August 18, 2021 • 17 mins
This is the first of a series of episodes that focus on performance auditing.
In this episode, we discuss strategic audit planning (a.k.a. forward work planning).
For internal auditors, this is similar to annual (or equivalent) audit planning.
- Understanding your community / public expectations
- Understanding your elected body / parliamentarians
- Understanding the entities within your audit office's jurisdiction
About this podcast
The podcast for performance auditors and internal auditors that use (or want to use) data.
Hosted by Conor McGarrity and Yusuf Moolla.
Produced by Risk Insights (riskinsights.com.au).
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:07):
You're listening to The Assurance Show.
The podcast for performanceauditors and internal auditors
that focuses on data and risk.
Your hosts are ConorMcGarrity and Yusuf Moolla.
Conor (00:20):
Today we're going to kick off the first in a little series
about performance auditing.
Auditors general arerequired usually to prepare
a forward work program.
Generally most of them wesee cover a period of three
years, that sets out the topicsthat they are going to be
addressing in terms of theirperformance audit mandate.
So today we just want totalk about some of the
(00:40):
inputs and considerationsthat go into developing
that forward work program.
Yusuf (00:45):
This may be of relevance to both performance auditors
and internal auditors.
Strategic audit planning in thecontext of performance audit
is interesting as a topic byitself, but also interesting
to internal auditors who alsowould need to do annual planning
or shorter range planning.
Just to understand how thatworks in the performance audit
world and what they couldpotentially take from it.
Conor (01:06):
Forward work programs are significant documents.
Take quite a bit oftime and cost to prepare
because they have thatsort of long-term view.
So in preparing them,it's essential that you're
doing proper scanning ofthe environment in which
you're operating to try andunderstand what are the current
or even emerging risks todelivery of public services.
To be able to do thateffectively, you need to
(01:28):
look at three broad areas.
The first thing you need tounderstand the community,
what's happening withinthe jurisdiction in which
you're operating, what isimportant to those people,
and what services do they use.
Secondly, you need to understandyour elected officials.
So whether that'd be yourParliament or your Congress.
What are they talking about,what's important to them, and
(01:50):
how can you tap into that tomake sure that what you're going
to address in your work planis as relevant as possible.
And then thirdly, it goeswithout out saying, you need
to understand the entities.
Those departments or localgovernments or utilities,
how well do we know them.
So let's startwith the community.
This is perhaps the leastwell done of the three
aspects we just described.
(02:10):
Obviously you can'tsend a survey to every
member of the public.
But what you can do nowadaysis scan their reactions as
individuals to things likewhat's happening in the media.
What are their views on certainpolicies of the government
or new laws or any decisionsbeing made that impacts them?
And the practical way to goabout some of this is scanning
(02:31):
the volume of activity orthings like online blogs
responses to newspaperwebsites, or media articles.
What are people gettinghot under the collar about?
What do they seem tobe passionate about?
This activity and scanningthese responses can give
you a good steer aboutwhat's most relevant to them.
The tools these days to beable to do that are manifold
and quite readily available.
(02:52):
And even things likesentiment analysis can be
pretty useful in trying tounderstand what members of the
community are concerned about.
Yusuf (02:58):
In doing that, you mentioned reactions to policy
or views government policy.
And many auditors generalmandates don't extend to
evaluating government policy.
So government policy is, agiven, and then you evaluate
the programs that aredeveloped under that policy,
the administration of those,efficiency of the delivery
(03:19):
and then effectiveness of theoutcomes of those programs.
So how do you differentiatebetween understanding policy
and evaluating policy?
Conor (03:28):
So the first thing is that m ost legislation that
sets up audit offices andgives that statutory role to
auditors general have explicitstatements in there to say
the auditor general cannotevaluate the merits of policy,
which is exactly what you said.
It's not the role of an an auditoffice to try and second guess
or undermine or to call intoquestion the elected decision
(03:51):
making body and what they'vetaken forward through the
parliament or their Congress,.
They have to evaluate theimplementation of that policy.
So your question comes backto how do you draw that
distinction or that line?
It's not that easy todo all of the time.
Knowing that we're onlyevaluating implementation, the
(04:12):
main consideration you needto have, is that the questions
we are asking as performanceauditors, are they things
that can be answered by thepublic servants delivering
implementation of the policy?
Or is it something theysimply can't answer because
they weren't part of thedecision-making framework
in the first instance.
Yusuf (04:31):
At what level does that restriction apply?
So you've got the merits ofoverall government policy, and
then you'd have, for example,within a government department,
in order to be able to implementcertain practices, they would
have policies that they create.
Conor (04:44):
That's a different thing.
So those policies relate tothe proper functioning of
that organization, as opposedto implementing the wishes
of the elected government.
Yusuf (04:55):
What performance auditors can do is quite
extensive, but there is alimitation around that overall
high level evaluation of themerit of government policy.
Conor (05:05):
the government might make a decision that for every baby
born this year, we're gonna givethe parents a thousand dollars.
Now, an auditor generalgeneral, may not think that's
an appropriate use of money,but if that's a policy that's
been implemented by thegovernment, then an auditor
general has no right to questionthe merits of that policy.
Yusuf (05:23):
And Now we've had to look at what the community
want, what do we do next?
Conor (05:27):
The second thing, we need to have a consideration of.
The parliament or Congressand those elected officials.
So whether we like it ornot what they say matters
for each and every one ofus, because they impact our
lives on a day-to-day basis.
So we need to understandwhat they're talking about.
So one simple, but very powerfulway to do this is by analyzing
(05:49):
the official record of whathas been talked about in the
parliament or in the Congress.
Text analytics techniquescan really help with this.
But the other thing to bearin mind is that audit offices
have an educative role.
As well as an evaluative role.
So, the more you canunderstand what is important
to those people the betterequipped you'll be to
(06:10):
select your audits for yourwork program and provide
information to your parliament.
Yusuf (06:15):
What are the sorts of things that you would look at
that are important to them thatthe audit office can actually
play a role in, what doesthat look like in real terms?
Conor (06:21):
If we take the official record and Hansard as we call
it here in our jurisdictionof Queensland Australia.
Everything is recorded,documented, and then published
for members of the public.
What we should be lookingfor are common themes
that are being discussed.
The volume of certain words.
Topics or things that areimportant and could be
about to be voted on, orare currently being debated.
(06:44):
These are gonna become partof our day-to-day lives.
So if an audit office canget a handle on what's being
discussed what those topicsare, why it's important.
And even more so perhapsunderstand if there are any
competing arguments aboutthose individual topics, then
that gives you really greatinsight into what's important
and what you might want to planfor auditing in the future.
Yusuf (07:05):
You want to be responsive to new issues that
are emerging, but a lot ofthe performance audit work is
around evaluation of, outcomes.
which there is a reasonabletime lag between the starting
point for which the methodsare discussed and the actual
implementation of the programs.
So, how do you determinewhat right timeframes are?
Conor (07:23):
You could either look back to the commencement of this
term of the current government.
In most Westminsterdemocracies, that's a
three or a four year term.
It's from then on that, thegovernment of the day will
be trying to actually getits policies implemented.
So that's a reasonable timeframeto go back and start from.
Yusuf (07:43):
Alright what next.
Conor (07:44):
Thirdly, we said you really need to understand
the entities you're auditing.
There's lots of this valuableinformation locked up
files, in colleagues heads.
Experience would suggestthat sometimes this can
be overlooked and we don'tplace us as much emphasis on
that as perhaps we need to.
We're really doing everybodya disservice if we're
not interrogating our ownsystems and in-house experts.
Yusuf (08:06):
What else is there that comes in from either the outside
or the inside that is a littlebit more specific then the
broad, scanning that we do?
Conor (08:14):
An important thing to talk about here is the
proliferation of open data.
Many public sector organizationsand peak bodies are putting
up valuable data sets andresources and reports.
One example, and thiswould apply to all
jurisdictions regardlesswhere you are in the world.
Governments pay a lot of moneyon road infrastructure, both
(08:35):
in developing it, buildingit, but also in maintaining
it there's significant dataholdings publicly available
in almost every jurisdictionnow that, talk about road
length, maintenance schedules,capital budgets, all sorts of
valuable information that youcan basically get within a
couple of clicks of the mouse.
Yusuf (08:55):
That all sounds good, but it does sound quite extensive.
Without trivializing thevalue that is obtained by,
rigorous analysis and researchand evaluation to come up
with a forward work plan.
What is reasonable in termseffort toactually come
up with that work plan.
Conor (09:12):
Perhaps if I reflect the question back in terms of how
important are these programs,to the public and how important
do we take our job because ifwe're doing a really important
job for the community, as weare as performance auditors, and
we know that potentially how welook at things and what we find
will impact their lives, thenwe need to ensure that we are
(09:35):
resourcing that appropriatelyand not just set and forget.
We need to have the resourcesworking in the background
to make sure that thosetopics we're taking forward
are the most relevant ones.
And we're doing them in theright way, at the right time.
Yusuf (09:50):
Often in these forward work plans, you'd
see a high level scope.
of work Now, when the workactually then starts on a
particular performance audit or,a particular topic, you would
then do more detailed scopingand planning for that audit.
How do you draw the linebetween the initial scope
that is determined and themore detailed scope that
(10:12):
is, figured out later on.
Conor (10:13):
You've probably done enough work at the initial
broad scoping stage, just toget something into your program,
if you can clearly articulatethe potential risks that you're
trying to address, and you needsome sort of evidentiary base.
So, you can't just pluckit out of thin air and say,
I think this is important.
Let's do this.
As soon as you've got thatreasonable evidentiary base as
(10:36):
to why this is a problem or whythis is important to look at
this particular topic, you'vedone enough at that stage.
Now, quite often thatcould involve some
preliminary data analysis.
And in fact, we'd suggestthat that happens even as
part of forward work program.
But try not to get too boggeddown in the detail of the
analysis, particularly ifit's an outer year project or
(10:58):
topic, because invariably therewill be changes over time.
So you're possibly wastingyour effort and resources if
you get into too much of thatdetailed analysis of performance
at the early stage, as opposedto just trying to understand
broadly the risks that exist.
Yusuf (11:15):
At the outset when creating the forward work plan,
do you set what the objectivesof the audit are going to be?
Conor (11:21):
Yes
Yusuf (11:22):
So the risks will drive the objective.
Conor (11:24):
The risks to efficient or effective or compliant
service delivery should drivethe objective of the audit, even
when you're at that early stage.
Yusuf (11:34):
Okay.
And then do you later onmaybe change that and say,
you're not going to look ateffectiveness here, we're going
to look at efficiency instead.
Conor (11:41):
Absolutely.
The way in which that serviceis being delivered, so the
mechanisms for delivery,they may have changed.
There may be new laws orregulations have come out
in an intervening period.
There may have been changesin funding, all sorts of
considerations like that.
So they are the types ofthings that then could
change what you look at.
Yusuf (12:01):
Internal audit teams, in developing their plans,
often it's not just aboutthe risk, but it's also about
the understanding of whatthe controls are in place.
So how well somethingis being done.
Do you do that withinyour forward work plan
as well so understand therisks, but also you would,
through your understandingof those departments.
Say if you had a departmentthat, you know, just executes
(12:25):
very well, would you maybeconsider not looking at
that because there maybe others that you can
focus your attention.
Conor (12:31):
So you've just encapsulated there, everything
we've been talking about.
When you're selectingtopics for your program,
you have to use all theintelligence available to you.
So if that intelligence suggeststhat department or agency X
is a very schmick, well honedservice delivery agency, then
(12:52):
absolutely you'd have to usethat when determining do I
need to deprioritise lookingat them or deprioritize
looking at particularaspects of their functioning.
Using that collectiveintelligence to make that
sort of determination.
And you can do that by speakingto your own internal staff
who know that agency insideout, which goes to the point
(13:13):
we tried to make earlierthat sometimes that doesn't
happen as easily as it should.
Yusuf (13:18):
So I want to just draw a few parallels between
internal audit and whatyou explained there before
asking one last question.
The parallels are you wouldneed to understand the
executives in your organization.
So that's second point youmade, senior decision makers
and what they are interestedin and what their focus is.
A lot of times that willbe driven by strategy.
(13:40):
The equivalent to reallyunderstanding what the
community wants, becausenot the same within, a
non-public sector entity.
Obviously within the publicsector, if you're an internal
audit team within the publicsector, then understanding
what recipients of yourservice are, or want.
So if you're, in education, forexample, that would be parents
and teachers and principals,and obviously kids in schools
(14:02):
what exactly they want.
But when we're talking aboutnon-public sector entities,
It could be the voice ofyour customer potentially.
So you could want to understandwhat your customers want and
need, but quite often, that'snot going to give you enough
to be able to understand whatthe audit plan needs to be.
So you would want to goto strategy, obviously.
And in an ideal worldyou'll tie them up.
So what is the customer saying?
What do the customers want?
(14:23):
And then what ismy strategy say?
And where am I going?
And then the lastthing you mentioned was
understanding the, agencies.
So knowing how well theagencies actually operate.
Within the internal auditworld, that would be
understanding the differentdepartments or functions
within your organizationand how they operate and
how well they operate.
But the last questionis, and this is relevant
again to internal audit.
Within the performance auditteams, when you're developing
(14:45):
your forward work plan, towhat extent do you look at
topics or matters that otherjurisdictions are looking at?
So, your peers the reports thatthey've produced or what's in
their forward work plans towhat extent does that influence
your forward work plan?
Conor (15:01):
Looking at sister organizations or different
jurisdictions and whatthey've done or haven't
done, should form part ofthe research component to
your forward work plan.
If, for example, you wereconsidering undertaking
an audit on a topic thathad been done in another
jurisdiction but they didn't.
have major findings or,conversely they could have had
(15:22):
major adverse findings, thenthat needs to flow into how
important that issue is here.
So we need to learn fromothers, basically, as
part of the research.
As to whether we would orwouldn't do a topic simply
because it had been donein another jurisdiction,
I don't think that's auseful mindset to have.
Yusuf (15:41):
So when you were working internally within an audit
office , and developing those,, strategic audit plans as they
were called back then, towhat extent did that external
scanning affect your program.
Conor (15:51):
It was helpful to understand what
others were doing.
But I found it far morehelpful where others hadn't
done anything on a topic, butit had through our environmental
scanning emerged as a realrisk area in service delivery.
And then when you look outyou say, oh, no other audit
offices have tackle thisor approached this I found
(16:12):
that more interesting.
Yusuf (16:13):
Within internal audit, organizations have been moving
towards consolidating the auditplan into fewer topics overall.
So instead of trying to say,we're going to cover 36 topics
this year, they're goingdown to, let's have that and
see if we can do big audits.
So even down to a third and do,even bigger audits than that.
Conor (16:33):
That's a really interesting point Yusuf.
So these days some auditoffices seem to be taking
more of a thematic view.
So they may say, over thenext three years, one of our
major streams of work is goingto be in the digital space.
And they may do multiple auditsin each of the next three years
that has a digital aspect to it.
(16:54):
Potentially, we may seemore of that in the future.
Yusuf (16:57):
In summary, forward work plans, strategic audit
plans, it doesn't matter whatyou call it, basically your
plan for the next few years forconducting performance audits.
Three key things toconsider the first is what
is the community saying?
Or what are the community want?
What is the sentiment within thecommunity around the services
that are being deliveredor that are planned for.
The second is understandingthe individuals that
(17:18):
are running the show.
And the third is understandingthose departments and agencies
and, thinking about all of thelocked up information that we
have internally that we can use.
All of this would be usefulfor internal auditors to
consider as well in howthey develop their plans.
Are you thinking about thosevarious factors in coming
(17:38):
up with your plan to deliverthe best value that you can?
Thanks Conor.
Conor (17:42):
Thanks Yusuf.
Narrator (17:43):
If you enjoyed this podcast, please share
with a friend and rateus in your podcast app.
For immediate notificationof new episodes, you can
subscribe at assuranceshow.com.
The link is in the show notes.
You're listening to The Assurance Show.
The podcast for performanceauditors and internal auditors
that focuses on data and risk.
Your hosts are ConorMcGarrity and Yusuf Moolla.
Conor (00:20):
Today we're going to kick off the first in a little series
about performance auditing.
Auditors general arerequired usually to prepare
a forward work program.
Generally most of them wesee cover a period of three
years, that sets out the topicsthat they are going to be
addressing in terms of theirperformance audit mandate.
So today we just want totalk about some of the
(00:40):
inputs and considerationsthat go into developing
that forward work program.
Yusuf (00:45):
This may be of relevance to both performance auditors
and internal auditors.
Strategic audit planning in thecontext of performance audit
is interesting as a topic byitself, but also interesting
to internal auditors who alsowould need to do annual planning
or shorter range planning.
Just to understand how thatworks in the performance audit
world and what they couldpotentially take from it.
Conor (01:06):
Forward work programs are significant documents.
Take quite a bit oftime and cost to prepare
because they have thatsort of long-term view.
So in preparing them,it's essential that you're
doing proper scanning ofthe environment in which
you're operating to try andunderstand what are the current
or even emerging risks todelivery of public services.
To be able to do thateffectively, you need to
(01:28):
look at three broad areas.
The first thing you need tounderstand the community,
what's happening withinthe jurisdiction in which
you're operating, what isimportant to those people,
and what services do they use.
Secondly, you need to understandyour elected officials.
So whether that'd be yourParliament or your Congress.
What are they talking about,what's important to them, and
(01:50):
how can you tap into that tomake sure that what you're going
to address in your work planis as relevant as possible.
And then thirdly, it goeswithout out saying, you need
to understand the entities.
Those departments or localgovernments or utilities,
how well do we know them.
So let's startwith the community.
This is perhaps the leastwell done of the three
aspects we just described.
(02:10):
Obviously you can'tsend a survey to every
member of the public.
But what you can do nowadaysis scan their reactions as
individuals to things likewhat's happening in the media.
What are their views on certainpolicies of the government
or new laws or any decisionsbeing made that impacts them?
And the practical way to goabout some of this is scanning
(02:31):
the volume of activity orthings like online blogs
responses to newspaperwebsites, or media articles.
What are people gettinghot under the collar about?
What do they seem tobe passionate about?
This activity and scanningthese responses can give
you a good steer aboutwhat's most relevant to them.
The tools these days to beable to do that are manifold
and quite readily available.
(02:52):
And even things likesentiment analysis can be
pretty useful in trying tounderstand what members of the
community are concerned about.
Yusuf (02:58):
In doing that, you mentioned reactions to policy
or views government policy.
And many auditors generalmandates don't extend to
evaluating government policy.
So government policy is, agiven, and then you evaluate
the programs that aredeveloped under that policy,
the administration of those,efficiency of the delivery
(03:19):
and then effectiveness of theoutcomes of those programs.
So how do you differentiatebetween understanding policy
and evaluating policy?
Conor (03:28):
So the first thing is that m ost legislation that
sets up audit offices andgives that statutory role to
auditors general have explicitstatements in there to say
the auditor general cannotevaluate the merits of policy,
which is exactly what you said.
It's not the role of an an auditoffice to try and second guess
or undermine or to call intoquestion the elected decision
(03:51):
making body and what they'vetaken forward through the
parliament or their Congress,.
They have to evaluate theimplementation of that policy.
So your question comes backto how do you draw that
distinction or that line?
It's not that easy todo all of the time.
Knowing that we're onlyevaluating implementation, the
(04:12):
main consideration you needto have, is that the questions
we are asking as performanceauditors, are they things
that can be answered by thepublic servants delivering
implementation of the policy?
Or is it something theysimply can't answer because
they weren't part of thedecision-making framework
in the first instance.
Yusuf (04:31):
At what level does that restriction apply?
So you've got the merits ofoverall government policy, and
then you'd have, for example,within a government department,
in order to be able to implementcertain practices, they would
have policies that they create.
Conor (04:44):
That's a different thing.
So those policies relate tothe proper functioning of
that organization, as opposedto implementing the wishes
of the elected government.
Yusuf (04:55):
What performance auditors can do is quite
extensive, but there is alimitation around that overall
high level evaluation of themerit of government policy.
Conor (05:05):
the government might make a decision that for every baby
born this year, we're gonna givethe parents a thousand dollars.
Now, an auditor generalgeneral, may not think that's
an appropriate use of money,but if that's a policy that's
been implemented by thegovernment, then an auditor
general has no right to questionthe merits of that policy.
Yusuf (05:23):
And Now we've had to look at what the community
want, what do we do next?
Conor (05:27):
The second thing, we need to have a consideration of.
The parliament or Congressand those elected officials.
So whether we like it ornot what they say matters
for each and every one ofus, because they impact our
lives on a day-to-day basis.
So we need to understandwhat they're talking about.
So one simple, but very powerfulway to do this is by analyzing
(05:49):
the official record of whathas been talked about in the
parliament or in the Congress.
Text analytics techniquescan really help with this.
But the other thing to bearin mind is that audit offices
have an educative role.
As well as an evaluative role.
So, the more you canunderstand what is important
to those people the betterequipped you'll be to
(06:10):
select your audits for yourwork program and provide
information to your parliament.
Yusuf (06:15):
What are the sorts of things that you would look at
that are important to them thatthe audit office can actually
play a role in, what doesthat look like in real terms?
Conor (06:21):
If we take the official record and Hansard as we call
it here in our jurisdictionof Queensland Australia.
Everything is recorded,documented, and then published
for members of the public.
What we should be lookingfor are common themes
that are being discussed.
The volume of certain words.
Topics or things that areimportant and could be
about to be voted on, orare currently being debated.
(06:44):
These are gonna become partof our day-to-day lives.
So if an audit office canget a handle on what's being
discussed what those topicsare, why it's important.
And even more so perhapsunderstand if there are any
competing arguments aboutthose individual topics, then
that gives you really greatinsight into what's important
and what you might want to planfor auditing in the future.
Yusuf (07:05):
You want to be responsive to new issues that
are emerging, but a lot ofthe performance audit work is
around evaluation of, outcomes.
which there is a reasonabletime lag between the starting
point for which the methodsare discussed and the actual
implementation of the programs.
So, how do you determinewhat right timeframes are?
Conor (07:23):
You could either look back to the commencement of this
term of the current government.
In most Westminsterdemocracies, that's a
three or a four year term.
It's from then on that, thegovernment of the day will
be trying to actually getits policies implemented.
So that's a reasonable timeframeto go back and start from.
Yusuf (07:43):
Alright what next.
Conor (07:44):
Thirdly, we said you really need to understand
the entities you're auditing.
There's lots of this valuableinformation locked up
files, in colleagues heads.
Experience would suggestthat sometimes this can
be overlooked and we don'tplace us as much emphasis on
that as perhaps we need to.
We're really doing everybodya disservice if we're
not interrogating our ownsystems and in-house experts.
Yusuf (08:06):
What else is there that comes in from either the outside
or the inside that is a littlebit more specific then the
broad, scanning that we do?
Conor (08:14):
An important thing to talk about here is the
proliferation of open data.
Many public sector organizationsand peak bodies are putting
up valuable data sets andresources and reports.
One example, and thiswould apply to all
jurisdictions regardlesswhere you are in the world.
Governments pay a lot of moneyon road infrastructure, both
(08:35):
in developing it, buildingit, but also in maintaining
it there's significant dataholdings publicly available
in almost every jurisdictionnow that, talk about road
length, maintenance schedules,capital budgets, all sorts of
valuable information that youcan basically get within a
couple of clicks of the mouse.
Yusuf (08:55):
That all sounds good, but it does sound quite extensive.
Without trivializing thevalue that is obtained by,
rigorous analysis and researchand evaluation to come up
with a forward work plan.
What is reasonable in termseffort toactually come
up with that work plan.
Conor (09:12):
Perhaps if I reflect the question back in terms of how
important are these programs,to the public and how important
do we take our job because ifwe're doing a really important
job for the community, as weare as performance auditors, and
we know that potentially how welook at things and what we find
will impact their lives, thenwe need to ensure that we are
(09:35):
resourcing that appropriatelyand not just set and forget.
We need to have the resourcesworking in the background
to make sure that thosetopics we're taking forward
are the most relevant ones.
And we're doing them in theright way, at the right time.
Yusuf (09:50):
Often in these forward work plans, you'd
see a high level scope.
of work Now, when the workactually then starts on a
particular performance audit or,a particular topic, you would
then do more detailed scopingand planning for that audit.
How do you draw the linebetween the initial scope
that is determined and themore detailed scope that
(10:12):
is, figured out later on.
Conor (10:13):
You've probably done enough work at the initial
broad scoping stage, just toget something into your program,
if you can clearly articulatethe potential risks that you're
trying to address, and you needsome sort of evidentiary base.
So, you can't just pluckit out of thin air and say,
I think this is important.
Let's do this.
As soon as you've got thatreasonable evidentiary base as
(10:36):
to why this is a problem or whythis is important to look at
this particular topic, you'vedone enough at that stage.
Now, quite often thatcould involve some
preliminary data analysis.
And in fact, we'd suggestthat that happens even as
part of forward work program.
But try not to get too boggeddown in the detail of the
analysis, particularly ifit's an outer year project or
(10:58):
topic, because invariably therewill be changes over time.
So you're possibly wastingyour effort and resources if
you get into too much of thatdetailed analysis of performance
at the early stage, as opposedto just trying to understand
broadly the risks that exist.
Yusuf (11:15):
At the outset when creating the forward work plan,
do you set what the objectivesof the audit are going to be?
Conor (11:21):
Yes
Yusuf (11:22):
So the risks will drive the objective.
Conor (11:24):
The risks to efficient or effective or compliant
service delivery should drivethe objective of the audit, even
when you're at that early stage.
Yusuf (11:34):
Okay.
And then do you later onmaybe change that and say,
you're not going to look ateffectiveness here, we're going
to look at efficiency instead.
Conor (11:41):
Absolutely.
The way in which that serviceis being delivered, so the
mechanisms for delivery,they may have changed.
There may be new laws orregulations have come out
in an intervening period.
There may have been changesin funding, all sorts of
considerations like that.
So they are the types ofthings that then could
change what you look at.
Yusuf (12:01):
Internal audit teams, in developing their plans,
often it's not just aboutthe risk, but it's also about
the understanding of whatthe controls are in place.
So how well somethingis being done.
Do you do that withinyour forward work plan
as well so understand therisks, but also you would,
through your understandingof those departments.
Say if you had a departmentthat, you know, just executes
(12:25):
very well, would you maybeconsider not looking at
that because there maybe others that you can
focus your attention.
Conor (12:31):
So you've just encapsulated there, everything
we've been talking about.
When you're selectingtopics for your program,
you have to use all theintelligence available to you.
So if that intelligence suggeststhat department or agency X
is a very schmick, well honedservice delivery agency, then
(12:52):
absolutely you'd have to usethat when determining do I
need to deprioritise lookingat them or deprioritize
looking at particularaspects of their functioning.
Using that collectiveintelligence to make that
sort of determination.
And you can do that by speakingto your own internal staff
who know that agency insideout, which goes to the point
(13:13):
we tried to make earlierthat sometimes that doesn't
happen as easily as it should.
Yusuf (13:18):
So I want to just draw a few parallels between
internal audit and whatyou explained there before
asking one last question.
The parallels are you wouldneed to understand the
executives in your organization.
So that's second point youmade, senior decision makers
and what they are interestedin and what their focus is.
A lot of times that willbe driven by strategy.
(13:40):
The equivalent to reallyunderstanding what the
community wants, becausenot the same within, a
non-public sector entity.
Obviously within the publicsector, if you're an internal
audit team within the publicsector, then understanding
what recipients of yourservice are, or want.
So if you're, in education, forexample, that would be parents
and teachers and principals,and obviously kids in schools
(14:02):
what exactly they want.
But when we're talking aboutnon-public sector entities,
It could be the voice ofyour customer potentially.
So you could want to understandwhat your customers want and
need, but quite often, that'snot going to give you enough
to be able to understand whatthe audit plan needs to be.
So you would want to goto strategy, obviously.
And in an ideal worldyou'll tie them up.
So what is the customer saying?
What do the customers want?
(14:23):
And then what ismy strategy say?
And where am I going?
And then the lastthing you mentioned was
understanding the, agencies.
So knowing how well theagencies actually operate.
Within the internal auditworld, that would be
understanding the differentdepartments or functions
within your organizationand how they operate and
how well they operate.
But the last questionis, and this is relevant
again to internal audit.
Within the performance auditteams, when you're developing
(14:45):
your forward work plan, towhat extent do you look at
topics or matters that otherjurisdictions are looking at?
So, your peers the reports thatthey've produced or what's in
their forward work plans towhat extent does that influence
your forward work plan?
Conor (15:01):
Looking at sister organizations or different
jurisdictions and whatthey've done or haven't
done, should form part ofthe research component to
your forward work plan.
If, for example, you wereconsidering undertaking
an audit on a topic thathad been done in another
jurisdiction but they didn't.
have major findings or,conversely they could have had
(15:22):
major adverse findings, thenthat needs to flow into how
important that issue is here.
So we need to learn fromothers, basically, as
part of the research.
As to whether we would orwouldn't do a topic simply
because it had been donein another jurisdiction,
I don't think that's auseful mindset to have.
Yusuf (15:41):
So when you were working internally within an audit
office , and developing those,, strategic audit plans as they
were called back then, towhat extent did that external
scanning affect your program.
Conor (15:51):
It was helpful to understand what
others were doing.
But I found it far morehelpful where others hadn't
done anything on a topic, butit had through our environmental
scanning emerged as a realrisk area in service delivery.
And then when you look outyou say, oh, no other audit
offices have tackle thisor approached this I found
(16:12):
that more interesting.
Yusuf (16:13):
Within internal audit, organizations have been moving
towards consolidating the auditplan into fewer topics overall.
So instead of trying to say,we're going to cover 36 topics
this year, they're goingdown to, let's have that and
see if we can do big audits.
So even down to a third and do,even bigger audits than that.
Conor (16:33):
That's a really interesting point Yusuf.
So these days some auditoffices seem to be taking
more of a thematic view.
So they may say, over thenext three years, one of our
major streams of work is goingto be in the digital space.
And they may do multiple auditsin each of the next three years
that has a digital aspect to it.
(16:54):
Potentially, we may seemore of that in the future.
Yusuf (16:57):
In summary, forward work plans, strategic audit
plans, it doesn't matter whatyou call it, basically your
plan for the next few years forconducting performance audits.
Three key things toconsider the first is what
is the community saying?
Or what are the community want?
What is the sentiment within thecommunity around the services
that are being deliveredor that are planned for.
The second is understandingthe individuals that
(17:18):
are running the show.
And the third is understandingthose departments and agencies
and, thinking about all of thelocked up information that we
have internally that we can use.
All of this would be usefulfor internal auditors to
consider as well in howthey develop their plans.
Are you thinking about thosevarious factors in coming
(17:38):
up with your plan to deliverthe best value that you can?
Thanks Conor.
Conor (17:42):
Thanks Yusuf.
Narrator (17:43):
If you enjoyed this podcast, please share
with a friend and rateus in your podcast app.
For immediate notificationof new episodes, you can
subscribe at assuranceshow.com.
The link is in the show notes.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!