Audit Engagement Strategy (Driving Audit Value, Vol. III): The Best Practice Strategy Guide for Maximising the Added Value of the Internal Audit Engagements
Ebook, 562 pages, 62 hours

About this ebook

Audit Engagement Strategy
(Driving Audit Value, Vol. III)
the best practice guide for implementing a value-added internal audit engagement strategy

Follow the strategic principles and become successful in achieving the objectives of the audit engagements. Apply the fundamental success principles described in this book and your audit engagements will generate the desired added value.

drs. Hans Beumer has a Master's degree in Business Economics and was educated and trained as Dutch CPA, CIA, CISA, CRMA and CFE. Hans is a long-time Internal Audit, External Audit and Finance Management professional. During his 28-year career, he was CAE for 16 years at the head offices of globally operating companies, worked 6 years in public accounting and held other positions such as CFO.

During the last 10 years, he published 4 books and 8 articles on the topic of best practice internal auditing.
Language: English
Publisher: Hans Beumer
Release date: Jul 9, 2017
ISBN: 9783906861197

    Book preview

    Audit Engagement Strategy (Driving Audit Value, Vol. III) - Hans Beumer

    Audit Engagement Strategy

    DRIVING AUDIT VALUE (VOL. III)

    The best practice strategy guide

    for maximising the added value

    of the internal audit engagements

    HANS BEUMER

    ALSO AVAILABLE FROM HANS BEUMER

    Driving Audit Value (Vol. II): Audit Risk Management

    Driving Audit Value (Vol. I): Audit Function Strategy

    Success for Everyone

    Happiness for Everyone

    Kumano Kodo

    Thailand

    20’000 km by Train

    Visit www.hansbeumer.com

    COPYRIGHT

    HB Publications

    Zug, Switzerland

    www.hansbeumer.com

    Text Copyright © Hans Beumer 2017

    Figures and Tables Copyright © Hans Beumer 2017

    Cover Stock Media Copyright © BillionDigital 2017 and Shutterstock 2017

    International Professional Practices Framework and International Standards for the Professional Practice of Internal Auditing, available at: https://global.theiia.org/standards-guidance. Lake Mary, FL: Copyright © 2017 by The Institute of Internal Auditors, Inc. All rights reserved.

    All rights reserved. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise be copied for public or private use without the express written permission of the publisher, except for the use of brief quotations in a book review.

    First edition published in July 2017

    This book is available as:

    - Hardcover: ISBN 978-3-906861-18-0

    - EBook: ISBN 978-3-906861-19-7

    Printed and distributed by Lulu Press, Inc.

    This book is not intended to provide personalised business advice. It offers the viewpoints and extensive experience of the Author, but the views expressed should not be taken as instructions or commands. The reader is responsible for his or her decisions and actions for the business of internal audit and related topics. The Author and Publisher expressly disclaim any liability, loss, damage, or risk, business, personal or otherwise, that is incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this book.

    CONTENTS

    FOREWORD

    BOOK STRUCTURE

    PART I - AUDIT ENGAGEMENT STRATEGIC MODEL

    Where were the Auditors?

    Soll and Ist

    Process and Project

    Beumer Audit Engagement Strategic Models©

    Beumer Audit Engagement Strategic Model©

    Audit Engagement Value Drivers Model©

    Audit Engagement Value Enablers Model©

    PART II - AUDIT ENGAGEMENT VALUE DRIVERS

    Engagement Value Driver 1: Identifying Significant Risks

    IPPF’s requirements for identifying significant risks

    Standardisation

    Process for identifying significant risks

    Step 1: What are the key enablers for identifying significant risks?

    Step 2: What is significant?

    Step 3: Is it a process or substance issue?

    Step 4: How to scope for identifying significant risks?

    Step 5: How to develop the work programme for identifying significant risks?

    Step 6: How to report the identified significant risks?

    Identifying significant risks as value driver

    Engagement Value Driver 2: Agreeing on Risk Mitigations

    IPPF’s requirements for agreeing on risk mitigations

    Standardisation

    Process for agreeing on risk mitigations

    Step 1: What are the key enablers for agreeing on the risk mitigations?

    Step 2: What are the appropriate risk mitigation measures?

    Step 3: To what level must the risks be reduced?

    Step 4: Who should be responsible for the risk mitigations?

    Step 5: How to determine the appropriate due dates of the risk mitigations?

    Step 6: How to resolve disagreements?

    Agreeing on risk mitigations as value driver

    Engagement Value Driver 3: Monitoring Progress of Agreed Risk Mitigations

    IPPF’s requirements for monitoring progress of agreed risk mitigations

    Standardisation

    Process for monitoring progress of agreed risk mitigations

    Step 1: What are the key enablers for monitoring progress?

    Step 2: What assurance needs to be provided?

    Step 3: What is the appropriate type of progress monitoring?

    Step 4: How to do the progress monitoring?

    Step 5: How to handle cancelled, delayed, changed or incomplete mitigations?

    Step 6: How to report the results of progress monitoring?

    Monitoring progress of agreed risk mitigations as value driver

    PART III - AUDIT ENGAGEMENT VALUE ENABLERS

    Engagement Value Enabler 1: Resource Planning

    IPPF’s requirements for resource allocation

    Standardisation

    Process for engagement resource planning

    Step 1: What is the management activity to be audited?

    Step 2: What type of audit work must be performed?

    Step 3: What are the available audit resources?

    Step 4: How to handle resource shortfalls?

    Step 5: What are the audit resources at the time of the audit engagement?

    Step 6: How to do the annual time-scheduling of the engagements?

    Step 7: How to do the time-scheduling within the engagements?

    Example

    Resource planning as value enabler

    Engagement Value Enabler 2: Engagement Planning

    IPPF’s requirements for engagement planning

    Standardisation

    Process for engagement planning coordination and logistics

    Step 1: What needs to be coordinated with management?

    Step 2: What needs to be organised logistically?

    Example

    Engagement planning coordination and logistics as value enabler

    Engagement Value Enabler 3: Audit Objective

    IPPF’s requirements for engagement objective

    Standardisation

    Process for determining audit objective

    Step 1: Why to audit?

    Step 2: What is the required level of assurance?

    Step 3: What is the subject matter of assurance?

    Step 4: What are the objectives of assurance?

    Example

    Engagement objective as value enabler

    Engagement Value Enabler 4: Understanding the Subject Matter

    IPPF’s requirements for understanding the subject matter

    Standardisation

    Process for understanding the subject matter

    Step 1: What are the process characteristics?

    Step 2: What are the sources of information?

    Step 3: Why understand two levels?

    Example

    Understanding the subject matter as value enabler

    Engagement Value Enabler 5: Subject Matter Risk Assessment

    IPPF’s requirements for risk assessment

    Standardisation

    Process for subject matter risk assessment

    Step 1: What are the subject matter’s inherent risks?

    Step 2: What are the subject matter’s control risks?

    Subject Matter Risk Indicators Model©

    Step 3: What are the risks in the 2nd lines of defence relating to the subject matter?

    Step 4: How to use the results from the risk assessment?

    Example

    Risk assessment as value enabler

    Engagement Value Enabler 6: Audit Scoping

    IPPF’s requirements for engagement scoping

    Standardisation

    Process for engagement scoping

    Step 1: What to audit?

    Step 2: Where to audit?

    Step 3: Who to audit?

    Step 4: What period to audit?

    Example

    Engagement scoping as value enabler

    Engagement Value Enabler 7: Work Programme

    IPPF’s requirements for engagement work programme

    Standardisation

    Process for developing work programme

    Step 1: What are the objectives that need to be tested?

    Step 2: What types of audit tests are available?

    Step 3: What audit tests are allocated to the objectives?

    Step 4: What items from the population need to be tested?

    Step 5: What time is allocated to each audit test?

    Example

    Engagement work programme as value enabler

    Engagement Value Enabler 8: Audit Execution

    IPPF’s requirements for engagement execution

    Standardisation

    Process for engagement execution

    Step 1: What are the execution objectives?

    Step 2: How to achieve the execution objectives?

    Step 3: What audit evidence is needed?

    Step 4: What are the working paper requirements?

    Engagement execution as value enabler

    Engagement Value Enabler 9: Audit Report

    IPPF’s requirements for engagement reporting

    Standardisation

    Process for the final audit engagement reporting

    Step 1: What is the structure of the report body?

    Step 2: What audit results are included in the report body?

    Step 3: What is the structure of the executive summary?

    Step 4: What audit results are included in the executive summary?

    Step 5: How to word the audit opinion?

    Step 6: How to resolve disagreements?

    Step 7: Who needs to receive the report?

    Example

    Audit report as value enabler

    Engagement Value Enabler 10: Performance Management

    IPPF’s requirements for performance management

    Standardisation

    Process for performance management

    Step 1: What are the engagement performance targets?

    Step 2: How to achieve the performance targets?

    Step 3: What are the engagement detection risks?

    Audit Engagement Detection Risk Indicators Model©

    Step 4: How to mitigate the engagement detection risks?

    Audit Engagement Detection Risk Mitigations Model©

    Example

    Performance management as value enabler

    RECOMMENDED READING LIST

    VOL. I OF DRIVING AUDIT VALUE: AUDIT FUNCTION STRATEGY

    VOL. II OF DRIVING AUDIT VALUE: AUDIT RISK MANAGEMENT

    DRIVING AUDIT VALUE BUNDLE: THE INTERNAL AUDIT HANDBOOK

    VOL. IV OF DRIVING AUDIT VALUE: HOW TO AUDIT …

    ABOUT THE AUTHOR

    FOREWORD

    Audit Engagement Strategy serves several purposes. For:

    Chief Audit Executives (CAEs): to benchmark the internal audit engagements against the best practices and to increase the added value of the audit work.

    Auditor Managers: to enhance their management of the internal audit engagements under their supervision, and to increase the quality of the audit work and the audit results.

    Auditors: to execute the internal audit engagements in accordance with the best practices, and to increase the added value of their audit work.

    Local management, process owners and auditees: to better understand the activities, focus and priorities of the internal audit engagements.

    Advisors, consultants, freelancers: to use as a frame of reference for the best practice internal audit engagement strategy model.

    Teachers and students: to teach and study internal audit engagement best practices based on a proven strategic model.

    The Institute of Internal Auditors: to enhance the IPPF model with best practice elements.

    Audit Engagement Strategy differs from all the other books about internal audit, in the way it combines the theoretical knowledge with the practical experiences of a seasoned CAE:

    This is the first and only book that develops a clear strategy for the internal audit engagements. It reflects on the audit engagements from an entirely new perspective by defining its added value and how this added value can be attained through the value drivers and value enablers.

    The Beumer Audit Engagement Strategic Models© provide transparency for the main success principles for an internal audit engagement, presenting a unique new frame of reference for understanding, managing and deploying the audit strategy at the audit engagement.

    This book includes the practical experiences, examples, tips and foremost solutions, from an experienced CAE. The content of this book draws upon 28 years of business experience, of which 16 years as leader of audit functions of globally operating corporations.

    Audit Engagement Strategy is the best practice guide for implementing a value-added internal audit engagement strategy. Follow the strategic principles and become successful in achieving the objectives of the audit engagements. Apply the fundamental success principles described in this book and your audit engagements will generate the desired added value.

    This book is part of a series on internal audit best practices called Driving Audit Value. The first three books in the series are:

    1. Audit Function Strategy: This Volume I of Driving Audit Value describes the strategies for creating the maximum audit added value at the level of the internal audit function. The book explains and analyses the two main value drivers and the six main value enablers. Volume I was published in January 2017 (see the book preview and the global endorsements on pages 377 to 380).

    2. Audit Risk Management: The Beumer Audit Risk Management Model© provides a ground-breaking new approach to understanding, identifying, measuring and mitigating the audit risks at both the audit function level and the audit engagement level. This book focuses solely on identifying and mitigating 60 potential audit risks. These audit risk management measures are described in Driving Audit Value, Volume II, which was published in March 2017 (see the book preview on pages 381 and 382).

    3. Audit Engagement Strategy: The strategic model for driving the audit value at the level of the audit engagements is described in Driving Audit Value, Volume III. At the audit engagement level, the audit added value, value drivers, and value enablers also exist, though with a different content when compared to the level of the audit function.

    When you combine the Volumes I, II and III of Driving Audit Value, a comprehensive internal audit handbook is created. The Driving Audit Value Bundle will integrate the best practice strategies for the audit function, audit engagement and the audit risk management into one handbook of more than 750 pages. This Bundle will be available for sale from July 2017 (see the book preview on pages 383 and 384).

    Books published under The Successful Business Series describe the professional experiences in various lines of business. The series has the intention of helping you make your business successful.

    Read to advance your life,

    drs. Hans Beumer

    July 2017

    BOOK STRUCTURE

    This book provides a practical approach and concrete tools to manage the internal audit engagements. The objective of the audit engagements is to achieve the maximum added value for the key customers: the board and executive management, divisional/business unit management as well as the process owner. There is a certain way to organise, plan, direct and execute the individual audit engagements that makes the audit function achieve this added value. The best practice methodologies and strategies for attaining the highest level of added value are presented in three distinct parts:

    PART I: Audit Engagement Strategic Model

    Part I presents the Beumer Audit Engagement Strategic Model©. This model shows the comprehensive audit engagement framework for maximising the added value of the audit engagements. The model connects 3 value drivers to 10 value enablers. The Audit Engagement Value Drivers Model© shows how the 3 key value drivers can be achieved in 18 defined and focused steps. The Audit Engagement Value Enablers Model© shows how the 10 key value enablers can be achieved in 39 steps. Together these models determine the comprehensive audit engagement strategy model for driving the audit value at the level of the audit engagements.

    PART II: Audit Engagement Value Drivers

    Part II shows that identifying the significant risks, agreeing on the risk mitigation, and monitoring the progress of this risk mitigation, are the three primary value drivers of the audit function. From the perspective of the board and senior management, this is what the audit function is all about. Everything the audit function does must ultimately result in providing assurance that management knows the significant risks to their business, and is appropriately reducing the impact of these risks to a level that is within the risk appetite of the board. The generation of this added value is based on explicit and structured processes. The chapter Identifying Significant Risks explains how this can be achieved in 6 defined steps. A further 6 clear steps result in Agreeing on Risk Mitigations, and Monitoring Progress of Agreed Risk Mitigations is achieved in 6 straightforward steps.

    PART III: Audit Engagement Value Enablers

    Part III presents the 10 most significant value enablers for the internal audit engagements: resource planning (2 steps); engagement planning (2 steps); engagement objectives (4 steps); understanding the subject matter (3 steps); risk assessment of the subject matter (4 steps); engagement scoping (4 steps); engagement work programme (5 steps); engagement execution (fieldwork) (4 steps); engagement report (7 steps); engagement performance management (4 steps).

    In 10 chapters, these topics are analysed, and efficient, effective and practical guidance is provided to maximise the value-enabling capacity of each subject by consistently following these defined steps.

    Figure 1 - Book structure

    Audit engagement level versus audit function level

    Audit Engagement Strategy describes the added value, the value drivers, and the value enablers at the level of the internal audit engagement. Although all of these can be derived from the internal audit function strategy, the latter is not further detailed in this book. At the audit function level the added value, the value drivers and the value enablers also exist, though with a different content. The strategic model for driving the audit value at the level of the internal audit function is described in detail in Volume I of Driving Audit Value: Audit Function Strategy. I refer to the book preview on pages 377 to 380.

    Managing the audit engagement risks

    At the level of the internal audit engagement, six significant risks may occur: value risks, focus risks, execution risks, performance risks, reporting risks and compliance risks. The strategic model for managing these risks to the audit value at the level of the internal audit engagements is described in detail in Volume II of Driving Audit Value: Audit Risk Management. I refer to the book preview on pages 381 and 382.

    Audit engagements versus consulting and support engagements

    The title of this book is Audit Engagement Strategy. The emphasis is on audit. The main role of the internal audit function is to provide independent assurance to support management and the board in achieving their objectives. As the 3rd line of defence, it is the audit function’s competencies in risk assessment and its independence that generate the added value. Though internal audit functions also conduct consulting and support assignments, these are neither covered in this book, nor in the series of Driving Audit Value.

    How to audit any topic

    How to audit strategy-related topics? How to audit a research and development function? How to audit any topic for which the audit engagement team has no advance knowledge and still be able to come up with high added-value audit results? The performance of the audit work depends foremost on the appropriateness and focus of the audit work programme. Do the appropriate risk considerations flow into the audit steps? Do the audit steps cover all the important areas of the subject matter? Is the testing methodology appropriate for reaching the audit objective? These topics are only generically covered in this book, as the focus of this book is on the general engagement strategy. The topics of the specific work programmes for the value chain and support processes will be covered in Volume IV of Driving Audit Value, called How to audit … I refer to the book preview on page 385.

    Lifting the audit engagements to the highest level of added value

    This book is the best practice guide for maximising the added value of the internal audit engagements. It clearly describes what best practice processes look like and provides detailed guidance to allow each audit function to realise its own maximum added value. However, it does not cover the topic of how to lift the current status of your audit engagements to this best practice strategy model. Such a roadmap can be best developed using a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) for benchmarking your current internal audit engagement strategies, processes and procedures against the value drivers and the value enablers presented in this book.

    PART I - AUDIT ENGAGEMENT STRATEGIC MODEL

    Figure 2 – PART I: Audit engagement strategic model

    Where were the Auditors?

    Major corporate scandals 2010-2016

    VOLKSWAGEN EMISSIONS SCANDAL

    September 2015 – The US Environmental Protection Agency caught VW cheating on diesel emissions tests to falsely pass the maximum allowed levels. Diesel models had software installed to fraudulently show that the cars were more environmentally friendly than they actually were. More than 11 million cars had to be refitted, regulatory fines amounted to more than $15 billion, civil and criminal suits cost further billions. High-profile managers and the CEO were dismissed.

    Possible audit engagement issues:

    Risk Assessment

    Scoping

    Work Programme

    Audit skills

    FIFA CORRUPTION SCANDAL

    May 2015 – The FBI indicted the FIFA organisation and officials with racketeering, fraud, corruption, and with paying millions of dollars in bribes to influence FIFA elections, locations for hosting the World Cup, sponsorship contracts, broadcasting rights, and more.

    Possible audit engagement issues:

    Audit Objective

    Scoping

    BP OIL SPILL SCANDAL

    April 2010 – The Deepwater Horizon rig explosion caused the largest environmental disaster of the 21st Century. Oil and gas producer BP had the worst health, safety and environment practices, which caused damages and costs far exceeding $25 billion, and destroyed shareholder value by more than $100 billion.

    Possible audit engagement issues:

    Scoping

    Risk assessment

    YAHOO HACKING SCANDAL OF 1 BILLION USER ACCOUNTS

    December 2016 – Yahoo disclosed that a data breach exposed the private information of more than 1 billion user accounts. It related to a theft of names, email addresses, telephone numbers, birthdates, and unrecognisable passwords, as well as encrypted and non-encrypted security questions and answers.

    Possible audit engagement issues:

    Risk assessment

    Scoping

    WELLS FARGO SCANDAL OF FAKE ACCOUNTS

    September 2016 – Over the period 2011-2016, Retail Banking employees created 1.5 million phoney deposit accounts and issued 0.5 million fake credit cards, without the knowledge or permission of the related customers. Employees resorted to fraud in order to meet challenging growth quotas. The bank paid $185 million in fines and fired 5’300 employees.

    Possible audit engagement issues:

    Work programme

    Execution

    Type of test

    OLYMPUS ACCOUNTING AND BRIBERY SCANDAL

    October 2011 – Olympus hid $1.7 billion in losses over a period of 13 years and admitted to paying kickbacks and foreign bribery. The company paid more than $0.5 billion to settle criminal and civil investigations.

    Possible audit engagement issues:

    Risk assessment

    Scoping

    PETROBRAS CORRUPTION SCANDAL

    March 2014 – Executives and key management of Brazil’s state-owned Oil & Gas Company were accused of bribery of officials as well as siphoning off money for their own use. In criminal investigations, more than 80 managers and politicians were charged with money laundering and bribery of more than $8 billion.

    Possible audit engagement issues:

    Scoping

    Work programme

    Execution

    LIBOR RIGGING SCANDAL

    June 2012 – Criminal investigations into the manipulation of interest rates spread to 10 countries and involved more than 20 major banks. Total fines reached more than $10 billion.

    Possible audit engagement issues:

    Risk assessment

    Work programme

    Where were the internal auditors?

    These eight examples represent some of the major scandals, bribery, corruption, fraud, and non-compliance cases in the period 2010-2016. In each of these cases, you can rightfully ask: "Where were the internal auditors?" The answers to this question can be manifold:

    during the planning of the audit engagement, the auditors insufficiently coordinated with the board and executive management about their business, risk and control concerns: BP, Petrobras, Yahoo.

    during the audit engagement scoping, the risk assessment was incomplete: VW, BP, Petrobras, Wells Fargo, Yahoo.

    during the audit engagement planning, the work programme was not focusing on the right key controls or risks: Libor, Olympus, Wells Fargo, Yahoo.

    during the audit engagement planning, insufficiently skilled auditors were allocated to the audit: Libor, Wells Fargo, Yahoo.

    during the audit engagement execution, the auditors did not have access to the staff, systems or information they needed to achieve the audit objective: FIFA, Petrobras, Olympus.

    during the audit engagement execution, the auditors did not understand the transactions: Libor, Wells Fargo.

    during the audit engagement execution, the auditors relied too much on single audit tests, such as interviews and other tests with very weak evidence: Libor, Wells Fargo, BP, FIFA.

    during the audit engagement execution, the auditors did not agree on the appropriate risk mitigation with management: Yahoo, BP.

    the auditors performed no follow-up to ascertain that their recommended risk mitigation actions were indeed implemented by management: Yahoo, BP, Libor.

    We will never know the real reasons for the inability of these companies’ audit functions to successfully identify these issues and have management mitigate those risks. For the internal audit functions of these companies, it is already too late. Their effectiveness will probably have been seriously questioned, and this might have resulted in the dismissal of the CAE, downsizing or upsizing of the audit function, combined with a refocus of the audit function’s and audit engagement’s strategies and objectives. However, for your company’s audit function a similar scandal can be avoided. The strategic audit engagement model presented in this book comes to the rescue, and provides practical guidance for preventing such audit engagement risks.

    Risks, Mitigations, Monitoring

    When you analyse the issues of these eight cases, a clear trend can be identified. In all these scandals three engagement related topics stand out:

    1. The audit engagements did not have the appropriate focus and as a result were not able to identify the significant risks.

    2. If the audit engagements did identify the significant risks, they were ineffective in agreeing with management on the appropriate risk mitigating measures and their urgency of implementation.

    3. An ineffective monitoring of the progress of the risk mitigations resulted in the materialisation of the risks before they could have been prevented or reduced.

    The boards of these organisations must have expected their internal audit functions to do their jobs: identify the significant risks, agree with management on the appropriate risk mitigations, and monitor management’s implementation of the risk reductions.

    These three expectations are the key value drivers for any audit engagement and represent the core of the audit engagement strategic model.

    Soll and Ist

    Comparing Soll and Ist

    In its simplest form an audit (test) is a comparison of two states (conditions) of an item, transaction, or activity: the state which should exist and the state that actually exists. Exceptions, risks, deviations, issues, or however these may be called, represent the (incurred or expected) differences between the target state and the actual state. In the German language, this terminology is captured in two simple words: Soll and Ist. The Soll represents the target state, whereas the Ist represents the actual state. In an equation, this looks as follows:

    Figure 3 – Standard definition of an audit (test)

    Audit (test) = comparing the actual state (Ist) to the target state (Soll)

    Exception = difference between the actual state and the target state

    Soll = Ist + Exceptions

    Virtually all audit work, all audit testing, and all audit engagements can be simplified to the core of Soll and Ist:

    Wording the audit engagement objective results in stating the Soll, the target state that needs to be confirmed by the audit. The audit assurance is providing the key customers of the audit function a confirmation that the Soll can indeed be achieved.

    The audit engagement work programme describes the Soll. It states the objectives of the management activity (process or sub-process), and the controls that management has put in place to ensure that the Ist equals the Soll. The audit testing element of the work programme reflects the audit function’s activity to compare the Ist with the Soll of management’s control activities, to ascertain whether the management controls were actually (Ist) executed as they should have been (Soll).

    During the audit field work, the auditor collects evidence that the Ist of management’s control activity is achieving or can indeed achieve the Soll of the control.

    The audit report, generated at the conclusion of the audit engagement, reflects on the Soll, the Ist and the Exceptions. The Soll will be described in the audit objective, the scope and the subject matter’s objectives. The Ist and Exceptions will be described in the issues, risks and recommendations. The agreed risk mitigation actions will close the gap between the Soll and the Ist.

    In case the Ist = Soll, there will be no exceptions, and the audit report has no issues or recommendations of significance.

    In case the Ist ≠ Soll, there will be exceptions or opportunities. The exceptions will result in the wording of (significant) audit issues (risks), while at the same time recommending the actions to mitigate the exceptions (to make the Ist equal to the Soll). Opportunities may arise when the audit identified that management is able to improve the performance of the subject matter above the target.

    Whenever the engagement team or the auditors have difficulties in establishing the audit engagement objectives, developing the audit engagement work programme, performing the audit field work or writing the audit engagement report, they should keep in mind this simple principle of (comparing) Soll and Ist.

    Auditing without a Soll

    What to do when there is no Soll? Or to be more precise, when the board or management did not establish a target state for (elements of) the subject matter, the sub-processes, the key objectives or the key controls?

    In essence this would reflect the situation described in Standard 2210 – Engagement Objectives: the absence of measurement criteria. The IPPF is, however, somewhat confusing on this topic: it refers to the absence of a measurement system, but assumes that the objectives against which the measurements need to be made are available (the guidance does not provide further explanation). The underlying topic to be addressed is twofold:

    absence of objectives;

    absence of measurement criteria.

    The standard does not address the absence of the objectives. Still, the examples listed in the standard (policies, procedures, laws, regulations, industry practices) may contain objectives as well as measurement criteria. For example, an objective can be to apply the industry best practice process for health & safety, and the regulations explain what this entails and how this can be achieved. So in principle, when there are such criteria, there may also be objectives. Still, there could also be criteria without an objective. Management may have implemented health and safety procedures, formally or informally, without setting a clear target.

    A policy or regulation in itself may not necessarily contain an objective; it may just describe how the subject matter needs to be organised, but not the goals that need to be achieved with it. ISO standards provide the typical example. A process can be fully compliant with these standards but still lack an objective, be highly ineffective and miss all the substance needed to reach any meaningful objective, output or added value. Compliance with a policy or standard does not necessarily result in success (achievement of an objective that enables the achievement of the organisation’s business strategies).

    Is it the same the other way around? Can there be an objective without measurement criteria? Such a situation could arise when management sets an objective of having a high level of health and safety, but does not specify how this needs to be achieved (there is no policy or reference to industry standards). It is then up to the audit function to discuss with management against which standard (Soll) the audit testing of the actual situation (Ist) needs to be done. For example, there could be a choice between OHSAS 18000, ISO 45001, HSE49 or other national standards and regulations. Only this situation is covered by the IPPF’s standard.

    What to do when there is no Soll for the objectives and/or the measurement system? The IPPF’s standards have answered the latter part of the question. But what if management and the board are not able to answer that question? In my personal experience, there can be situations where no measurement systems are available. Management may not have a comprehensive policy for research & development project management, for developing the strategic business plans, for developing business concepts, for implementing a new IT platform, for business continuity, for managing its intellectual property, for preparing the weekly production planning, for the reasons for hiring
