On the Frontlines: The Past Informs the Future

However, the business environment is never static. Unexpected challenges emerge, controls evolve, and feedback from stakeholders during audits can influence the course of future actions. Given these factors, auditors must ask themselves: How can we ensure that we are learning from our past audits?

One of the key tenets of the U.K. Financial Reporting Council’s Turnbull Guidance on Internal Control is that “a feedback process should be in place to learn from mistakes and to harness potential improvements and risk reductions.” To incorporate past lessons learned into the next audit plan, internal auditors should consider the following areas:

Feedback from the Field Auditors

The most immediate source of lessons learned comes from audit fieldwork. As audits progress, there is often a disconnect between the initial plan and the reality of the organization's controls, processes, and risk exposure. Auditors should capture any deviations from the plan and document the reasons for such. Some rhetorical questions to consider include:

• What were the surprises during the audit?
• Were controls too rigid to address current risks?
• Did human behavior or organizational culture play a significant role in the audit's outcome?
• Were new auditors involved and what did they observe? Sometimes new auditors have fresh perspectives or observations that may have been overlooked by more seasoned auditors with more familiarity with the process.

Client Feedback and Post-engagement Survey Insights

Client and stakeholder feedback is essential for improving audits. Insights gained before the audit, during fieldwork, and through post-engagement surveys help auditors refine plans. For instance, if multiple departments expressed a lack of understanding of the audit or its scope, this should be addressed in future audits, possibly through improved communication.

Feedback from exit interviews, emails, phone calls, and informal discussions provides valuable perspectives and can reveal unidentified patterns related to the audit process. Informal events, in particular, can provide useful insights into human behavior and rationale, especially if the audit client does not feel pressured or interviewed and is able to provide honest feedback without being “on the record.”

Standard 11.1 Building Relationships and Communicating With Stakeholders states that, “When informal interactions occur consistently, employees gain trust in internal auditors, increasing the likelihood of candid discussions that may not occur in formal meetings.” As such, an open-door policy fosters constructive critique, helping auditors professionally assess and improve on their work.

Human Behavior and Response to Controls

When controls are designed and implemented, the role of human behavior is often overlooked. Humans have unique ways of responding to controls based on their understanding of them. For example, people respond to controls if they 1) understand the controls and 2) understand the consequence of a control lapse. Organizational leadership and culture, employee engagement, and performance management all play a significant role in how well employees and third parties respond to audits.

Involving stakeholders early in the process, educating them about the importance of controls, and creating an atmosphere of accountability can help ensure that controls are more than just procedures to be adhered to. With this understanding in place, auditors can design plans that can adapt to changing circumstances.

Moving Ahead with Agility

While historical information provides us with context, we must be careful not to get locked into rigid planning that makes necessary adjustments cumbersome. Agile auditing encourages auditors to be flexible as new risks or opportunities arise. Internal auditors should embrace more agile auditing practices that allow them to respond quickly to changes as they occur.

By incorporating feedback from fieldwork, understanding the impact of human behavior on controls, and embracing more agile audit methodologies, auditors can create plans that are not only comprehensive but also adaptable to the changing risk environment.