
Lazy auditors

February 4, 2021

Internal auditors don’t always have to work harder than others, but I do want them to work smart.

I have seen what I would consider lazy practices over the years and more recently in comments on LinkedIn.

Here are some examples:

  • “Give me a checklist or audit program that I can use.”

This is lazy because the scope and audit approach for every audit needs to be refined every time to address what matters today and will matter tomorrow, rather than what mattered in the past. Assuming (and we know what that means) that the individual who developed the program in the past has it right for today is lazy.

It is especially lazy when it is a document downloaded from the internet or passed to you by somebody in a different company.

Use it as a basis for your own work, perhaps, removing and adding tasks as needed – after thinking it through carefully. But it is usually better to start with a blank sheet and an understanding of the risks that matter and the controls in place to address them. Only then, perhaps, use somebody else’s work to challenge yours.


  • “This is true because the standard/framework/book says it is.”

It is so much better to think for yourself. I have seen LinkedIn comments saying that something is necessary or true because this or that standard says so. Well, sorry, but you need to determine what is appropriate for your specific organization at this point in time. While publications (even my books) should be “food for thought”, thought is necessary. Blindly following the standard without understanding whether and how it applies to your specific situation is lazy.

By the way, so-called ‘best practices’ are what somebody who doesn’t know your organization thinks is best. It’s lazy to go with them instead of thinking about what is best for your business.


  • “I am auditing to company policy.”

But sometimes the policy may be outdated or even sub-optimal. When you audit for compliance with a silly policy, are you auditing against what the organization needs?

We have all heard or even experienced situations where somebody, some official perhaps, gets in the way of progress because of the rules. Maybe those rules need to be changed!

Assess whether policies, standards, and other guidance are appropriate and right for the organization before auditing against them.


  • “We always do it this way.”

You wouldn’t accept this from an ‘auditee’, so why say it yourself? Why be so lazy?

We should constantly challenge our own past practices, even if they have been hugely successful, and see if there is a better way.

For example, I see LinkedIn posts saying you need to have a standard report format if you want to communicate effectively with executives and the board. That is totally wrong: the way in which information is communicated should be tailored to the needs of the individuals you want to receive it – and act on it.


  • “The control is not functioning; fix it.”

If there is a problem with a control, it is lazy not to perform a root cause analysis and find out why it is not functioning. That root cause (and there may be several) must be addressed for the symptoms (the control failure) to be healed.

But there is another why that has to be asked: why is the control important? Why is it needed? Maybe it is not really necessary and that is why it is not being performed consistently.

If you don’t understand the risk that a control is intended to address (see the next point) and whether it justifies the time and cost of performing the control, you can be asking management to waste scarce resources.

It may also be the wrong control procedure; maybe there’s a better way to address the risk (such as using analytics).

It is lazy to see a control is not working properly and as a reflex ask management to fix it so it is performed consistently in future. Make sure you are encouraging actions that are right for the business, not theory or what is “usual”.

In addition, it is lazy to describe a ‘finding’ (an awful word) as “high risk” without explaining why and to what. In other words, explain how the business and its success may be affected.


  • “It is my job to find issues; it is up to management to fix what I have found.”

Continuing from the last point, it is lazy not to work with management and agree with them whether the issue is important or not. The control may be unnecessary or redundant. It is lazy to ask management to continue to perform a control that has no real value.

It is also lazy to send management the draft report with a recommendation (“fix it”) rather than sitting down with them and working out what is the best corrective action (if justified).

Our job is not to find issues. Our job is to enable valuable change. We have failed (IMHO) if management doesn’t see the value of a change and either delays or even ignores it. We succeed when management agrees that there is value in a change and therefore wants to make the change.

It is especially lazy to ask them to make a change where we haven’t worked with them on the need or what the appropriate change is, and then criticize them again (in a follow-up on ‘outstanding findings’) for not making the change on our schedule.


  • “My audit is for two weeks, so I will keep on auditing.”

If it is clear that you are not going to find anything (more) of significance, and you can provide an opinion on the more significant risks to the enterprise based on the work performed, stop! Work should not expand to fill the time available. It is lazy to keep going instead of working with your manager to adjust the schedule.

It is also lazy to continue with the original scope and schedule when it is clear that there are areas of significant risk to the enterprise that were not included in scope, or it is clear that getting to the root cause of serious issues within the current scope will require additional time. Work with everybody to adjust the schedule accordingly.


  • “I can only say what I can prove.”

This is also laziness. While it is desirable to have evidence to support your assessment, your opinion, we are professionals – and entitled to have professional opinions.

Some of the most valuable insights and other information we can provide management and the board stem from our objective and independent view of operations, including people. While we may not want to commit all our thoughts to writing, we should be willing to share our insights as professionals on the competence of managers, the culture of the organization, and so on.


There are other lazy behaviors that I haven’t mentioned. Please feel free to add them in your comments, as well as your thoughts on the ones I have listed above.

  1. February 5, 2021 at 2:05 AM

    Absolutely right points, these are reasons for a certain death of the audit-profession. In a VUCA-World we as auditors have to be creative, have to adopt our audit approach to the current situation, have to think what happens in the past, what will be the next development, need to be counterparts for management on eye level and are required to take the perspective of management and still be committed to the laws, values and standards of the company

    • February 11, 2021 at 2:29 AM

      100% with you Stefan and Norman.

      I think the problem concerning the LinkedIn comments is that many are looking for a one-size fits all solution. Each company has different concerns and risks to be aware of so there isn’t a single solution out there that will fit everyone.

      Sharing best practices is important, but so is having a complete understanding of an individual business and educating on this matter.

  2. February 5, 2021 at 3:02 AM

    Norman, couldn’t agree more!
    As an addition how about, ‘I decide on the annual audit based on my judgement of the risks faced by the company. Any management involvement would threaten my independence’.
    And
    ‘Why are the company’s objectives relevant to the audit plan?’

    • Dorcus Ngoasheng
      February 5, 2021 at 7:53 AM

      David, I like your question. And thanks for your books on risk based internal auditing hopefully lots of auditors will learn from them. The books are providing good guidance for auditors to ensure that their plans are relevant and in line with organisation’s risks and objectives.

  3. Bertrand
    February 5, 2021 at 3:51 AM

    Very good post Norman.

  4. Dorcus Ngoasheng
    February 5, 2021 at 7:50 AM

    Very well put. I like point one more. Some auditors are so lazy to think out of the box and would rather use standardized audit programme without considering the dynamics in each project. Thank you

  5. Dorcus Ngoasheng
    February 5, 2021 at 7:54 AM

    David, I like your question. And thanks for your books on risk based internal auditing hopefully lots of auditors will learn from them. The books are providing good guidance for auditors to ensure that their plans are relevant and in line with organisation’s risks and objectives.

  6. FloridaBuff
    February 10, 2021 at 6:38 PM

    Good article!
    My comment is that many “internal auditors” are CPA’s who spent all their education learning to comply with fixed standards. Internal audit is only partly compliance work, with much of it requiring creative analysis and review. I have found many CPA financial auditors not able to make the transition to dealing with unstructured, ill defined operational areas needing audit and they need to learn how to do so. I once took over the internal audit function at a Nissan operating division based in California, and found two Big 4 CPA’s on staff who spent four months just auditing expense reports and had only one finding. Now they worked for the ill suited former accountant Internal Audit Director I replaced, but they didn’t see anything wrong with doing the massive expense report audit following statistical sampling. There really is a difference between operationally focused internal auditors who may be CIAs and compliance driven CPA’s.

  7. February 13, 2021 at 3:19 AM

    Norman, interesting to compare your comments above, such as, ‘…, it is lazy not to work with management and agree with them whether the issue is important or not. The control may be unnecessary or redundant. It is lazy to ask management to continue to perform a control that has no real value.’ with the sample questions in the IIA’s ‘Internal Audit Assessment Tool for Audit Committees’ (https://na.theiia.org/news/Pages/IIA-Launches-New-Assessment-Tool-for-Boards-and-Audit-Committees.aspx ). Very little in the latter document which refers to working with management, on risks for example.

    • Norman Marks
      February 13, 2021 at 6:20 AM

      That is unfortunate!

  8. David Doney
    February 13, 2021 at 10:10 PM

    “Our job is not to find issues. Our job is to enable valuable change.” – Words to audit by!

  9. April 6, 2021 at 8:40 PM

    Hi, very insightful pieces of work shared.
