and legal matters that arise when an organisation adopts such policy. It will be
developed elsewhere in the organisation if internal audit does not quickly secure these special skills.

Delinquent managers
The handbook is based on the client based approach. This is the correct audit concept so long as
management is in tune with organisational objectives. There is a further complication where managers
are not working in the best interests of the organisation and it is here that a threat to the future welfare
of the audit function may appear. If management at all levels does not support internal audit, this may
result in a diminished audit role. The complication arises where we do not wish to engender this
support but are more concerned with exposing wrongdoings covered up by management. A clear
strategy of exposing corruption should be formulated.

Competing services
Good audit practice requires internal audit to work with other disciplines resourced by the
organisation who have similarities in their workload. We would liaise with management services, data
protection, security managers, quality assurance, compliance officers and other such individuals who
have a relationship with internal audit. This model is acceptable where economies are growing and
organisations are able to resource all the required support services. The problem arises in times of
recession where possible duplications in services are eradicated through rationalisation exercises and
budget cuts. There is simply no room for services that cross over or overlap. This more realistic model
brings home the need to perceive parallel services as competing services that may pose a threat to the
continuing welfare of internal audit now or at some time in the future. The CIA must assess the
implications of related services and ensure that internal audit is best placed should any slimming-
down occur. One defence is the aggressive stance of taking over some of the services and assimilating
them into a branch of the audit role so that they fall under the control of the CIA. This may be a
direct-line responsibility or a functional one where say for example, the organisation’s computer
security officer makes regular reports to and is monitored by the CIA.

A forward-thinking CIA realised the organisation would make staff cuts soon.
He made a successful bid to assimilate four value-for-money consultants who
had reported direct to the Chief Executive. After 3 months the CIA was asked
to make 25% staffing cuts as his contribution to budget reductions. He
offered up three of the four VFM consultants and they were promptly made
redundant.

© Spencer Pickett 1997 9

Whenever people outside internal audit speak of the way they carry out their “audits” the CIA will
have to be alerted to a potential conflict. If internal audit does not employ computer auditors we may
hear that the quality assurance officers who work within the computing unit are carrying out their own
“audits”. There is a gap in internal audit services that is being covered elsewhere.

Link into problems of internal audit

Each problem real or potential must be isolated and resolved if not to threaten internal audit. There is
something wrong with a unit seeking to identify control weaknesses across the organisation when the
same unit has many predicaments that it is not able to rectify. If performance appraisal is seen as a key
control over staff it may be recommended by internal audit. If internal audit has not been able to
implement an appraisal scheme there is a dilemma. Another example is the conflict where internal
audit recommends efficient information systems in operational areas when the audit office is piled
high with old files, boxes of documents and an assortment of rubbish loosely related to old audit work.
In one internal audit office an old broken down typewriter was confiscated for forensic testing that
was not in the event available, and was left in a corridor in the audit offices for over 5 years before it
was finally disposed of. The CIA must evolve a strategy that confronts foreseeable problems as a
priority. The role of audit management need not be purely managerial. An alternative model is where
audit management ignores their staff in favour of various special projects that they personally perform
as top secret assignments. This type of manager will have little use in developing audit strategies.

How to combat threats

Only a small number of the potential threats that face internal audit have been referred to. There are a
number of matters that impact on the ability to combat these threats:
• The CIA must ensure that threats to the future welfare of audit are isolated and dealt with.
• Scan the horizon, assimilate external influences and translate them into resources.
• The resulting research must be incorporated into a formal audit strategy that drives the function
through a defined period generally of years.
• Possible threats may be subtle and may not necessarily affect internal audit directly, but may
impair the ability to deliver an independent audit service to professional standards.
Professionalism cannot be negotiable as the following example illustrates:

The CIA was pressed by the Director of Finance for an urgent audit report
into a proposed purchase that would involve the organisation in £2m of
avoidable expenditure. This decision was blamed on a senior director who
would feature in the final report. The work was performed by a group auditor
who commented that the Director of Finance (who is the CIA’s line manager)
was partly to blame. The report, which was supposed to be urgent, was then
de-prioritised and never formally published.

• The CIA must have an “ear to the ground” and a vital line to all senior staff. Constant feedback on
the image of internal audit will help the CIA judge the position of the audit function. This is not to
suggest a “sell out” to management but to recognise the political dynamism within organisations.
We need not play the game but we must understand the rules and keep an eye on the score.

10