Don’t Tell Me That!
October 17, 2022
Dear Audit Committee – Guess Who Audits The Most Critical Risks?
November 7, 2022
As my faithful blog readers know, I like to use analogies to make a point to members of the internal audit profession. Over the years, I have encouraged us to courageously “sail toward the storms” confronting our organizations. I have argued that we must “push against closed doors” to gain full access to information. I have even argued that we must shed our image as “bean counters” and demonstrate our expertise on how beans are grown, harvested, and taken to market.
Over the past two decades, we have shed many of the classic stereotypes that weighted us down for so much of our storied past. We have been called upon by our boards and executive management stakeholders to help our organizations navigate the risks of cyber breaches, toxic cultures, even ineffective risk management itself. But despite our progress, there are still some stigmas that we must work collectively to discard.
As a young internal auditor, I was indoctrinated early on in the need to catch those who might be doing “bad things.” Looking back, I realize how ridiculous the approach could be at times. As a civilian auditor for the military, I was called on to do regular audits of the officers’ clubs. One of our audit steps involved inventorying the unused bottles of alcoholic spirits to ensure that bartenders had not been guilty of generous pours (or worse). We were referred to by some as the “liquor police.”
Over the years, we were successful at convincing our stakeholders that such audits added little value in the big scheme of things. But there were still many audits and audit steps designed to detect fraud, waste, and mismanagement. As I look around the profession and hear regularly from internal auditors in the 21st century, I am saddened by the amount of policing that internal audit still undertakes. It’s one of the reasons we are still disparagingly referred to as the “corporate police” inside many organizations.
I would like to think we are saddled with these policing duties because our stakeholders demand it. Unfortunately, some of us still act like police because we enjoy it. There is a sense of power that comes from picking up a “radar gun” to identify speeders. Good internal auditors resist that temptation and focus on a range of ways to achieve outcomes. Catching speeders isn’t the only way to achieve traffic safety, just as finding compliance violations isn’t the only way to reduce compliance risks.
To be clear, I am not suggesting that compliance audits have no place in an internal audit plan. There will always be compliance risks that warrant internal audit coverage – particularly in regulated industries. However, we must reassess the extent to which we deploy compliance testing – particularly in non-compliance audits such as operational, financial and IT areas.
There is no one size fits all solution to this challenge, but there is a guiding principle that serves us well in all that we do: “follow the risks.” In other words, we must assess where the risks are the greatest in deciding what and how to audit. In assessing your approach/dependence on compliance testing methodologies in your audits, I suggest you challenge yourself by exploring the reason for the audit and the appropriate methodologies to achieve the objectives. In deciding the extent to which compliance testing will be appropriate, you might ask:
• Why was this area/process/business unit chosen for audit?
• What was the risk that resulted in its addition to the plan?
• Was there a compliance aspect to the risk?
• Have we crafted audit objectives that align with the risks?
• Do the methodology and objectives truly necessitate compliance testing?
• Is there a better way to mitigate the risk and enhance outcomes than testing for compliance?
In the end, you may well decide that compliance testing will be an important part of the engagement. If so, you should communicate with the client and design the testing so as to minimize the sense that you are in a policing role. Make sure the client and operating staff understand why the testing will be necessary – how it will minimize risks and ensure the success of the business unit and enterprise in the future.
All of this may sound somewhat elementary and even superficial. Yet, from my experience, our relationships with the client and the ultimate success of the engagement are dependent on how they perceive our motives and whether they feel respected. Consider your reaction to a traffic policeman with a radar gun aimed at you, and contrast that with the appreciation you feel for the traffic officer who guides you around an accident or construction site.
As always, I welcome your thoughts.
I welcome your comments via LinkedIn or Twitter (@rfchambers).