Home > Risk > Internal Audit mistakes

Internal Audit mistakes

December 9, 2021 Leave a comment Go to comments

I want to share Garyn’s fine post on Six Common Internal Audit Miscues to Avoid.

I fully endorse this former IIA vice president’s comments about “overemphasizing independence and objectivity”. Hal’s points that objectivity is far more important and that we need to do what is best for the organization (with the support of the audit committee) and absolutely right.

I recall one CAE telling me that they couldn’t use the same analytics software as management because they had to maintain their independence. Absurd!

The point about needing to complete the annual audit plan is also spot on. Internal audit needs to move to an audit plan that is continuously updated, rather than what was considered important up to a year earlier.

I also agree with his point that “it makes sense to pursue conformance with the Standards, but don’t prioritize it to the level where it risks making internal audit less relevant in your organization”.

I agree with his fourth point about co-sourcing and setting up a strategic relationship with your provider. I just wouldn’t call it out as a major mistake.

His fifth point is far more important, although I would phrase it differently. We should:

  • Audit the risks that matter to the achievement of enterprise objectives
  • Audit them when they matter
  • Not audit stuff that would never matter to leadership (this is so important!!)

The final point talks about turning over analytics and continuous auditing tools to management. Let them use these technologies as detective controls, rather than holding on to them as audit tools. The only time I would retain the use is when I need them for fraud detection. Even then, I would have to think about getting management to take over the fraud detection responsibility.

Hal closes with this important observation: “don’t accept conventional wisdom, and focus on adding the most value you can always, at all times”.

Well done, Hal.

What do you think are the most common and important mistakes internal audit functions make?

  1. Mamane Ibrahim
    December 10, 2021 at 1:45 AM

    Thanks for sharing, Norman. Hal covered the main common misconceptions of Audit functions. Consultancy and Advisory activities are key as they provide timely and fit for purpose insights within the organisation. To me, there’s one element missing: IA should better use the opportunity provided by combined assurance. This means using 2nd Line assurance, external audits (quality, third-parties, statutory, compliance, …) and others type of assessments to supplement IA in its role, an assurance provider. Audit should leverage the existing tools and share best practices with internal teams, it will help to get out the policing perception of the role.

  2. December 10, 2021 at 9:23 AM

    Norman, ‘the most common and important mistakes’? The impression I get is that the worst mistake is the continued use of ‘audit questionnaires’, some bought off-the-shelf. Alternatively, the repetition of the previous audit’s work, usually in 10% less time.

    • Norman Marks
      December 10, 2021 at 9:27 AM

      Well said, David

  3. Johann
    December 11, 2021 at 9:39 AM

    “Not audit stuff that would never matter to leadership (this is so important!!)”

    Who do you include in ‘leadership’ i.e. audit committee, senior executives, or also middle management?
    only head office executives to the exclusion of branch/subsidiary executives ?

    “Stuff that would not matter” ? Take as example reputation risk or customer complaint management. It is not the top of mind operational or revenue issue for management; and would not be an important issue they would want on the plan – until there is bad publicity from a data breach…

    • Norman Marks
      December 11, 2021 at 10:05 AM

      Johann, that’s a good question.

      I focus on what would matter to the board and the top tier of management. That is a way to consider what would matter to the objectives and success of the organization as a whole. If I have time (which is always at a premium) I would consider what would matter to the next level down, division heads, etc.

      Th reputation of the organization is something I believe would matter to the board and top management, especially as it would likely affect both short and longer-term results.

  4. Lalit Dua
    December 17, 2021 at 4:22 AM

    Internal auditor is required to be objective in assessment and reporting and also maintain independent status as well. Is it a mistake if Internal Auditor is doing hand holding or taking initiative to start an improvement process relating high risk observation or support in developing and documenting SOPs and operating manuals?

    • Norman Marks
      December 17, 2021 at 4:37 AM

      Laliy, it is not a mistake. We have to be careful not to make decisions, though. SOPs and operating manuals are a management responsibility. We can go as far as drafting something, if necessary and the right thing to do for the business, but management has to decide whether they are correct, etc.

  1. December 9, 2021 at 5:40 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: