
Rethinking internal auditing

In 1998, the magazine of the American Institute of Certified Public Accountants (AICPA), the Journal of Accountancy, approached the IIA. They said they wanted to write an article about progressive internal auditing leaders and (I thank them) the IIA pointed them to me.

I was the CAE of Tosco Corporation. I had been in that position for 8 years and had seen the company grow from $2 billion in revenue to $15 billion. It was still growing rapidly and profitably. Tosco would reach its peak in 2001 when it recorded $28 billion in revenue and was about #50 in the Fortune 500 list of US companies. Sadly, the board decided to take advantage of the market and sold the company to Phillips Petroleum for $7.5 billion.

Today, I want to share the piece they wrote.

Looking back, I haven’t changed my thinking a great deal in the 20+ years since then.

I will let you read it and then comment on what I might say differently if interviewed today.

Rethinking internal audits

By Anita Dennis

Journal of Accountancy, November 1998


What are the keys to running a lean, proactive internal audit department? At Tosco, a petroleum refining and marketing company, Norman Marks, general auditor, has developed an approach that adds value while reining in costs. His strategy can help to provide a model for other internal auditors seeking to enhance their departments’ contributions.



When Marks joined Tosco in 1990, the audit committee’s chairman said to him, “I’ve got about $6 million worth of stock in this company. Make sure there are no surprises.” Marks has taken it as his charge to protect all the stakeholders in the company from a variety of unpleasant surprises that can result from failures in internal controls. “We have to consider the integrity of financial reporting, custody of assets, environmental and safety issues, and the efficiency and effectiveness of operations,” Marks says, in addition to what he calls “the 60 Minutes test.” “I try to protect us from doing anything that would embarrass us if it ever turned up on 60 Minutes.”

The challenges of his job have grown along with the company, which went from a $2 billion operation in 1990 to an organization today with $15 billion in sales. Despite its size, “it’s a very small company. In 1997, we had sales of $13.3 billion, but our pretax earnings were $381 million, just 2.9% of sales. That’s not a function of write-offs but of the fact that the petroleum industry has very thin margins. In terms of revenue per thousand employees, this industry has one of the highest ratios, which means we have very few people for a very large amount of dollars. Since our margins are thin, to survive in the industry you must be one of the lowest-cost operators, which we have become.” At the same time, companies in the industry face financial uncertainties in a number of transactions. Tosco, for example, buys $10 billion worth of crude every year, which is subject to market price shifts; at a single refinery, operating costs can run $100 million per year, or one-fourth of its pretax earnings. “That gives me a lot to worry about. Not only must I consider outside forces but also I must provide the audit committee with assurance about controls and I have to be careful about how much money I spend.”



When Marks came to the company, he had worked in public accounting and in industry. “Having been audited and having done auditing, I saw how painful and disruptive it could be. I wanted to do something that was more like a service.” To achieve his goals, Marks has crafted an approach to make the most of his 22-person audit staff. To measure efficiency, he relies on benchmarks to compare his operations against those in the industry and in manufacturing as a whole. For example, his company has 1.3 auditors per billion dollars of gross sales, while the industry average is 4.35 per billion. While Tosco has 0.67 auditors per 1,000 employees, the industry average is 3.05 per 1,000. However, he considers the most important benchmark to be internal audit cost as a percentage of sales. For his company, that number is 0.017%; for the industry, it is 0.044%.

How can the audit department maintain these numbers while providing high-quality audits as well as offering worthwhile solutions to company problems? His blueprint is one that may serve as a recommendation for other internal audit departments seeking leaner operations:

Stop auditing history. “Our general routine is not to go back and audit what’s happened in the past,” Marks says. “Many companies will take a month’s or even a year’s past transactions and verify them. All that’s doing is auditing the past. My job is to audit the present and to provide protection for the future. Our emphasis is on the controls we have today rather than on what might have taken place.”

Narrow the focus. In a step he calls using a laser rather than a shotgun, Marks’ department focuses exclusively on key risks. For example, Tosco’s Linden, New Jersey, refinery could be considered the top risk area in the company based on the volume of its operations and the money. While some internal auditors might audit the total refinery, “I am interested only in certain business risks within that operation,” Marks says. “We decide where, if controls fail, we are likely to have a problem.” Areas to audit are chosen based on a subjective assessment of risk to the company and value of the audit. “Each audit has a value (to management and the board) in its assessment of controls and in the positive changes it effects. The changes could have a direct contribution to the bottom line (such as cost savings, revenue enhancements) or an indirect contribution (risk reduction, fraud deterrence). We work with management at all levels to define those areas.” In a given year, Marks may determine that the biggest risk in accounts payable is payments to maintenance contractors, so the auditors will target just that segment of accounts payable. In the following year, observations of the refinery operations and experience in other audits may lead the auditors to examine payments to utilities. Although the internal auditors perform a number of audits at the refinery, they concentrate on selected risk areas rather than blanketing an entire department.

Dispense with lower level staff positions. While some audit departments have a hierarchy of positions ranging from neophyte to manager, Tosco hires mainly manager-level staff and some seniors. “If you ask managers how much time they spend supervising, training, reviewing workpapers and rewriting the audit report, you find they are probably spending as much time as if they were doing all the work themselves,” Marks says. The department seeks a blend of experience, from people who’ve worked with large and midsize accounting firms to former controllers, treasurers and internal auditors in the oil and other industries. Because Tosco has cut out an entire level of staff, “our cost per auditor is higher, but total audit costs are lower.” Productivity also is enhanced. “Our people are so much more experienced that the quality of the audit tends to be higher. We are able to explain to people in other departments what we are doing and focus quickly on the significant business risks. Since we don’t go in and ask silly questions, the work is received better by people in other departments.”

Employ stop-and-go auditing. In this technique, auditors go into an area and determine on the job whether the risk is so low that an audit isn’t needed or whether greater resources should be devoted to the audit because of questions uncovered. With experienced people and a narrowed focus, this technique can greatly boost efficiency, but companies don’t always employ it. When the company acquired a wholesale terminal, Marks was told that the previous owner had sent two internal auditors to perform a month-long audit; the Marks team, however, sent one person for four days. “Our managers know every unnecessary hour spent auditing an area costs the company money and takes time away from another project we could do that has value.” On most jobs, auditors go in with an estimate of 250 to 300 hours to perform the work, but they are encouraged to use their discretion to spend more or less time as needed. “We hire people who are proficient enough to make those decisions.”

Position auditors throughout operations. Tosco’s auditors work alongside other staff members in locations throughout the company’s operations, which include refining and marketing. Marks believes this enables them to understand a business area and its risks and to add value in the eyes of the audit committee and management by, for example, becoming familiar enough with an area to offer useful suggestions. “We don’t want to be seen as outsiders coming in from corporate management but, rather, as part of the local management team.”

Marks has not experienced resistance to the changes he has made in his area because of the quality of the people in his department and the value that they add to processes throughout the company.



Marks believes his approach is justified by the fact that well over 90% of the recommendations made by the internal audit department are implemented. For example, some of the company’s audits may cover a business risk that spans many departments, such as the one performed recently on travel expenses. The company’s travel agent forwarded to management any reports about travel items that departed from policy. Those reports were then sent to two vice-presidents for follow-up. The internal auditors suggested the reports be sent to the relevant department manager instead, since it seemed unnecessary to tie up senior executives’ time over travel expenses. “The person doing the audit who made that suggestion is an ex-controller, and he knows how to run a business,” Marks says. “Because I run the audit department as a business, we’re always trying to make sure we’re adding value.”


The fundamentals have not changed in my approach. I would change some of the language, but the practices I developed for Tosco endure.

  1. I would talk more about assurance and its positive value for our leaders. That’s more of a language change, since even then I knew that telling people that “everything is OK and there is nothing to worry about” has huge value to board members and top executives.
  2. Instead of talking about not auditing history but today, I would talk about the need to audit today and tomorrow: what might happen over the next year or so. Change is where the greatest risk and opportunities lie, and where controls are more likely to be in need of improvement.
  3. I would emphasize that when I talk about risk-based auditing, I am talking about risks to the enterprise as a whole. I worry about risks to a process or business operation if and only if it is a source of risk to the enterprise as a whole.
  4. At Tosco, I was more concerned with things that might go wrong as our margins were thin. But that changed as I moved from Tosco to other organizations. I included in my audit plan controls that provided assurance that we would take advantage of possibilities that would benefit us, the creation of value, whether in sales or even in procurement.
  5. I would also make every effort to avoid using the 4-letter “r” word, as it has negative implications and triggers less than an enthusiastic response from management.
  6. The article doesn’t say anything about reporting. This is an area where I made a lot of innovations at Tosco that I carried on in my later positions. Basically, it’s the idea that you “tell them what they need to know, not what you want to say, and do it in as few words as possible”.
  7. I would also say something about the people on my team. They were the source of any success I had. I learned a lot as a leader and would bring those out – as I did in my books.

Questions for you:

  1. How have the profession and its practice moved on from what I was doing in 1998? Or have many still to catch up?
  2. The idea of not hiring junior staff was highly controversial in the 1990s. It was before SOX, so there was little need for that level of internal auditor. Do you agree with the basic principle explained in the article?
  3. Do you audit controls over the creation of value?
  4. The article doesn’t talk about technology, although I used it when it had value. Do you agree with me that the use of technology has to be dependent on its value? In other words, if we really have a dynamic audit plan, you should make sure there is value in spending the money to develop internal audit software and analytics that may only be used once.
  5. What other comments do you have?
  1. April 14, 2020 at 3:39 AM

    How have the profession and its practice moved on from what I was doing in 1998? Or have many still to catch up?
    Although I’ve been retired for many years, I don’t see any evidence from publications that the profession has moved on. Indeed, there still seems an insatiable appetite for ‘Internal Control Questionnaires’, which indicates some of the profession hasn’t moved on from the 1950s.

    The idea of not hiring junior staff was highly controversial in the 1990s. It was before SOX, so there was little need for that level of internal auditor. Do you agree with the basic principle explained in the article?
    Yes. I removed the junior posts when I was CAE.

    The article doesn’t talk about technology, although I used it when it had value. Do you agree with me that the use of technology has to be dependent on its value?
    Yes. Why should IA be different from any other function? (IA should also not be involved in using technology to monitor the on-going effectiveness of controls – that’s management’s job.)

    What other comments do you have?
    I haven’t seen the word ‘objective’ in your article. It’s the aim of internal audit, and all other functions, to assist the organisation in achieving its objectives. IA does this by checking that circumstances (risks) which will affect the achievement of these objectives are being managed by processes (controls) to bring them to a level of likelihood and consequence considered acceptable by the board. This includes the ‘risk’ that opportunities to increase value are not taken. IA reports on the basis of this checking as to whether the organisation’s objectives are likely to be achieved into the future.

  2. Luke
    April 14, 2020 at 2:47 PM

    Great article. I don’t agree with not hiring junior staff though. Where are the next generation of CAEs supposed to come from if all CAEs are looking for the finished product rather than a work in progress? Where are junior staff supposed to learn from?

    I so wish I was in internal audit in your time rather than now though 😊. All we ever seem to do nowadays is just SOX and I can tell you, it is so so so boring!

    Looking forward to your next article.

  3. Perplexed!
    April 15, 2020 at 2:32 PM

    Hi Norman and readers, I like how you’ve phrased the “60 Minutes test”. I’m part of a small audit shop and try our best (based on your influence!) to hone in on the risks that really matter for the future.

    However, we face a particular dilemma where our audit reports are included as board committee materials and presented there, as we are directly accountable to them. At the same time, our regulators have the right to inspect the board minutes. So we are strongly advised by the legal team to avoid reporting in writing matters that could be considered damaging or give “bread crumbs” to the regulator in case they visit. Wondering what you would do in this situation to get the most value from the audit function?

    Really appreciate the blog and community – really helps us stay on course!

    • Norman Marks
      April 15, 2020 at 2:57 PM

      Good question.

      I would review every preliminary draft report with legal to make sure I understand what they consider to be ticklish language, and I would make every effort to remove anything of that ilk. Legal will advise whether the draft should be destroyed.

      Your report to the audit committee should be seen as oral, supplemented by written materials. Cover the ticklish matter verbally and let the secretary to the committee (presumably the general counsel) write the minutes. If you write the minutes, do so with legal advice.

      That’s what I did and I hope it will work for you.

      • April 16, 2020 at 1:29 AM

        I can appreciate the position of ‘Perplexed’. Luckily I have never been in it. I find it unsettling, to say the least, that IA is being prevented from reporting on what could be their most significant findings. If anything serious occurs, doesn’t that put IA directly in the firing line?

      • Perplexed!
        April 17, 2020 at 7:27 AM

        Appreciate the discussion and advice Norman and dmgriff! Yes, we recognize that both legal and internal audit are trying to manage risk, and it’s definitely awkward as we thread a fine needle. We’ll need to up our verbal reporting, yet I agree it’s a bit unsettling and treads on independence issues when we’re prevented from putting in writing the report and subsequent follow-ups to the most important things. I’m concerned that our board is not yet mature enough to hold on to the facts through time and turnover when things are only discussed verbally.

        But if we’re clear about the issues with management and the board, and clear about the management response, I’m thinking that should help us from being in the firing line.

  4. Bertrand
    April 22, 2020 at 2:44 AM

    Formal transparency enforces good governance and clear communication. To avoid awkward words is one thing; to destroy a draft and not report high risks (even in a diplomatic way) is a regulatory breach, at least in the finance industry.

  5. Godern Chuma
    May 3, 2020 at 4:06 AM

    Since audit is about assurance, this article seems more like advisory than the former. Should there be no balance between the two audit focuses?
