The Good, the Bad, and the Ugly in Internal Auditing 2023

I had a fair amount of time for reflection during my nearly month-long vacation over Christmas and New Year’s.

Here are some thoughts I would like to share.

X

THE GOOD

1. Debates (in webinars and social media pieces) about whether a one-page (or no-page) audit report indicated a very healthy openness by practitioners to challenging traditional thinking.

More people have embraced my mantra of “tell them what they need to know, rather than what you want to say, when they need to know – in a readily consumed and actionable way”.

2. People are starting to realize that there is a massive difference between Agile Auditing (a fad) and the need to audit with agility. Congratulations to Clarissa Lucas on her 2023 published book about the latter.

3. There was a major reaction to the IIA’s draft Global Internal Auditing Standards, demanding more attention to (enterprise) risk-based auditing, the reinstatement of “insight” and “foresight” from the Core Principles, and more.

Drifting into the Bad, there were serious problems with the IIA’s draft. But the Good is that they established very low expectations for the final product (just released), and the 2024 final product is a very significant upgrade to the draft. Who knows what we would have thought of it if we had not first seen that draft!!

X

The BAD

1. That GIAS draft. No more need be said.

2. A large body of practitioners are still performing full-scope and even cyclical audits. When will they learn to focus on the more significant risks to enterprise objectives, updating the audit plan continuously?

3. These practitioners and more (encouraged by GIAS and the IIA, it seems, who continue to require an assessment of risks to the entity being audited rather than to the enterprise) include risks in scope that are highly unlikely to represent a significant risk to the achievement of enterprise objectives. As a result, they perform large audits (making them anything but agile) and address issues of significance to middle but not top management or the board, while significant enterprise risks remain unaudited.

4. Consultants and many practitioners are obsessed with technology, such as AI. They are buying tools (and criticizing those who fail to do so) without first identifying the need and value (ROI).

Further, they are using the tools to detect errors – even though that is a management responsibility. These auditors are really performing detective controls! Rather than using the tools ourselves, we should be helping management use them!

X

THE UGLY

I have been called many names, with many descriptions over the years. When Richard Chambers named me one of the Beacon Award winners again (thanks, Richard), it spawned more epithets. I was called “an Internal Audit Icon” and the “Aristotle of Audit” (Andy Kovacs), “ineffably wise” (Sara James), and “venerable”.

This last led to a debate as to whether venerable meant I was old. Some responded quickly to say no, but Richard (thank you) confirmed that it was indeed a reference to my advancing years.

My thanks to Andy Kovacs for these two gifs: