Surprise! Proposed IIA Standards Will Mandate Internal Audit Ratings on Findings and Reports
March 27, 20236 Things Internal Auditors Should Remember About Human Nature
April 10, 2023In recent months, there have been some excellent articles on mistakes that internal auditors should avoid in planning and conducting internal audit results, and reporting engagement results. As I have absorbed the wisdom of my colleagues on these important topics, it reminded me of an article I wrote a number of years ago on mistakes I have witnessed over the years that doomed an internal audit. These are not mistakes that kept the audit from being completed. They are mistakes that keep the audit from fulfilling its full potential.
In too many instances internal audits fail to live up to their potential for reasons that could easily be prevented. From my experience, internal audits that underachieved were often the product of the same few mistakes. In the hope that we can learn from each others’ mistakes, here is my list:
- Not setting aside enough time to adequately plan the audit. It’s all too easy to postpone audit planning when you’re still focused on the previous audit. That’s probably why this might be the most common audit mistake of all. What can go wrong if you delay planning until the last minute? I have heard tales of the location scheduled for the audit having been shut down two months earlier, auditors having to stay at a hotel two hours away because no vacancies were available locally, a new technology having been implemented that the team was unqualified to review — the list goes on and on, but you get the idea. If you want to sabotage your internal audit, simply do nothing until just before fieldwork is scheduled to begin. That way, when something goes wrong, you won’t have the “safety net” of a few extra days in which to salvage the situation.
- Trying to audit too much (and scope creep). Setting the scope is one of the rare areas where the most diligent auditors tend to run into the most problems. When the initial scope is too ambitious or too open-ended, the risks go way up that the job will take too long or that the auditors will miss important issues that were included in the scope. It’s difficult enough to stay on schedule and avoid “scope creep” later in an audit when the scope is well-defined to begin with. When the scope is open-ended, it can lead to crushing work schedules or to unrealistic stakeholder expectations. Either way, failing to limit the scope appropriately might mean that your audit will be viewed as less than successful.
- Not involving the client. Failure to involve your client early and often can be a real “audit killer.” Just imagine holding a closing meeting a thousand miles from home during which management says, “You spent three weeks testing that? But nobody even uses that report anymore, and that isn’t a risk these days because. …”
- Failing to augment the audit team with “functional expertise.” If you are a very experienced and confident auditor, you may tend to overestimate your ability to “go it alone” without expert help. Involving a subject matter expert early in the audit planning process can help ensure you haven’t overlooked something vital. These experts are often invaluable in identifying root causes when the audit identifies issues or deficiencies. I once hired a team of economists to augment an internal audit team evaluating the company’s product pricing strategies. These experts elevated the credibility of the audit team immensely in the eyes of management who thought we were in over our heads until the economists joined the team.
- Forgetting the audit should ultimately add value. We all know that internal auditing is not just about pointing out what’s wrong — it’s about helping management accomplish its objectives and, at times, helping management identify and take advantage of opportunities that otherwise might have been missed. We need to design audit activities with the potential to add true value — not to design activities primarily aimed at catching small mistakes. It can help to “risk assess” your audit tests: What’s the best/worst that could happen if we perform this particular test? If the test can’t lead to major findings or recommendations, maybe you are planning to test the wrong things.
- Not following the risks. If your “planning” is normally to perform the same audits the same way each year, regardless of risks or changing circumstances, then the odds are good that your results won’t be the same as they were last year; they will be worse. You may fail to identify new risks and opportunities — and at best, you will be less likely to add value than in the past. After all, you already gave management recommendations based on last year’s tests, and the chances of a truly important new insight or recommendation are lower the second (or fourth) time around. One management official who was later convicted of fraud said, “Internal audit wasn’t a problem. I always knew they wouldn’t come back for a year, and I knew exactly what they would look at when they returned.”
- Failing to “watch the clock.” Those who follow my works, know that I am a long-time evangelist when it comes to internal audit timeliness. A significant portion of my Audit Trail Academy seminar, “Auditing at the Speed of Risk,” is dedicated to audit timeliness. After all, when it comes to some internal audits, it can be “better never than late.” The six mistakes above can all contribute to untimely audit results, but the most significant factor is being indifferent or oblivious to the calendar.
These are just a few of the mistakes that keep undermining promising internal audits. Your list might be different. What are some of the biggest mistakes you have seen that derailed an internal audit? Share your thoughts in the comments section for this blog, or email me at blogs@richardchambers.com.
I welcome your comments via LinkedIn or Twitter (@rfchambers).