It is not uncommon for an internal audit department to continually send its auditors into the field with instructions to review whatever was done in the work papers from the year before, thereby bringing continual attention to the same risks, year after year. Though this approach certainly informs those being audited of the areas requiring strong controls, it does not account for changes in the business that may require different audit work.
An alternative is to periodically create a formal internal control assessment document, both for the entire company and for individual business units. This document points out changes in the business and how they will impact controls, as well as the status of existing controls and why those controls are needed. This document can then be sent to the senior management team to promote their understanding of emerging control issues, as well as to business unit managers, who will therefore have a greater understanding of which controls are likely to be subject to review by internal audit teams. Of particular importance to the audit manager is this document’s usefulness in determining how control reviews must change from year to year in order to schedule more effective audits.
This document will require a substantial amount of time to prepare and revise, but the time investment is easily offset by the greater understanding of control issues.