Condition
This attribute describes the current state of an audit area. It presents the objective facts in enough detail for readers to understand while still being concise.
However, there are conditions everywhere auditors look. For example, an employee sitting at her desk is a condition, but it won’t be part of an audit issue. The disciplined thought process always begins when an auditor observes a condition, compares it to the criteria, and finds that the two don’t match.
Criteria
The criteria state what should be. Auditors generally know how to recognize when a condition is not what it should be, but they should also know exactly what the criteria are and how solid they are. Laws, regulations, and established policies and procedures, for example, are very solid.
There are instances, however, in which policies and procedures are outdated, or employees have found a better way of accomplishing their objectives. In those instances, the auditor should recommend changing the policy or procedure rather than faulting the practice.
Often, the auditor’s criterion is a control principle, such as segregation of duties or appropriate authorization. Although these are valid criteria, the client might not understand them and may need more explanation.
Clients might argue that they mitigate the risk in another way, in which case the auditor should listen with an open mind and consider whether the client has an effective compensating control. If it is not effective, the auditor should explain why to the client.
Sometimes the criterion is the way it was done previously. In cases where the auditor has a better idea of how it should be done, he or she should suggest it to the client. For the most part, auditors are good at dealing with the criteria attribute.
Effect
The effect is the “so what” attribute because it clarifies the harm that has been or could be caused by the condition. This attribute is what separates good auditors from not-so-good ones. Inexperienced auditors who see that the condition does not match the criteria leap to the conclusion that it is a reportable audit issue, even when it is not.
Take, for example, a lead auditor at a bank who fell into this trap. The bank used 12 internal checking accounts to do business with vendors and other banks, but it had not reconciled three of the accounts in more than six months. During the exit conference, the bank president seemed surprised but did not comment on it. In a final review of the audit report draft before sending it to the bank president, the audit manager asked the lead auditor a question she could not answer: “What’s in those accounts?”
It turned out that one account had a balance of $252.63 that had not changed in more than six months, another was a clearing account that cleared to $0 at the end of each business day, and the third was a zero-balance account the bank had not gotten around to closing yet. If the auditors had released the report with the comment about the unreconciled accounts, the bank president would have looked into the accounts himself, and the insignificance of the finding would have cost internal audit credibility.
A key part of the disciplined thought process is auditors asking themselves and the client, “So what?” Auditors should keep asking this question until they know exactly how much harm has been done or could be done by the condition. For example, a retail store puts each day’s cash receipts into a night depository in a sealed bag. The next day, two bank employees open the bag together, prepare a deposit slip for the cash, and sign a log showing that they did it together. One day, they did not sign the log. So what?
- They are out of compliance with their procedure. “So what?”
- There’s no audit trail. “So what?”
- There’s no accountability. “So what?”
- One person could have opened the bag alone and stolen some of the cash. “So what?”
- The total cash in the depository can be over $3 million. “That’s what!”
In this actual case, a store reported to the bank that a certain day’s deposit did not appear on its bank statement, even though the store had placed it in the depository. The bank said it never received the deposit. When the case went to court, it was shown that the store’s employees had signed their log on the day in question but the bank’s employees had not signed theirs. The missing signatures cost the bank $240,000 plus court costs.
Auditors should keep asking, “So what?” until they know concretely what harm has been or could be done by the condition. If it’s real harm and they make clear what the harm is, their client will be able to devote the appropriate resources to correct it.
Cause
Of the five attributes, cause is the most important. It is also the attribute that internal auditors most often fail to address as well as they should. Many auditors complete all their testing before developing their audit issues and then don’t have enough time to get to the root cause. When this happens, they may have sacrificed more than half the potential value of the audit.
If time runs short, it is better to determine the cause of the conditions already found and skip the testing of less risky areas. Just as auditors ask “so what?” to establish the effect, they should ask “why?” to establish the cause. For example:
- Certain information on this computer report is not accurate. Why?
- The program did not treat this kind of information differently, as it should have. Why?
- The programmer missed it during the last program change. Why?
- The programmer was not informed that this kind of information should be treated differently. Why?
- IT did not consult with the end-user of the information before completing the program change. Why?
- Consulting with the end-user is not called for in the program change process. Why not?
The answers to these questions lead to the final answer: no one thought about the accuracy of the report’s information when the change process was created 15 years ago. The auditor could have stopped after the first “why” and recommended that the program be changed to treat this kind of information appropriately. That would fix the condition, but the same thing could happen with other program changes. Stopping after the fifth “why” and adding end-user consultation to the process would prevent this particular failure from recurring, but the answer to the sixth “why” brings the entire program change process into question. The recommendation should be that the process be revised based on current best practice.
The test of a root cause is that correcting it should prevent future instances of the same or similar occurrences. Updating the change process, for example, will affect every program change in the future, and revising it against current best practice may surface several other weaknesses in the process as well. That is a far more valuable recommendation.
Recommendation
The purpose of the recommendation should always be to correct the root cause, not just the condition. The IIA practice guide distinguishes between condition-based and cause-based recommendations. Sometimes fixing the condition is sufficient, but the best internal auditors always keep asking why until it is clear that nothing more should be done or something far more important emerges.
By rigorously asking “so what?” and “why?” several levels deep, internal auditors can greatly increase the value their work adds to the organization.