It’s such a basic idea. Internal auditors are asked to look at an area. They (hopefully) establish the priority areas to be looked at, liaising with a management sponsor, ideally at a level of seniority above the level of the manager of the area they are looking at.
They consider the time available for the assignment and then they issue a “Terms of Reference” (also known as an audit scope).
If the auditor is doing a good job they will spell out what is “in scope” and what is “out of scope”. Based on this they will develop an assignment work programme of things they are going to check.
Spelling out what’s in/out of scope is an important good practice for internal auditors because it sets expectations with stakeholders about what is going to be looked at and gives them an opportunity to challenge what work is going to be done.
Oftentimes, you will see terms of reference expressed in words. For example:
This assignment will look at the staff recruitment process. Key areas to be examined will include:
- Staff selection and background checks,
- Staff induction and on-boarding process.
Outside of scope will be:
A. The engagement/recruitment of part-time staff and contractors.
B. Benchmarking the cost of recruitment.
The decision to exclude areas from an assignment may be based upon areas that are: i) less relevant to the key assurance needs and also ii) a lesser priority/risk, given the time available for the assignment.
But beyond this approach to communicating scopes, I am seeing increasing use of diagrams to explain this. Diagrams do not replace words but can complement them. Furthermore, if done well, a diagram can show more clearly some of the “hard choices” around the boundaries of an assignment that may be less obvious when simply expressed in words.
Thus, when you consider an area to be examined, it may be addressed by a process, but that process will often be underpinned by IT systems/applications and data flows. In turn, processes/systems may be managed by support functions (e.g. IT/HR) and their role may be more/less important to the key issues under consideration. There may also be third-party service providers who support a process (e.g. recruitment agencies), and – again – their role may be more/less important in relation to the management of a risk.
A diagram can make it clear, in an instant, which process areas/systems/departments will and won’t be looked at. The power of a diagram is that it helps auditors, and managers, think carefully about what will/won’t be relevant to an assignment. And if issues are uncovered, it can be simple to “locate” these on the diagram, and many times it will be clear that issues arise between one part of a process and another, or between one department and another, rather than just in one area.
Finally, a diagram also provides a great way of helping an audit team understand the totality of what has and has not been looked at so that when planning future assignments it is easier to “join up the jigsaw puzzle”.
There is a whole body of practice to be shared about exactly how internal audit functions make robust choices around what is in/out of scope, but the starting point is to be crystal clear what is and is not being done – with diagrams an important tool to help do this.