Skip to Content

Building a Better Auditor: Be Lazier

Blogs David Dufek, CIA, CFE Apr 08, 2024

As auditors, we often pride ourselves — rightly so — on our attention to detail, and our ability to dig deep. We want to work hard and to provide adequate coverage. I’d argue that there’s room to be lazier — as a catalyst for innovation, smart scoping, and coordinated assurance. Tim Ferriss, author of “The 4-Hour Work Week,” wrote, "Doing less meaningless work, so that you can focus on things of greater personal importance, is NOT laziness." Understanding the difference between this “good” lazy and pure laziness (a dereliction of duty) is vital.

To be clear, I’m not calling for us to leave anything unaudited that is meaningfully or materially risky. Our professional standards and personal ethics demand that we perform sufficient work to opine on the key controls for the most critical risks and objectives. I don’t mean shirking responsibility or cutting corners. What I mean is that we must challenge the dogged pursuit of auditing too much, too often, and at too great a depth.

Auditing too much or too often can lead to diminishing returns. Let's not overcomplicate or overanalyze. Here are some signs you might be overdoing it:

  • You're lost in too many details: If you're spending more time on minor details than the big picture, you might be auditing too much. We do not need to prove every opinion we have.
  • Your findings are redundant: If your work only confirms what's already known without adding new insights, you need to reassess your focus. Don’t fall into the trap of telling management what it already knows. Management has identified an issue? Great! Give them credit, agree to remediation for future follow-up, and move on.
  • You repeat the same audit: Aside from regulatory requirements, if you find yourself doing the same tests in the same way three years after the last audit, have you fallen into habit, rather than auditing based on true risk? And where can you rely on first- and second-line monitoring and testing?

Knowing what not to audit is as important as knowing what to audit. Here's how you recognize when you're not adding value:

  • Auditing immaterial aspects: If it doesn't materially impact the business or customer, it’s not a key control and might not need your attention. If a control failure wouldn’t lead to material impacts, why would we spend time on it?
  • Testing beyond the finding: If you’ve already identified a poorly designed, non-operating, or ineffective control, stop testing further unless you're evaluating remedial actions or substantiating damage.
  • Ignoring Management’s Risk Assessment: Align your auditing with areas of risk — especially second-line partners in risk, compliance, and IT security; otherwise, your efforts might not align with business needs.

Embracing technology is crucial for efficient auditing. Here are signs you might not be using technology sufficiently:

  • You still like pulling paper files: If you still prefer hand-calculation or find yourself pulling too many samples instead of populations, you might be missing opportunities for automation.
  • You think you’re not an analyst: You don’t need to know how to code to use basic technology like Excel or PowerBI. You do need to know enough to allow your computer to do the heavy lifting for you.
  • You don’t plug into what management already uses: Collaboration is key, and modern platforms can facilitate better coordination and innovation. You may need to test the controls around the accuracy of their dashboards, but you don’t need to reperform most calculations.

A Commitment to Excellence

Being the good kind of lazy doesn't compromise your responsibility — instead, it’s a lever to improve your personal performance. Tim Ferriss's philosophy reminds us that doing less meaningless work can lead to greater personal effectiveness. In auditing, this means a more concentrated focus on what’s vital. And moving on from less important work assures that, over the course of a year, you’ll do a greater volume of vital work, too.

As professionals, we should look to our own processes with the same critical eye we use to evaluate management. Where are we lacking efficiency, scalability, and speed? Where are we failing to meet our stakeholders’ needs? In doing so, we should be asking all the ways in which we perform unnecessary work, where we duplicate efforts, and where we haven’t freed ourselves from the practices of 20 years ago. Today’s technology alone affords us the opportunity to be lazy — failure to change our practices is like continuing to rely on paper maps in a world of GPS, or refusing to use spell-check simply because you fancy yourself a good grammarian.

Here's to the art of being "lazy" in auditing — shunning needless complexity, fostering collaboration and innovation, and always maintaining our purpose. By embracing this wisdom, we redefine not just the way we audit, but the way we add value and excellence to our profession. Our outcomes are more important than our efforts, affirming that laziness isn't an excuse but a catalyst for efficiency, innovation, and superior assurance.

So, be lazier. Let's be sure our efforts correspond with the underlying risks. Do no more than that.

David Dufek, CIA, CFE

David Dufek is chief internal auditor for Internal Audit & Risk Consulting at Principal in Des Moines, Iowa.