
Internal audit wastes so much time on policies, documentation, and more!

October 30, 2023

For years now, I have been preaching (sorry) about the need for internal auditors to cut out any activity that doesn’t create value for their customers in management and on the board.

This is an essential element in the great discipline, originally used in manufacturing by Toyota, called Lean.

James Paterson (formerly the CAE at AstraZeneca) has written a very useful book, Lean Auditing: Driving Added Value and Efficiency in Internal Audit. (Richard Chambers and I both contributed our thoughts.)

Paterson explains some of the principles in an article for the ACCA:

The overall aim of lean is to maximise customer value while minimising waste.

…key points include:

  • specify value from the perspective of the end customer and always ask: would a customer pay for what is being done?
  • pay careful attention to what really happens in an organisation (called Gemba or Go Look See)
  • aim for a flow of valuable work and a greater understanding of waste (Muda) such as waiting, rework, duplication etc., as well as unevenness of workloads (creating lulls) as well as points of overburden (that create bottlenecks)
  • create a culture of discipline to perfect and streamline processes and drive constant improvement through clear measures and other techniques (eg just in time, automation and error proofing).

Let’s think about this great Japanese word, “muda”.

The Lean Enterprise (and others) define it as: “Any activity that consumes resources without creating value for the customer”.

Applying the concept of muda to internal auditing can help eliminate “wasteful practices”: practices that consume our scarce time and resources without creating equivalent value for our customers.

So let’s consider practices that seem to be ingrained into internal auditors around the world.

Some of these may be challenging and cause outrage.

I will start with one of the first requirements in the IIA’s draft Global Internal Auditing Standards (GIAS)[1]:

Annually, internal auditors should obtain at least two hours of continuing professional education on ethics to enhance their awareness and understanding of their ethical responsibilities.

Why?

Do we really believe our CAE and staff need this? If so, we have a major problem.

This is muda. Wasted time and effort that could be spent on delivering real value.

GIAS also says in Standard 1.3:

The chief audit executive should develop and implement a methodology to ensure that internal auditors abide by laws and regulations relevant to the industry and jurisdictions in which the organization operates.

Evidence of conformance can be found, according to the draft GIAS:

  • Documented methodologies for handling illegal or discreditable behavior among internal auditors and legal or regulatory violations by individuals within the organization.
  • Supervisory review notes in workpapers or documentation of conversations between internal auditors and their supervisors that address concerns about illegal or unprofessional actions.

Why?

If the company doesn’t already have a Code of Conduct or similar, we have a problem. Demanding that the CAE develop a formal methodology is a waste of time.

Standard 2.1 says:

The chief audit executive must provide policies, procedures, and training to support and promote objectivity.

OK, I think I have said enough about GIAS (some will say it’s more than enough).

So let’s turn our attention now to audit working papers, a favorite target of mine. They are required by the draft GIAS (Standard 12.3 and elsewhere) which also dictates that the working papers must be reviewed and approved.

Why?

Where is the value?

That is the key question.

There are some organizations where working papers are required by regulators. There are some projects, such as investigations, that may be subject to litigation and need to be carefully documented. And there are some audits that are relied upon by the external auditors, especially for SOX compliance.

OK.

But for the majority of organizations and audit projects, they should be considered an optional practice and not mandatory.

Do them if and when there is value, and only to the extent that there is value.

If you think you need them to help you perform the next audit, think again. Are you really repeating the same audit every year? Won’t the risks, processes, and perhaps the controls have changed by the time you return to this area?

If you think you need them as evidence that you did the work, answer this question: who is going to sue you?

We are not the external auditors.

If you think you need them to supervise your people, there is some value. But only review the working papers to confirm they did quality work and leave aside checking that they have nice working papers that are to your standards.

Severely question the value of updating the working papers after your review if you are satisfied the work has been done, just not well documented.

Some people have a totally different view. They love their working papers!

Yellowbook-CPE.com[2] has a beautiful graphic including a statement that if the work is not documented, it is not done.

Nonsense!

I don’t review working papers to find out whether the auditor did the work and came to an appropriate opinion.

I ask questions and listen to the answers.

If I have junior staff performing tests of controls, I may review their working papers and use that review as a training exercise. But I limit my review to what adds value.

When I have experienced staff, I rarely check their documentation. Where’s the value? If I can’t trust them, they shouldn’t be on my team.

My challenge to every CAE is to eliminate all muda – even if that means nonconformance with IIA Standards!

Would we pass an operational efficiency review?

I welcome your comments.

====================================================================

[1] Standard 1.1: Considerations for Implementation and Evidence of Conformance

[2] A training organization run by Leita Hart-Fanta, CPA, CGFM, CGAP

  1. Anonymous
    October 31, 2023 at 1:11 AM

    fvds

  2. Anonymous
    October 31, 2023 at 1:11 AM

    Great content

  3. Anonymous
    October 31, 2023 at 9:35 AM

    Great point. When I became an audit manager I inherited a huge roomful of file cabinets containing past years’ audit files. I added a table and chairs to the room and used it as a conference room. No one ever disturbed a meeting to look at old files. I eventually had them destroyed along with everything stored off site. In particular, I insisted that all audit programs and checklists be destroyed immediately. Only reports were kept after audits were completed. The belief that audit files are a legitimate audit work product is sadly mistaken.

  4. Anonymous
    October 31, 2023 at 2:28 PM

    what about peer review?

    • Norman Marks
      October 31, 2023 at 2:41 PM

      Where is the value in a peer review? If it is by somebody you respect for their internal audit thinking, and is operational in nature, then there can be value. If it’s about conformance with IIA Standards?????????

      • Anonymous
        November 1, 2023 at 4:08 AM

        Seems like you have some sort of ax to grind with the IIA. My understanding is that compliance with their standards is voluntary, so if you don’t agree then don’t follow their standards. Oh but wait…that would mean that you couldn’t state that you performed your audits in compliance with generally accepted auditing standards 🙄 So those who would like to rely upon your work (and understand what that phrase means) could or would probably not do so. I know many Audit departments who choose not to comply with IIA standards, particularly in the area of independence, so non-compliance is not abnormal. However, those doing so understand that they cannot hold themselves out as being compliant with the standards of professional practice. The IIA is the regulator of our profession. We don’t have to agree with what they require; we simply have to comply if we VOLUNTARILY want to be part of the “gold standard” for the profession. If you don’t like the rules then work within the framework provided to invoke the change you desire to see.

        • Norman Marks
          November 1, 2023 at 7:12 AM

          I have been active with and within the IIA for more than 30 years. I continue to press the IIA’s Standards Board here and in direct communications to upgrade their Standards.

          I just completed my renewal of my IIA certification. It requires that I attest to completing 2 hours of ethics training, and that any work I have done was in conformance with the Standards.

          I just hope that leadership of the IIA pays attention and that they don’t publish updated Standards (GIAS) that lead us backwards rather than forwards.

  5. Anonymous
    October 31, 2023 at 9:16 PM

    Really need to understand

  6. Anonymous
    October 31, 2023 at 10:39 PM

    Perfectly articulated in the process of ensuring control mechanisms creating more NVA is not so good. Value stream mapping and identify NVA and improvement of process with sufficient automation is the key to success http://www.nnco.info

  7. Anonymous
    October 31, 2023 at 11:24 PM

    Draft report v1 V2 V3 v4 etc… Probably the greatest non value add, non lean activity that IA teams frequently do. Communicate results effectively and quickly…. (IIA – clear, concise, constructive, complete, timely, accurate, tailored to recipient, objectively)

    • Anonymous
      November 1, 2023 at 6:09 PM

      I wish everyone pulse understand that in this field, what a waste of time.

  8. Anonymous
    November 1, 2023 at 3:43 AM

    I have 3 words for you: external Auditor reliance. Perhaps you are aware that one of the many ways Internal Audit adds value is when the external Auditor is able to rely on our work, thus making their work more efficient and of less cost to the organization. They cannot place reliance on work if we have not followed the standards of professional practice, especially relative to workpapers. I understand your viewpoint but it seems a little short-sighted. It’s kinda like saying a surgeon shouldn’t count sponges as he knows how many he should have. Some things that seem to “waste” time to some are a matter of performing as a professional to others.

    • Norman Marks
      November 1, 2023 at 7:00 AM

      Thanks for reminding me that the EA may rely on some of our work. However, those audits are a small percentage (usually) of our work.

  9. Anonymous
    November 1, 2023 at 7:40 AM

    Agree with most of your points.
    However, I feel that even though your experienced team is capable enough to work without documentation, having all your processes documented will help largely in case of automation/digitisation.

    • Norman Marks
      November 1, 2023 at 7:53 AM

      Surely management does the automation/digitization of any existing process – and they should have the process documentation.

  10. Anonymous
    November 2, 2023 at 2:08 AM

    An internal auditor, at least a professional one, must follow all SA. One SA literally has documentation in the name…………

    • Norman Marks
      November 2, 2023 at 5:56 AM

      I don’t understand. What is SA?

  11. Anonymous
    November 6, 2023 at 2:25 AM

    Ethical Awareness: Ethics is a crucial aspect of any profession, including internal auditing. Continuous education on ethics helps auditors stay updated on ethical standards and best practices, ensuring they make ethical decisions in their work.

    Continuing professional education on ethics for internal auditors is essential to maintain professional standards, mitigate risks, and uphold the credibility of the auditing profession, rather than being a waste of time.

  12. Anonymous
    November 14, 2023 at 12:01 AM

    Thought provoking as always Norman. First, apologies for the anonymous comment, not my style, but as I have a vested interest in the Stds, I think only appropriate not to ID myself.

    I fully agree with your first 2 points regarding IIA’s draft Global Internal Auditing Standards (GIAS) 1.3 and 2.1 and the requirement for 2 hours CPD on Ethics.

    But I also respectfully challenge a few statements and I’ll explain why, from my perspective:

    1. “If I can’t trust them, they shouldn’t be on my team.” – I have always told management, and I am sure many other professionals have, that trust is not a control. Why should we be different and not apply quality control because we trust people?

    2. “… if the work is not documented, it is not done. Nonsense!” – do we as independent assessors of the effectiveness of controls not ask for and require documented proof or even visually observed evidence from management to confirm that controls are working? Surely we don’t just trust management to tell us a control is working? In fact, don’t we often ourselves tell management, if it’s not documented it’s not done?

    I don’t disagree with the sentiment that we need to be lean, but perhaps the middle ground lies in having a clear supervisory review policy (there, I said the word 😉) that defines a (lean) process of what our minimum evidence / documentation standards are, aligned to the size, complexity and staff profile of the organisation. Not all workpapers need review and sign off, but certain key evidence needs thorough documentation and review, e.g. the RCM, or conclusions substantiating the audit opinion.

    I’ll DM you in case you want to continue the dialogue off line – like you, I am concerned with several elements of the GIAS and actually have the best interest of the profession, and in fact the IIA at heart.

    • Norman Marks
      November 14, 2023 at 5:21 AM

      Good challenge, Anonymous!

      Let me challenge you back!

      Do you believe that ethics training improves the likelihood of ethical behavior? I have led or supervised multiple investigations where fraud was committed by people who have not only received training, signed the Ethics policy, but also passed every test for multiple years.

      However, I do believe that training that includes open discussions of real ethical challenges can be useful.

      I recommend books by Professor Barbara Ley Toffler, including “Managers Talk Ethics” (https://www.thriftbooks.com/w/managers-talk-ethics-making-tough-choices-in-a-competitive-business-world_barbara-ley-toffler/2424532/#edition=2200851&idiq=23760572).

      But this is training that helps auditors understand the ethical challenges of all managers in the organization! It is not limited to their own ethical behavior.

      Do I need formal documentation to know something is done by the “auditee”? No. Even the PCAOB recognizes that we just need evidence, and our common sense, to know it is done. If I ask the right questions of management, I can gain reasonable assurance something was done. When I ask the auditor what they have done and what they found, I can tell whether they did the work.

      COSO ICF recognizes that not every policy or procedure needs to be formally documented!

      My challenge is to challenge every hour spent on every audit, and especially on administration of the department.

      If there is a good reason to do it, and it adds value to our customer, then do it.

      But think about it first. Is there a good reason, other than “we have always done it that way” or “the Standards require it”?

  13. March 13, 2024 at 4:32 AM

    Thank you for shedding light on this crucial aspect of internal audit. Your insights into the time-consuming nature of policies, documentation, and administrative tasks resonate deeply with many professionals in the field. It’s refreshing to see someone address these challenges and advocate for a more streamlined and efficient approach. Looking forward to reading more of your thought-provoking content!
