In a recent blog post, I explored the reality that most internal audit departments are actually small, with a staff of five or fewer full-time auditors. But just because a department is small doesn’t mean it can’t generate a big impact. That said, a “big impact” audit can mean different things to different folks, so I thought it would be helpful to discuss here what I believe one actually looks like.
Whether it’s in internal auditing or in life in general, we all aspire to make a difference. We want a feeling of accomplishment that comes with knowing we have changed the world, if only in a small way. But internal auditing is especially rewarding when we can make a big impact — when we can bring about major changes that improve operations and cause senior management and the board to sit up and take notice.
So, what’s big impact in internal auditing? Many assume that it often equates to “big dollars.” From my experience, any auditor would be proud of a report revealing that a contractor had overcharged their organization by tens of millions of dollars — or, better yet, that a full $300 million could be saved merely by leveraging automation instead of constructing a new facility.
There’s no doubt that a big-money audit will command the immediate attention of management and the board. But sometimes an audit that makes the biggest impact is not one that directly adds to the bottom line. Even faced with inflation, and now a potential recession, we need to remember that internal auditing extends well beyond engagements that yield financial savings. Internal audit reports can generate immediate, significant, and enduring results in other ways and can bring about significant changes. For example, an audit that identifies potential violations of environmental regulations could be expected to have a major impact regardless of any financial results. Such an audit may not add to the bottom line through immediate savings. Instead, it may save the company/organization from reputational fallout and millions of dollars in potential fines and penalties in the future.
Big-impact audits tend to:
Have immediate results. Too often, internal audit engagements are slow to generate impact. But consider the effect of a cybersecurity audit that identifies serious control weaknesses, or an audit that unearths substantial noncompliance with employment statutes/regulations. These engagements may or may not have a substantial financial impact, but the results would be both immediate and significant.
Endure long after the audit concludes. Imagine, for example, a report demonstrating that, based on findings of financial, reputational, operational or other risks, a proposed merger/acquisition strategy is not in the best interest of your organization. Your organization might literally be transformed or saved because of a single well-documented audit finding.
Have enterprise-wide impact. Many internal audits focus on isolated or limited problems. We need to avoid unnecessary scope creep, but we should also keep in mind that, the broader the audit scope, the bigger the potential impact. For example, a companywide audit that identifies inadequate contract administration usually will have more impact than one that focuses solely on construction contract problems in a single business unit.
Spotlight highly-visible or -sensitive issues. This is particularly true in the government sector, where audit reports are often brought to the public’s attention. The impact would be immediate and significant if, for example, an audit discloses that agency officials are abusing official funds for personal use. However, in the public sector, as elsewhere, financial results are not the only issue. As I described in a blog post last year, much publicity came after I issued a report that government employees in my agency were using their work computers for the SETI@home project, a scientific experiment that used internet cooperation to search for extraterrestrial intelligence. And we can all imagine the headlines if a government audit discloses consistent, agency-wide lack of adherence to carbon emissions regulations.
Explore health or safety issues. Such audits do not have to be broad or extensive. For example, auditing a facility renovation plan might disclose that the plan does not ensure adequate asbestos abatement. Lives might be saved if an audit finds that a medical technician training program does not adequately train personnel on the use of life-saving equipment.
When identifying big-impact audits, you should consider the attributes your stakeholders value. Stakeholders are unique, though they almost always appreciate practical recommendations that enhance the bottom line by increasing revenue, managing costs, or mitigating key risks. That is particularly true when navigating the macroeconomic headwinds of 2022. But our customers also value audits that unearth significant new risks or that respond to their specific requests.
Sure, some may think, “internal audit never really changes anything in my organization,” or “our audit department is so small we can’t really make a difference.” But any audit is more likely to have a big impact if we have the basics in place. For example, we are more likely to get results if our audit reports are succinct and timely, and if they show balanced results based on continuously objective auditing. When we are regarded as trustworthy and fair, our reports are likely to carry more weight. And, by building strong relationships with management, we are helping to ensure that our recommendations are given serious consideration. The result? Most types of engagement can have a big impact under the right circumstances.
In internal auditing, as in life in general, you don’t have to be big to make a difference. In an upcoming blog, I will outline five specific strategies for making a bigger impact with internal auditing — strategies that can be used successfully even by the smallest internal audit shops.