Building a Better Auditor: 'Tell Me Something I Didn't Know'
Hillel Judasin, CISA, Feb 21, 2023
The idea of internal audit achieving the status of “trusted advisor” has been written and lectured about frequently in recent years. Authors and speakers have suggested many attributes auditors should have and behaviors they should exhibit in their quest, all of which are important. I’d like to elaborate on the importance of being business-oriented.
Let’s start with this premise: Internal auditors are supposed to identify unknown risks that, if actualized, would prevent the organization from achieving its business objectives. We do this by auditing processes, assessing inherent risk, and testing the controls to inform executives that the level of residual risk is within the organization’s risk appetite.
Generally speaking, department leaders in the audit organization devise a list of processes, functions, departments, technologies, and regulations that require review. The auditors assigned to an audit project are charged with learning about the processes being performed and the design of controls that management perceives are integrated into those processes. While we may want to believe otherwise, the topic of “risk” is addressed later. The risk statements are often “backed into” and tests are conducted out of context with the entirety of the processes, department, and organization. (Evidence of this claim can be seen in risk statements that are really “negative controls,” meaning the risk is that the control does not exist.) The problem is what happens next.
A test of transactions or something similar reveals some amount of deviation from the expected result. Timing of an approval was late or missing, a document was not in the file folder, a transaction was processed even though it was greater than the level of authorization, a login account remained active when it was no longer needed, amounts were not summed correctly, a reconciliation was not performed, etc. All of these could allow someone to perpetrate an action that could inflict damage on the organization — or not. The word risk is usually used to describe the terrible outcome from the missing control. To figure out what the risk is, the questions typically asked are: How much damage? What are the odds of it happening? When answered correctly, the report should explain which control did not function as expected and what could go wrong as a result.
There really is nothing wrong with this approach and you would be considered a good auditor if you practiced your audits this way, but I am not sure that you would be labeled a trusted advisor. I believe that there are several activities you can do that will promote you from good auditor to trusted advisor. One of these actions can be labeled, “Tell me something I didn’t know.”
An Epiphany
I can’t say I planned it this way at the time, but in hindsight, the following illustrates one activity a trusted advisor performs. A few years ago, in advance of releasing a report that revealed some serious issues, my team and I met with the CEO to explain what we saw. We were concerned for the audited department’s ability to support the organization’s objectives. At the conclusion of the meeting, the executive thanked us and added, “You told me something I didn’t know.” As an auditor, that’s probably the greatest compliment I could ever receive. It is the ultimate fulfillment of our mission to inform the CEO of risks to the organization about which he was unaware.
From time to time, my team and other teams had similar encounters. While we enjoyed the feeling of achievement when those words were spoken, the overall effect was even better. The CEO, other executives, and senior managers began to see internal audit not as nitpicky bean counters who only write pointless findings, but as a practical, business-oriented group with a panoramic view of the organization and a level of independence that allowed us to freely voice our concerns. At some point, the CEO and other executives started coming to internal audit to ask how we felt about a process or organizational change they were thinking about implementing. The questions were not merely about controls, but our view of the topic in the context of the entire organization.
Of course, not every audit reveals significant findings. Most are routine and even mundane. Those findings are important to report with an appropriate contextualized risk level. The question is what to do with findings that don’t add insight or value to anyone reading them. In that case, it might be better to convey our ideas to management “verbally” and not in an audit report, especially if the so-called finding is really a suggestion to management for a more efficient practice.
In conclusion, to achieve the status of trusted advisor, it’s not always about what we tell the CEO — but what we don’t tell the CEO.