1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. Hello and Welcome to The Quality Forum Online...Continuing in the spirit of People Helping People !
    Dismiss Notice
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

New Rating Measure for Internal Audit Engagements

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Melvin, Nov 28, 2017.

  1. Melvin

    Melvin Member

    Joined:
    Nov 28, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hi All,

    I have recently been designing a new rating measure for internal audit engagements with the objective of addressing come of the traditional challenges that we have internal audit engagements such as: Disruptive management attitudes, delays with information requests, lack of commitment and ownership over audit findings. The new measure is designed to to bring about more positive, engaging and efficient outcomes from internal audit engagements and will compliment the traditional control effectiveness rating measure (Effective, partially effective...) that we have on internal audit reports.

    I have proposed the use of a five-point maturity model for this new measure who focus on the following key themes of Governance & Culture, Risk Assessment, Information & Communication and Commitment.

    1. Governance & Culture focusing on managements operating style and philosophy including initiatives implemented by management to improve governance and process standardization through out the subject matter under review.

    2. Risk assessment designed to assess the effectiveness of managements risk awareness and management practices in subject area under review.

    3. Information & Communication designed to assess the effectiveness of managements responses to engagement information requests. This includes and is not limited to the following: management comments on the draft report; audit information requests; audit queries and feedback on audit quality improvement surveys.


    4. Commitment to assess managements commitment to taking ownership over the formulation of solutions and corrective actions to audit findings. The measure will also evaluate the effectiveness of management actions to address findings raised in the same area from prior reviews.

    We are currently in the process of planning our first pilot run with this new measure and wanted to get some feedback regarding additional or alternative measures that could be introduced. Any suggestion to improve the model will be highly appreciated.

    Thanks
    Melvin
    melvin.kishore@yahoo.com
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,682
    Likes Received:
    859
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Welcome, Melvin:
    An interesting project. What do you believe this measurement will tell you about internal audits? There are many, many measurements which may be taken of a process, however, in the end what does the result of the measurement tell anyone?

    Somewhat contrary to your aim here, it seems these criteria are symptoms of the internal audit program and it's management. Is that your goal? To detect issues with planning?
     
  3. Melvin

    Melvin Member

    Joined:
    Nov 28, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hi Andy, Thank you for your comments. I'm new to this website so still finding my feet around.

    My goal is not to detect issues with planning but rather positively change the management attitudes around internal audit and to address some of the challenges that internal auditors face. Challenges such as management not prioritizing audit information requests (covered under the information and communication measure), management hiding issues and being aggressive with audit findings or not engaging during an audit; management not taking up responsibility over corrective actions from audit etc.

    I intent to share the measure before the audit starts, so they have a clear target on how to achieve high scores, which I naturally hope everyone would want to achieve (designed as a KPI target) - which will directly help achieve the outcomes that internal audit wants to out of these engagements. I have included below some objectives/ goals behind my key theme areas below which will give you more insight into this.

    Objectives/ Aim

    1. Governance & Culture - Improve management philosophy and operating style; Improve governance and process standardization though-out the business
    2. Risk Assessment - Improve managements risk management practices.
    3. Information & Communication - Improve the delivery time on audit information requests; Improve managements delivery time on the draft report; Improve the feedback rate on the audit feedback questionnaire
    4. Commitment - Improve management commitment over completion of corrective actions; Improve the performance on the existing corrective actions

    I hope I make some sense. Thoughts?
     
  4. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    311
    Likes Received:
    85
    Trophy Points:
    27
    I honestly don't see how you're going to change anything by forcing a KPI on them unless it is driven by your top dog. What is the root cause of your issues? Sometimes you catch more flies with honey.
     
    Melvin likes this.
  5. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    129
    Likes Received:
    69
    Trophy Points:
    27
    Sounds to me like what I refer to as "bottom-up management". I've done my share of it.

    After beating your head on the wall long enough, approaches such as this can become tempting, but the success rate is usually limited.

    If they aren't already hardwired to care before you try this approach, how flexible are you expecting them to be to having their rigidity graded?

    Still, best of luck to you, and please share the results here.
     
    Melvin likes this.
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,682
    Likes Received:
    859
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Let me help you save time and frustration: The reasons for lack of support of internal audits is the following:

    Audits are done to satisfy registrars
    Audits are done to a calendar which has zero to do with business issues
    Audits are done because "ISO-says-so"
    Audits are done to emulate the registrar process (because that's how they are taught)
    Audits are about "style" not substance
    Audits report things in terms ISO requirements, graded "major", "minor" and OFI
    Audits don't engage management in any way they understand
    Audits report things which aren't on managements' radar

    I could go on...
     
  7. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    311
    Likes Received:
    85
    Trophy Points:
    27
    Why even call it an "audit?" Audits are negative -- conjures up images of the IRS knocking at your door.
     
  8. Melvin

    Melvin Member

    Joined:
    Nov 28, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hi Golfman25, I absolutely agree with the comment regarding the top dog. I think i have that covered because the new measure (in theory) has been suggested by the Board. One of the key challenges that I faces is getting management comments back on findings - with two instances where it took over three months.

    The root cause is that management try and implement corrective actions in the background and have them near completion or completed when the report is finalized. In a drastic shift, we have recently started sharing draft reports to the board at the same time the report is issues for management comments - this does require more due diligence from our end to ensure that our findings are factually accurate - this was requested by the board too. And its basically to stop management putting lipstick on the findings.
     
  9. Melvin

    Melvin Member

    Joined:
    Nov 28, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Thank you normzone. I feel like we have shared the same frustrations. The difference here is that management does care about the work we do - they care a bit too much and try and delay our findings to give them enough time to implement corrective actions. Everyone is out saving their own ass and we are caught in the crossfire.
     
  10. Melvin

    Melvin Member

    Joined:
    Nov 28, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    My situation is rather different, management and staff are very engaging and positive during the audit, however we hit a road back when it comes to receiving management comments back on findings. Management try all the tricks in the book to delay our report presentation at the Board to allow them more time to put in place corrective actions. This more recently has been rectified with the board now requesting our draft reports be published with them even before management comments are received.

    I found your earlier comments very useful and since then I have drafted the purpose, scope, objectives for the measure which better articulates some of the background that I did not spell out - taken for granted.
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    1,682
    Likes Received:
    859
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Of course! They are going along with it because they don't want to be responsible for the consequence(s), however, their lack of actions) reinforces their engagement is superficial at best.

    BTW - what type of audit is this? QMS? Financial? Governance? I made the mistake of assuming it was an ISO 9001 type audit - my bad.
     
  12. Melvin

    Melvin Member

    Joined:
    Nov 28, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    The audits are predominately control effectiveness reviews that expand over both the financial and operational side of the business.
     

Share This Page