Reducing Effort for CAEs through Combined Assurance
The Chief Audit Executive (CAE) operates in two separate realms. At the audit activity level, the CAE is a manager responsible for planning, organizing, staffing, directing, and controlling the internal audit function. On an organizational level, the CAE’s role is also to provide assurance on the effectiveness of risk management and the control environment. Through effective coordination with other internal assurance providers, the CAE can accomplish both aspects of their responsibility.
Based on IIA Standard 2050, the CAE should connect with internal groups to ensure “proper coverage and minimize duplication of efforts.” All too often, the internal audit department is stretched to capacity trying to cover all aspects of assurance in an organization. At Wolters Kluwer, we see a trend with CAEs assuming responsibility for internal audit, internal control, and risk management. Since taking responsibility beyond audit could compromise the CAE’s independence, these functions should be separated, but separation does not preclude coordination.
During audit plan development, auditors should understand the scope and objectives of the work being performed by the other teams. The assessments completed and work planned by other assurance teams, such as internal control and risk management, should be relied upon for coordinated audit coverage.
When CAEs approach the concept of coordination, the first step is generally sharing information with other departments that focus on risks and controls in a similar fashion to internal audit. Typically, this involves internal control teams (for example, SOX departments) and Enterprise Risk Management (ERM) functions.