
A good kind of lazy auditor

My congratulations to David Dufek for his recent article for the IIA’s Internal Auditor magazine, Building a Better Auditor: Be Lazier.

He makes several excellent points, but misses one: it can take hard work to be what he calls “the good kind of lazy”.

He says, and I agree with him:

Being the good kind of lazy doesn’t compromise your responsibility — and can boost performance.

This is the central theme:

Auditing too much or too often can lead to diminishing returns.

He says a lot in a couple of sentences:

If you’re spending more time on minor details than the big picture, you might be auditing too much. We do not need to prove every opinion we have.

  1. We should not be spending any time at all on minor details. Let me repeat that: we should spend zero time on low risks, risks that don’t matter to the success of the organization. As I say in the title of my ground-breaking book on internal auditing, we should only audit what matters – to the board and top management as they endeavor to lead the organization to success.
  2. We are entitled to have a professional opinion. We do not have to prove that we are right; we are not in a court of law where controls are effective until proven guilty. We spend far too much time as a profession (and in the Standards) documenting why we have made an assessment. Do we require this of doctors, mechanics, or other professionals? OK, the external auditors have to go to extremes, but we are highly unlikely to be sued for making an honest mistake. Investors are not relying on our opinions.

I also like this paragraph:

If your work only confirms what’s already known without adding new insights, you need to reassess your focus. Don’t fall into the trap of telling management what it already knows. Management has identified an issue? Great! Give them credit, agree to remediation for future follow-up, and move on.

  1. Telling people what they already know adds some but not much value. It is valuable, I agree, to confirm that controls are effective. But telling them they are not when they have already reported that to the board, for example, is anything but a good use of our time. I have written about the time when I was a vice president in IT and my team was in the process of implementing the ACF2 security package. The internal audit team took the list of outstanding items from our status report to management and turned them into “findings” without saying where they got (‘found’) them, and not giving us credit for having them on our project plan for imminent completion.

David tells us:

Aside from regulatory requirements, if you find yourself doing the same tests in the same way three years after the last audit, have you fallen into habit, rather than auditing based on true risk?

That’s the bad kind of lazy!

  1. If you are auditing the same area three years in a row because the risk is high and you have found control weaknesses, then you failed in prior years. You have failed to work effectively with management to get the controls fixed.
  2. If you are auditing the same area three years in a row because the risk is high, but you have not found serious control weaknesses in the past, where is the value? Go audit something where you can share not only your assurance, but valuable advice, insight, and foresight.
  3. If you are auditing the same area three years in a row and the risk is not high, shoot whoever put the audit plan together. This is laziness personified.

I really like this:

Knowing what not to audit is as important as knowing what to audit.

Only audit where there is value to your customer. In fact, only perform work that has value to your customer; the rest is, by definition (in Lean), muda or waste.

David shows great wisdom when he says this:

As professionals, we should look to our own processes with the same critical eye we use to evaluate management. Where are we lacking efficiency, scalability, and speed? Where are we failing to meet our stakeholders’ needs? In doing so, we should be asking all the ways in which we perform unnecessary work, where we duplicate efforts, and where we haven’t freed ourselves from the practices of 20 years ago.

  1. We should examine all our business processes, including risk assessment (continuing vs. annual); audit planning; audit staffing; control identification, testing, and assessment; and reporting. What can be eliminated without seriously affecting the value we deliver to our customers? How can we streamline those processes? Are all the controls, such as working paper review, necessary? Can our processes and controls be improved, streamlined, etc.? Are we making intelligent use of technology, where it delivers a greater return on investment (measured in value to our customers) than it costs in dollars and hours?
  2. Can we rely more effectively on the work of others?
  3. Are we doing things because we always have, rather than because they are the best way to deliver value to our customers?
  4. Are we doing things because somebody (maybe “the auditors” – IIA Standards – or the regulators) told us to? Do we really have to? Where is the value, and where is the risk if we don’t? Can we modify what we do to comply (or conform, whatever the difference is) at the lowest possible cost?

He closes well:

So, be lazier. Let’s be sure our efforts correspond with the underlying risks. Do no more than that.

Other than again recommending everybody read Auditing that matters, I don’t have much to add except that this good kind of lazy works!

I welcome your thoughts.

  1. Anonymous
    April 18, 2024 at 8:04 AM

    Thank you, Norman. The phrase “Good kind of lazy auditor” may sound catchy, but the right way to put the description of a good auditor is essentially an “Existing significant risk based auditor” 🙂