The risky internal auditor
Earlier this week, I discussed the topic of the risky risk officer. What is the ideal risk attitude to have in a risk practitioner?
Today, I want to shift to the risk attitude of the internal auditor.
Do we want an internal auditor that is so risk averse they won’t spend $5 on a lottery ticket with a 10% chance of winning $100,000?
No.
Neither do we want an internal auditor that enjoys running across a busy street for the thrill.
Consider the internal auditor who does this:
An audit identifies a weakness in internal control because invoices from telephone companies are only reviewed for validity if they exceed $100.
The auditor writes this up as a “finding”, rates the risk as medium because there is a possibility that crooks could create a large number of fictitious invoices under the threshold (and this has happened in the past) and the loss would then be significant.
The draft report is sent to management for a response. Management has two options:
-
- Go along with the auditor and promise to change the threshold to $50, even though they believe the additional cost is not justified by the risk; or
- Disagree with the auditor and create a problem for senior management, who does not want to appear obstructive in front of the audit committee and top management.
Here’s a second example, this time one that occurred to me when I was a vice president in IT.
An audit of information security resulted in an audit report with multiple ‘findings’ rated as high. They related to the ongoing implementation of security software (ACF2) and tasks that had not yet been completed.
In each case, the auditor recommended that the issue be corrected promptly.
Every one of the so-called findings was on the project task list that my information security team handed the auditor at the start of the audit.
When challenged, the auditor agreed that we had known about each issue and that they were already scheduled for action.
The auditor also agreed, and this is telling, that if he was the project lead he would not change what we were doing! He agreed with our priorities and that we had scheduled actions in the correct sequence, did not have the resources to accelerate the work (and adding resources mid-project was of doubtful value), and so on.
Nevertheless, the audit report remained with these ‘findings’ and recommendations. The IT audit manager insisted that the facts were correct (which they were) and actions were necessary. He refused to add to the report any language that acknowledged that we had already identified the issues and were addressing them appropriately. He also refused to acknowledge that accelerating the tasks would need additional resources.
I drafted a response pointing out that each issue was already on our project task list and no change in the project timeline was appropriate.
For that, I received a blistering call from top management telling me that I could not disagree in writing. I changed the response subtly to say that we would address each issue and gave the timeline in our project plan (without changing any dates).
Now consider this real-life example from my team at Business Objects S.A. (prior to the company’s acquisition by SAP).
An audit of the UK legal function by a team out of the Paris office (Olivier and Frederic) saw that the attorneys were so consumed by their review of draft sales contracts (required for revenue recognition purposes) that local management was engaging outside counsel for legal advice and work on a variety of initiatives and issues.
They recognized the risk this presented as significant, as outside counsel was not as familiar with the company, its business, or the issues involved.
Olivier and Frederic realized that the attorneys were spending nearly as much time on small contracts as on large ones. They used analytics to understand the population of contracts and worked with management (financial, sales, and legal) to set a threshold below which sales contracts would get a less thorough review.
They recommended management taking more risk in one area so they could reduce a more significant risk in another.
The two auditors approached this as business people, willing to take intelligent risks. They worked with management rather than acting as corporate police trying to make a name for themselves.
Auditors should never recommend actions they wouldn’t take themselves in management’s shoes.
Auditors need to listen actively and intently to management, working with them to:
- Understand and agree on the facts
- Understand and agree on the severity of any risk they represent
- Understand and agree on whether action is necessary
- Understand and agree on the options and which is best for the business
- Help management succeed in running the business
I don’t want auditors who can’t see a risk without rushing to stamp on it.
I don’t want auditors who are too readily persuaded to run across the road in pursuit of a sack of gold.
What do you think?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman, you make some very good points. Internal Audit is not special. Its aims should be the same as every other department in the organisation – to assist the organisation to achieve its objectives efficiently and effectively. This means a sensible balanced approach, not ‘How many points can I score? ‘
My experience as a line manager and CAE taught me that too many controls can be as bad as too few.
Tks Norman, I would love to learn more about real-life examples where the IA can bring values (i.e. advisory for areas of improvement) to the organization, instead of just performing cycle review.
Real-life examples are discussed in this blog and in my books. Thanks for asking
H, all too recognisable… I once worked at a global bank (see LinkedIn ;-/ ) where in some audit department, no report could be issued with fewer than three Medium risks. #fail