Comprehensive audit planning
Every organization is asked to do more with less. Staffing levels often remain flat or are not increased to a level that would significantly alter the scope of the work we have the capacity to perform. By coordinating with other groups inside our organization, we have the opportunity to increase our audit coverage by leveraging the work already being completed. The IIA does provide guidance on this matter in Standard 2050 in the International Standards for the Professional Practice of Internal Auditing (IPPF). While the Practice Advisory (2050-1) is applied to reliance on work from external auditors, the standard is written to address coordinating “activities with other internal and external providers of assurance”, which would encompass groups like EH&S.
Based on this standard, the CAE should be reaching out to internal groups such as the EH&S team to ensure “proper coverage and minimize duplication of efforts”. During audit plan development, we should consider the scope and objectives of the work being performed by the EH&S team. In fact, in a comprehensive risk assessment, environmental risks, health risks, and safety risks should be considered, and the worked planned by the EH&S auditors can be relied upon for the audit coverage for these areas. Once the audit plan is drafted we can take the next step and combine the report process with senior management.
We can gain efficiency when reporting results to senior management and the board. During the beginning of the year, both the CAE and the Director of EH&S auditing should submit summaries of their respective planned audit activities, staffing plan, and budget to senior management and the board. By combining this presentation, we can help our stakeholders better understand the scope of the work and planned audit coverage.
The same holds true for interim and year end results reporting. By co-presenting internal audit and EH&S audit results, we can better help management focus and set priorities for the organization. We must be careful not to overwhelm the board with endless information. Always present summary information, ideally with visuals, and provide any details as an appendix to the summary. Remember that senior management has a very limited amount of time to dedicate to your data, so be succinct and provide your reports well in advance of any meetings.
In line with our respective audit processes, we should provide more risk information to the audit committee. When discussing EH&S, this will likely gravitate to compliance risk. In any case, instead of getting mired in the details, focus on trending information related to audit results. Our ability to present trends is more illustrative of the organization’s overall status.
As we all work toward providing our organizational management with useful and concise information for their decision making process, combining efforts between internal audit and EH&S will lead to improvement. We will better understand our audit coverage, and we will gain efficiencies in our audit planning and reporting activities. Ultimately, by strengthening the relationship between these similar functions, we will improve our ability to protect overall organizational value while raising our own internal value to senior management and the board.