As internal audit leaders go about their work, there are many decisions to make: How to assess risk? What to audit? How to acquire the expertise needed to execute certain audits? What audit technologies to adopt? How to build the internal audit team? And on and on. Sometimes we make good decisions in these areas and sometimes we don’t.
While we all make mistakes, sometimes those missteps are due to accepting conventional wisdom that is either wrong or misguided. Indeed, there are some behaviors or methods many internal audit leaders have adopted that are actually counter-productive to what internal audit is trying to achieve for the organization it serves. Here, I’d like to explore some of those miscues that might be accepted practice in some internal audit corners, but are potentially counter-productive or misguided.
To be clear, these are not the obvious mistakes that some internal auditors make, such as writing audit reports that are too long, conducting audits on the same areas each year, or not communicating well with the audit committee and senior management. The mistakes here often come from doing things the way they have always been done, failing to update your perspective on how internal audit can add value, and accepting conventional wisdom that, upon inspection, just doesn’t hold up against a range of competing demands on internal audit’s precious time and resources.
So here are six common practices or mistakes that many internal auditors should leave behind or, at least, rethink:
1 Overemphasizing independence and objectivity (They should be important considerations, but not dictate what you do.)
Independence and objectivity are hallmarks of the internal audit profession. The Institute of Internal Auditors’ International Professional Practices Framework (IPPF) is filled with references to these key tenets. Independence is a function of where you report, and in most organizations internal audit has a dual reporting relationship. Typically, internal audit reports on a day-to-day basis to the CEO or other member of the C-suite, but it gets its independence from a functional reporting relationship to the board of directors or specifically to the board’s audit committee.
Realistically, then, you have little say over the independence of your reporting relationship. So, if you are not as “independent” as you would like, don’t lose too much sleep over it, since it’s not something you can directly control. Do everything you can to do your work to the best of your abilities. In most cases, all will be fine. You might advocate for a reporting structure that would improve independence, but tread lightly; it may not be worth creating turmoil, and the pushback could be extensive. In most cases it won’t really change how you go about your day-to-day work.
Objectivity, on the other hand, is often referred to as a state of mind and is the avoidance of bias in the work performed. Internal audit works to sustain its objectivity by not performing operational activities that might inhibit its ability to be objective when auditing those same operational activities in the future.
Senior management or others in the organization, however, might ask you to do things that are important for the business and the best use of internal audit resources, with the consequence that it could appear to impair internal audit objectivity. Worse things have happened. Internal audit is doing more advisory work and helping the organization by leveraging its expertise in risk management, the control environment, and other areas. In most cases, good internal auditors can maintain a reasonable level of objectivity and are professionally able to weigh in on important matters that leverage internal audit’s expertise. So, don’t stress over it. Do everything you can to protect your ability to be objective in mind, if not in fact. And help your organization be successful. It’s about adding value and making a difference first and foremost.
2 Trying to complete the entire audit plan (Try to get your priorities completed and explain when and why the plan might not get completed.)
Some C-suite leaders and audit committee members create an expectation that once they have approved an audit plan, internal audit should complete it in full without exception, typically in the course of a year. Smart internal audit leaders know, however, that such an expectation is not achievable if they are to be agile and responsive to the changing needs of a dynamic organization. In fact, it’s ill-advised. Situations arise, risks change, priorities shift, special projects surface, and frauds happen. Nimble internal audit functions are able to better deploy resources to the most immediate need.
It’s important to educate C-suite and audit committee members on the importance of remaining flexible and responsive to the changing needs of the organization. At best, you have a general framework for the assurance projects you want to get done over the next year and set a firmer plan on a rolling quarterly basis. For any assurance projects you had previously committed to that you will be deferring or substituting, explain the reasons why resources are being redirected.
Also, don’t forget the importance of getting involved in advisory work and change initiatives throughout the organization. These advisory projects might very well be more important than some of the more traditional and previously planned assurance projects. In the end, trying to complete the entire audit plan might just not be achievable or even advisable.
3 Too much emphasis on complying with Professional Practice Standards (They are important, but your stakeholders really don’t care. Strive for conformance, not perfect compliance.)
Many, particularly larger internal audit functions, consider conformance with the IIA’s Professional Practice Standards a low bar for achievement, yet others, especially smaller internal audit functions, find achieving full conformance a challenge. The Standards were developed to be principle-based, so there is a lot of latitude in how internal audit goes about achieving conformance. While there is little doubt that pursuing conformance across all the Standards will help make your internal audit function better, it won’t necessarily make it a great one. And, importantly, almost no one outside of internal audit cares about the Standards or your conformance with them, if they even know they exist.
So, yes, it makes sense to pursue conformance with the Standards, but don’t prioritize it to the level where it risks making internal audit less relevant in your organization. You might, for example, have to accept work that risks your independence or objectivity in the best interest of the organization. Or, as another example, you might have to put off getting the required Quality Assessment Review (QAR) done to free resources to complete other high-priority work. These “non-conforming” activities, if done consciously and with good reason, may be the right decisions at the time and perhaps the best choice for you, your organization, and the function as a whole.
A quick note here: I am a big proponent of the IIA’s Standards and Guidance. As the chief audit executive for two different organizations, I worked hard to make sure we conformed with them in all we did and even worked on them when I was a member of senior staff at the IIA. So, I am not advocating internal auditors change how they go about their pursuit of conformance with the various elements of the IPPF. I am, though, challenging some things that have been, for many, accepted as conventional wisdom. It’s about keeping perspective and prioritizing what matters most.
4 Misuse of co-sourcing and outsourcing (You need to use outside parties, but they should be more like strategic partnerships, not tactical transactions.)
Almost no single internal audit function will ever have all the skills, talent, and competence needed to execute all audits if the internal audit plan is developed with the highest risks in mind. Resources to complete the audit plan at a high level need to come from somewhere. So many internal audit functions turn to co-sourcing for subject matter expertise to supplement, or augment, their existing resources. For some, this approach is highly transactional: “We need ‘x’ resources, or an expert in a certain field, so we’ll go into the market and get these resources.” Yet, there are countless examples of projects that don’t go well, or even completely fail, because the promises of the third party in terms of the skills and talents they have available to them aren’t consistent with reality.
In other instances, the internal audit function doesn’t communicate well with the hired resources—particularly on a one-time engagement—or integrate them into the existing team and they never get on the same page.
Instead of co-sourcing, as it is traditionally done, it would behoove a savvy internal audit function’s leadership to invest in some strategic partnerships with third parties who are more closely aligned with wanting a long-term relationship and will only promise what they can actually deliver, as opposed to the transactional promises of external parties looking to just win work.
Even worse is when some internal audit functions outsource audit work entirely. In this scenario, the internal audit team doesn’t learn anything about the particular audit area. There is no resulting knowledge transfer. In such a case, use co-sourcing and ensure that staff internal auditors are shadowing hired subject matter experts closely so they can learn from their expertise and, importantly, stay involved in the project. You may have outsourced the work, but you haven’t outsourced your ownership of the project or the results.
5 Thinking you are doing “risk-based auditing” (You are doing audits based on your point-in-time assessment of risk.)
I have always found the term “risk-based” interesting. Interesting in that we all use it, and yet we really don’t even know what it means or what it is. (I use it too, so guilty as charged!)
Risk is what we define it to be, we all see risks differently, and our biases enter the equation, consciously or unconsciously. So, something that is done based on risk (or “risk-based”) is only as accurate from a risk perspective as the quality of our analysis, our comprehension of the situation, and our ability to cognitively manage our biases.
How many times have we learned something we didn’t know before and it changed our perception of risk (positively or negatively)? How fluid and dynamic are our organizations, such that risks change, evolve and morph, sometimes to our knowledge and sometimes not? So, if we planned something previously and start work on it tomorrow, the risks have changed on just about everything in the organization in the interim. Yet we didn’t go back and revisit our risk assessment, and the factors that gave rise to a particular project being on the audit plan have likely changed by now.
So, we do our best, stick our finger in the air, come up with our best interpretation of risk at a given point in time, and drive our plans from that assessment. So, yes, it is work that is based on our assessment of risk, but it is likely not “risk-based” at the time we are actually doing it, since the risks have changed and we are victims of what we don’t know, what we think we know but really don’t, and what we learned to be true and not true based on our original assumptions! Perhaps, then, it is more “risk informed” than “risk-based.”
6 Guarding continuous auditing and continuous monitoring systems (If it’s important for you to do, management should be doing it already.)
OK, this one might be controversial. But the best run organizations don’t need internal audit! Ideally, everything we looked at and everything we evaluated had no issues at all, and all our assurance work concluded that everything was fine. That would render internal audit irrelevant. That’s not the case though, and never will be. We know it and our organization knows it.
What does this have to do with continuous auditing and continuous monitoring? The organization needs to run itself, and we should not be doing anything that might be deemed as operational when someone, somewhere else outside of internal audit should be doing it. So, if we come up with some type of automated routine that monitors some aspect of the organization on an ongoing basis, that’s great. But don’t keep it within internal audit. That just makes us the police constantly monitoring for something to go wrong. Turn it over to the company and let them monitor themselves. Therefore, in my view, don’t do continuous auditing or continuous monitoring—or better yet, do it, but then hand it over to operations. It’s not your ongoing job as part of the assurance work you do. The goal is to benefit the organization, not benefit internal audit’s ability to continuously monitor the organization. It’s not, and never should be, about us.
Perspective and Prioritization
So, yes, all of the items on the list above are important internal audit concepts: independence and objectivity, audit planning, Professional Practice Standards, co-sourcing, risk-based auditing, and continuous auditing and monitoring. Yet none of them trumps the fundamental need for internal audit to add value to the organization. We shouldn’t pursue them with single-minded inflexibility. Often, it’s about perspective and prioritization—seeing the big picture and understanding what’s most important. Think about these things differently, don’t accept conventional wisdom, and focus on adding the most value you can always, at all times.
It sounds simple, but often it’s actually quite difficult.
Hal Garyn is Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.
Very relevant and practical cues each auditor deals with.
Excellent article!
Thank you so much for your insight. I particularly agree with your statement: “focus on adding the most value you can always, at all times.”
Very practical and brass-tacks-relevant advice, hard-hitting at places, but sensible nevertheless. What all CAEs would do well to internalise.
Excellent read. Thanks for sharing.
Excellent, spot on assessment! Changes the entire thought process while conducting audits to focussing on value addition and emphasis on the bigger picture! Thanks