Savvy solutions for small audit shops: armed with effective strategies, small departments can overcome the limitations of size and deliver world-class internal audit services

Internal Auditor, Oct, 2003 by David Salierno

IT'S NO SECRET THAT SMALL AUDIT STAFFS FACE BIG challenges. Human-resource constraints, tight budgets, and the imperative to do more with less are just some of the many difficulties those in small shops confront daily. * When staff size is limited, unique circumstances can arise that practitioners in large audit organizations are not as likely to encounter. For example, if one member of a small team leaves the department abruptly, a well-planned audit agenda can be decimated. Also, being on a small team can deprive practitioners of the camaraderie and mutual sharing of information that usually occurs in large audit departments, resulting in a dearth of new ideas and reliance on outdated methods.

The sheer scope of activities that fall within the domain of modern internal auditing demands that small shops take proactive measures to ensure adequate coverage of the organization and fulfillment of customer expectations. Many practitioners have found creative methods of managing the difficulties associated with being small, rising to the challenge with big ideas and bold solutions. The following seven strategies illustrate ways in which small-shops have succeeded in making the most of limited resources and maximizing their impact on the organization.

Strategy

DEFINE THE RISKS. When resources are scarce, prioritizing becomes essential for ensuring efficiency, if not survival. Many with experience in small audit shops find that risk assessment plays a key role in their prioritizing efforts as well as their ability to ensure adequate coverage of the audit universe.

"I consider a good risk assessment process to be crucial for small audit shops," says David O'Regan, head of audit at Oxford University Press in Oxford, United Kingdom, and author of the book Strategies for Small Audit Shops. "Small shops must deploy their tight resources effectively to the areas of highest risk in their organizations, and risk assessment is the best method of achieving this. The findings of the risk assessment exercise should be a major factor behind the rationale of the audit plan."

Gary Lawrence, director of internal audit at South Carolina's Savannah/ Chatham County Board of Education, has a unique appreciation for the value of risk assessment. With 54 divisions and 53 separate school sites within his group's purview, Lawrence and his staff of three auditors can ill-afford to spend time pursuing unfounded risk areas. The government audit group decided to use control self-assessment as a means of identifying key concerns and maximizing audit coverage.

"It's a struggle to try to cover it all, so we've used a survey-based control self-assessment, particularly on the school sites, and that's worked very effectively," Lawrence says. "It gives me a tool to go out and visit with the school principals and talk about risk and controls. Through that process--both through discussions with the principals and then through the results of the survey questionnaires--we begin to see areas where there maybe risks greater than those we were already aware of."

In the past, his audit group was able to cover only schools with visible problems, and visits to the individual sites were few and far between. Using the self-assessment process, however, he's now able to obtain key information from principals throughout the school system with minimal time invested.

"I've found that it takes about a half day of preparation and background work and about another half day to go back and sit down with each school principal to follow up and review what they found," Lawrence explains. "Then it takes maybe another two to three hours to follow up and see whether or not areas that were problems actually improve after six months or a year. So the whole process takes up to a day and a half, where previously the audits of school sites took us at least five days, sometimes more."

Dave Brucker, internal audit director at Secura Insurance Companies, also uses a survey-based method of obtaining information about risk. Brucker's audit group surveys company managers and directors and uses their feedback to tailor the annual risk assessment.

"If we start with, say, 15 criteria for our assessment," he explains, "we can then use the survey results to identify the key drivers of those 15 and narrow them down to between five and seven different factors. So, that allows us to get at the same data in a more efficient manner."

Brucker further optimizes his risk assessment capabilities by enlisting help from other employees in the organization. His group designates contacts from each business unit and asks those individuals to keep internal auditing in the loop on key developments within their respective areas. Some of the liaisons place auditing on the distribution list for important bulletins or newsletters, while others just make an effort to inform the audit group when a noteworthy development or area of potential risk arises. The auditors schedule periodic meetings with each contact to keep the lines of communication open.