
The audit findings fallacy

I am taking the title of today’s blog post from a comment by Richard Berry on a LinkedIn post by my friend, Richard Chambers. The post is about Richard’s latest video, Episode 3: Are follow-up audits a waste of time?

I believe Richard is asking the wrong question. He should be asking whether there is reasonable assurance that internal audit is getting any recommendations and action items right. Are they the right thing to do for the business, and has management not only agreed (which may be token) but actually embraced the change as being in their best interests?

I realize there is a need to be reassured that all our work has resulted in the change we believe in. But is the answer in a follow-up audit, or in listening to management and working with them instead of preaching to them?

As you would expect, Richard makes several excellent points in the video. In particular, he tells us that the draft update of the Standards provides alternatives to the traditional mandated follow-up: essentially a second audit of the same area that focuses on whether the recommendations (that were agreed to by management) have been completed by the scheduled date. It focuses on outcomes, completion of the action, rather than process.

When I first became a Chief Audit Executive, so many years ago, I would have a separate engagement that followed up on all the open management action items. I didn’t perform a second audit, and unless I had reason not to, I accepted management’s word that the actions had been taken.

I believed then and believe now that was a better approach than a repeat audit to confirm action items, and it would comply with the updated Standards. (See Standard 15.2 in the draft update.)

But I stopped soon afterwards.

When I presented my audit plan for the next year to the audit committee, they asked why I was doing it! I said it was common practice and encouraged by the IIA Standards.

They put me straight!

Taking action is management’s job – and they should take ownership of getting it done.

They told me to stop and work with management so they can track the status of necessary actions.

They were right!

We have better things to do.

This is how I responded on Richard’s LI post, with added wording:

I think the draft Standards get this wrong.

  1. If the auditor has been working well with management, listening collaboratively and actively, instead of preaching (telling rather than talking), then management should embrace the change as in their best interests. Sadly that is often not the case.

A world-class auditor listens to management.

Instead of telling them what the finding and risk is, work with them to agree on the facts, the implications for the business, and what (if anything) should be done.

Far too few auditors listen. Perhaps they are so proud of their work, findings, and recommendations, that they are not open to hearing that they are wrong. Perhaps they aren’t mature enough to understand that sometimes the risk needs to be taken (accepted, if you prefer).

The world-class auditor is able to not only agree with management on what should be done, but also get to where management sees it as in their best interests to embrace the need for change.

When management owns and believes in the change, it will happen.

  2. Management should have a follow-up process, since these are risks that matter to them. This was brought home to me by audit committee members.

When there is a risk office, these risks and corrective actions can be included in their assessment, etc.

If they are IT-related, a task should be entered into their change management system.

If management owns and wants to make the change, they will make it happen. Let them follow up.

Why not include in the audit report the agreement that not only will management take the agreed action, but will also follow up and report on status?

  3. Follow up only where the risk justifies the time. Resources are limited.

There is so much to audit we can’t afford to waste a minute of our valuable time.

Only follow up in any form where the risk to enterprise objectives is high.

  4. Track the level of failure. Every time an agreed action is not taken (forget recommendations), that is a failure of internal audit! Management may still be doing what is right for the business.

If things are so bad that management is not implementing many of the agreed action items, that may or may not indicate a lack of attention to internal control. It may reflect a lack of auditing skills: identifying a true business risk and working with management to effect the necessary change.

If 90% of action items in a report are completed on time, that is a 10% failure rate! Unacceptable!

Audit to find the root cause rather than following up on the symptoms.

  5. Focus on outcomes: appropriate controls to run the business.

The outcome we should be concerned about is whether the system of internal control provides reasonable assurance that risks (including opportunities) to enterprise objectives are at desired levels.

Focus 125% of our time on the more significant sources of risks to enterprise objectives. If one of those sources of risk is management’s lack of attention to internal controls, there is a serious problem that needs to be discussed with the board.

But is that really the case?

I don’t believe the Standards should mandate (or even recommend) follow-up audits. You don’t have to “monitor management’s progress toward the completion of action plans” (Principle 15) to have an effective and efficient internal audit department.

What do you think and why is it the best use of our limited time?

Have you answered my poll about the Standards? Please do so as the results will be shared with IIA leadership.

  1. May 1, 2023 at 3:28 AM

    I think a ‘follow-up’ audit is essential for three reasons:
    * It ensures that management have taken the action that they agreed with IA. This is not necessarily certain. If management have allowed serious control weaknesses in their systems, they may not be competent to ensure action is taken to remove them.
    * Failure to implement the agreed action may infer lack of auditing skills (points 1 and 4 above).
    * It shows that IA are interested in the outcome of their audit work (as opposed to e-mailing a report and disappearing over the horizon).

    The work carried out in the follow-up audit will depend on the issues found and the CAE’s opinion of management’s competence. It will vary from a phone call, through receiving update reports from management (point 2) to carrying out verification checks, so it needn’t take much time (point 3).

    • Norman Marks
      May 1, 2023 at 5:49 AM

      David, let’s agree to disagree.

      Having said that, should it be a “must” in the Standards, required for quality IA?

      • May 1, 2023 at 6:03 AM

        I wouldn’t say it is a “must”. As many have commented, there are too many “musts” in the Standards. The CAE is paid to make decisions about the operation of the IA department and should only need to be guided by principles.

        • Norman Marks
          May 1, 2023 at 6:11 AM

          Agree.

          Follow-up on the issues that matter, if that is the best use of your time.
