As a government agency we prize quality in all of our work and view it as a necessary precursor to “Better Insights and Better Outcomes”, our mission. With that in mind, over the last few years we have put in place the foundations of a single professional internal audit practice. We’ve done this by developing a range of tools including an audit manual, electronic working paper platform, technical bulletins and guidance notes.
This is a far cry from the position in government internal audit at the beginning of the last decade when more than 70 separate internal audit teams existed with various separate approaches and systems. The 2013 Review of financial management in government enshrined the creation of the Government Internal Audit Agency in government policy. This was followed in 2015 by the formation of the agency proper.
The infrastructure we have put in place since then only gets you so far though. What lies at the heart of driving improvements in audit quality is the way that you equip, lead and manage your people to raise confidence and unleash their potential. Our Chief Executive, Elizabeth Honer, has been instrumental in driving that message through all that we do.
With the focus on people and building firm foundations in mind, we have embarked on a series of training programmes, with audit bootcamps and report-writing being the most recent examples. But coming up shortly is a really important piece of the jigsaw addressing the question, “What is the risk we are concerned about?”
To that end we are running mandatory sessions on ‘risk articulation’ for all professional audit staff in the agency. Our philosophy is a simple one really, and it is that if you get the starting point of an audit right, then you are much more likely to enjoy performing the audit and get to the end of the process efficiently and effectively, delivering invaluable insights for our customers.
But why are we so bothered about getting the risk right? Well, any audit subject can be described as a system, say for example, payroll, business continuity, or contract management. And each of those systems has an objective or objectives – paying the right people the right amount at the right time, ensuring business can carry on functioning, delivering goods and services to the right place at the right price.
The risks that the auditor should be concerned with are the risks of those objectives not being achieved rather than - and this is often the common mistake - the absence of a control that you might expect. For example, if a risk to the achievement of payroll system objectives is that the organisation is not clear about the expected establishment of staff, the auditor should be trying to identify how the management in the organisation goes about mitigating that risk. It may be that the controls that the auditor expects to see in place are there and operating well. But it might also be that the organisation has something even better.
An open mind leads to open questions, and an integrated management and audit approach to problem solving is better than checklists! It also makes auditing more rewarding and customers more appreciative of our efforts. Always keep that open mind!