Norman Marks on Governance, Risk Management, and Internal Audit

One of the most powerful words for an auditor is one of the shortest: “why”.

We should always ask an individual performing a control why they are doing it.

Even if we know why, if the individual doesn’t know why that can affect their ability to perform the control properly, on a consistent basis.

If their answer surprises us, it’s an explanation that is different from our understanding, it should be a learning opportunity – for us as well as them.

We should never accept an answer of “because they told me to do it this way,” or “because that’s the way we have always done it.”

Yet, when I ask internal auditors why they do things the way they do, I get those answers:

• Because that’s the way we have always tested a control.
• Because the IIA Standards tell us to.
• Because the regulators require it.
• Because the external auditors require it.
• Because the audit committee expects us to.
• Because my manager told me to do it.
• Because that’s the way it was done last year.
• Because it’s in the audit plan.
• Because it’s in the audit program.
• Because I heard it was required at an IIA conference.
• Because it’s accepted “best practice”.
• Because it’s in the budget.
• I don’t know.

None of these are good answers.

None of them will survive further investigation.

For example, the IIA Standards do not require a formal audit report. But why do we still do it? Where’s the value? Why do we still do it and spend a lot of time on it?

The audit committee may expect you to do things the way they were done before because they haven’t been shown a different, possibly better way. Show them, don’t assume anything.

Just because the directors sometimes ask for more detail doesn’t mean you have to include more detail (stuff they don’t need to know) in every audit report.

You may have been told the regulators or external auditors require something, but have you asked them and shown them an alternative?

The regulators may expect an audit report, but why do they need all the detail when they can see the workpapers? Ask them and show them a better way both for them and for you.

The external auditors may say they need something, but if they are not relying on it……

We should only do something if it adds value, and that value is to our customers in top management and on the board.

Our mission is to provide assurance, advice, and insight on the more significant sources of risk to the objectives of the organization.

Do what is necessary to achieve that mission, no more.

I have heard of companies that spend as much time writing, reviewing, editing, rewriting, etc. etc. an audit report as they do in the field.

Every hour saved is an hour that can be used to audit something.

The CAE and their team should ask:

• Why are we building an annual audit plan when we know it is 90% likely to change? Where is the value? If it’s in supporting the annual budget, what’s the least I can do? If it’s to meet the needs of the audit committee, explain alternatives like continuous or rolling plans. Why not adopt one of those techniques?
• Why are we spending so much time on workpapers? Where is the value? Do we need thorough and detailed supporting documentation for every engagement, especially when management agrees with our results? Is there really a regulatory or external audit requirement? What’s the least we can do?
• Why are we spending so much time on quality assurance? Is it really adding value? Is it changing the results of the engagement? Is it red tape that impairs staff morale?
• Why are we testing to many transactions? At what point do we, as professionals, have reasonable assurance that a control is or is not being performed consistently? We are not external auditors.
• Why are we auditing this? Is it truly a risk that matters? Is this a control that, it if it fails, would represent a serious risk to the business?
• Why are we not auditing that?

Why?

Why?

And Why not?

The more we ask, the better the answers and the more insight we should have on how we can deliver most value, the right value, at the lowest cost to our customers.

I am not saying that you shouldn’t write an audit report; I am saying that you should only when the person you expect to read it will believe that there is more value to their reading it than the time it takes (for them, and for you in writing it).

I am not saying that you shouldn’t prepare workpapers, but only do so to the extent that the value (honest value, where it saves time and money in the future) significantly exceeds the cost.

Why do anything if you cannot see and believe that the value to the organization and your customers exceeds the cost?

I welcome your thoughts.

By the way, I thank Jose Gabriel Calderon and his team for sharing a copy of Thing Again by Adam Grant. It’s a book about unlearning, something many practitioners need to do. I congratulate Jose for his willingness to listen to and try new and challenging ideas.

I also recommend that internal auditors study the Lean Methodology. Consider Lean Auditing: Driving Added Value and Efficiency in Internal Audit by James Paterson.