On the Frontlines: Implementing Positive Auditing

Blogs Francisco Aristiguieta, CIA Feb 10, 2021

Or better yet, to consider why you take a loved one to the doctor for a wellness check. Is this just a requirement? An errand? Or is it because you want the peace of mind of hearing that "all is going well, and if there is something not going well it will be found and resolved"?

This is not very different from what internal auditors do:

  • We stay up to date with our industries — to find out "what bug is going around."
  • We have periodic "client meetings" — to listen for symptoms in the conversation, even asking, "Does anything hurt?" or "What is keeping you up at night?"
  • We make "walk-throughs" — to "examine" the conditions.
  • We use analytics — to look under the hood for common conditions, ailments we fought before, and conditions that the patient may have missed or dismissed because they didn't keep him or her up at night.

Internal auditors use all this information to perform risk assessments to determine if we need to perform an audit, the same way a general doctor may decide to refer us to a specialist for a deeper dive. The analogy doesn't end there. The deployed auditor will find what is not going well, recommend corrective actions, and follow up on completion, just as the specialist says, "Take these and call me in the morning." Even when all is better than we had expected, auditors are likely to find and recommend potential improvements, just as a doctor may advise a patient to "remember to eat well and exercise."

So what is the point of this analogy? Besides giving you a way to explain what you do the next time there is a bring-your-parent-to-school day, this analogy should trigger your memories about a doctor you have liked and a doctor you have not liked. Consider what made these doctors likeable or unlikable and decide if this is something you can mimic in your day-to-day work. This can help auditors create a model for implementing positive auditing.

Next time you have an audit client meeting, will you say, "Hello, you look better," "Hello, how is the diet going?" or "You know, you are still overweight"? Will you be a doctor who only spends two minutes per patient? Will you be the doctor who only talks about what is going wrong? Can you deliver bad news without killing the hope of how it can get better? At the end of the conversation, will you make practical recommendations or will you stick to vague clichés?

In summary, will your audit clients respect and seek your advice, or fear and avoid the waste of time of meeting you?

The answer to this question may depend on how you implement your understanding of positive auditing. If you force yourself to say something nice, it may not be meaningful. If you ignore the progress and focus on what is still left to do, you may seem unnecessarily harsh or rude. If you place too much emphasis on the progress, it may dilute the need to keep the ball rolling until resolution. If you don't know what to do, clients will notice, decide you are wasting their time, and stop collaborating.

So what can we do to be more positive?

Returning to the analogy, think of your risk assessments and audits as a doctor visit, decide what you would want your doctor to do, and try to do that. For your conversation with the client, consider:

  • How have previous visits been? Can you adapt to the client's style? Is this a "just give me the news" patient, an "I know better than you" patient, a "don't sugar-coat-it" patient, a patient dealing with a known condition, an impatient patient, or someone who likes to share all his or her observations for you to consider whether they are relevant?
  • Is there something on the client's mind that he or she would want to share? A problem or risk the client has identified recently and is monitoring? What has the client done about it so far? Also revisit your preparation notes — did you already know about this? Is it consistent with your understanding of the client's business?
  • What was the condition last time you met? Would it make sense to refresh this and ask about progress in that area? If you ran labs (analytics), can you bring up observed changes or progress on this condition?
  • From old audits and benchmarks, what are typical problems in this patient group (business area)? Should you ask about these at this meeting? Has the client seen these problems? How are they controlled or monitored?
  • From staying up to date, what are new problems of this patient group (business area)? Is there any reason to think it may be exposed to these new risks? Would the business benefit from hearing about this?
  • What analytics or other tests would you recommend from what you are hearing? Should internal audit perform them or should we wait until a better time?
  • Are the actions and recommendations meaningful enough to trigger action, but small enough that the action can be taken? As you recommend what to do, would the client prefer home remedies or brand medicines? Consider your full spectrum of remedies: self-development, process improvement teams, white papers, and external consultants.
  • What should the business watch for until next time? Can you give the client a "clean bill of health" from this visit? What is the next step and who should make it? When should you meet again?

Some people like their doctors, others avoid them at all costs, and frankly, no one likes getting blood tests or other invasive examinations. Regardless of what we think of the doctor, we complete the recommended exams and labs because we know our doctors have our best interest at heart and they have committed above all to "do no harm."

If internal auditors can show our clients this is also our philosophy, then they will be more open to talking to us about their symptoms and changes, tell us how they work around them, and ask us for help. They may even finally give us a seat at the table to discuss what changes they have in mind.

In one phrase, we would have successfully implemented our positive auditing approach: fair, approachable, and truly helpful — like a good doctor.

Francisco Aristiguieta, CIA, is responsible for internal audit analytics at Citizens Property Insurance Corp. in Jacksonville, Fla.