GUEST BLOG
Over my long career, I have often heard, in one form or another, the phrase: “You just can’t audit that!”
The first time I heard it came when I was an internal audit manager for a financial institution. The senior vice president for human resources said she was a big supporter of internal audit, but my team and I couldn’t audit her area. I asked why and she explained that since none of us in internal audit had any experience working in HR, we didn’t have the competence (my word) to perform an audit of HR.
I was able to get her to give us a chance. We might not have been experts in running HR, but we were experts in processes, risks, and controls. When I asked where she had a problem, she pointed me to one that had been troubling her for months. I had one of my team (who had recently completed a class in operational auditing) perform the audit. He soon identified the process problem to her great surprise. She was so impressed she wrote both of us a letter of commendation and took me to lunch, even letting me drive her Cadillac!
Years later, when I was leading the internal audit team at Tosco, one of the IT managers told me I couldn’t audit their very old financial system. “It’s just too complicated,” he said. I had fun with that, as I was able to read the COBOL code and identify a number of their coding errors. Internal auditors can easily be underestimated.
A more serious situation arose when Tosco started trading in derivatives to hedge its commodity purchases and sales, with an occasional speculative position taken under the close supervision of the CEO. This was a significant source of risk to the company, and I knew that none of the current staff had the necessary experience or training to audit the related processes. We could audit for compliance with policies and procedures, but we wouldn’t know whether they were the right ones for the business.
I hired an expert to lead the first audit with me as his assistant and pupil. He was a former manager of trading operations and now specialized in consulting and performing such audits or reviews. I added my audit expertise, and we got the job done. Our main issue was the need for upgraded policies and procedures, both to provide discipline over the trading and to ensure appropriate accounting. Over time, I got specialized training myself, weaned the consultant off the payroll, hired people with experience auditing trading operations, and built a strong competency within the team.
Bring in an Audit Ringer
I have taken this approach many times, hiring an individual with experience in the business operation to supplement the team. For example, I did it with audits of sales contract management, procurement, the tax department, and white hat hacking. One technique used by many chief audit executives, including me, is to borrow subject matter experts from the business (in a different area to ensure there are no conflicts) and use them as guest auditors, adding experience and insight to the audit team.
The most recent challenge came in the last week, when my good friend Alexei told me that internal auditors didn’t have the competency to perform an effective audit of risk management. I disagree, but the cynical Norman wants to ask him a question first: “Alex, how many organizations have effective risk management, what you would call RM2, where company leaders agree it is helping them make quality decisions and take the right level of the right risks for success?”
I think he will reply that it’s a small number.
What Are We Managing?
Most organizations are managing a list of risks instead of managing the business. They fail to recognize in their program that sometimes you need to take more risk to achieve success. Instead, they believe that every risk needs to be managed or mitigated.
So cynical Norman thinks that auditing risk management and reaching an opinion on its effectiveness at the great majority of organizations is very easy! It is quickly evident that risk management is a compliance activity at that organization; most if not all executives fail to see much value in it to them or the business.
The internal auditor should conclude that risk management is not effective in helping leaders run the business. The far more difficult question to answer is why. The internal auditor adds value when he or she can point to the changes necessary to bring it to an acceptable level of maturity.
In other words, it is insufficient to audit for compliance with risk management policies and procedures when those procedures are not helping the organization succeed in doing anything other than manage a list of risks.
I and many others hold the Certification in Risk Management Assurance (CRMA) issued by the Institute of Internal Auditors. Does that certification automatically mean that we have the experience and competence to audit risk management? No. (I have the ability based on my experience, not because I have a CRMA). I know of several auditors (whom I will not name) who hold the CRMA but have never audited risk management and I doubt they have a sufficient understanding of effective risk management to do it well.
But that doesn’t mean it can’t be done and done well. It just takes people who appreciate what effective risk management looks like, understand the business, and can use their common sense.
If the internal audit team doesn’t have individuals with the required experience and understanding, they can bring on a consultant to help them. For example, a company could hire Alexei or one of my other friends around the world! (Although I helped one audit team with high-level advice—including to use the maturity model in Risk Management for Success—I am trying to be retired so won’t take on any projects of length).
Hard but Not Impossible
There are other areas where an internal audit may be a challenge, even for the largest internal audit department.
Last week, for example, I met an old friend in San Francisco. She is a CAE for whom I have great respect. I mentioned that I thought auditing “talent management” (how you ensure you have the right employees to run the organization for success) is hard. She thought it was easy, as her company has many processes to address the risk and need. Her team can audit those processes.
I see it differently. When I lead my SOX Masters training, we talk about the fact that the attendees’ companies all have processes for hiring, training, performance reviews, and so on—yet none of them would want to rely on them to ensure that every control is performed by competent individuals. Rather than test controls in those processes, we rely on walkthroughs and tests of specific controls where we assess the experience and knowledge of the individuals performing the key controls.
The difficult question to answer in an audit is whether the processes implemented by the business provide reasonable assurance that its objectives will be achieved. While hiring programs may provide reasonable assurance that individuals with the potential to excel are hired, when they turn out to be less than stars it is difficult to change them out. It’s a sad reality.
Talent management is also inextricably linked to the ability of management to lead and inspire excellence. Can it be audited? I believe it can, but it’s not always that easy. You can audit for compliance with policies and procedures. But auditing for effectiveness requires more judgment and experience. You have to be able to assess whether those policies and procedures are the right ones, providing reasonable assurance that the related risks will be managed at an acceptable level. This is where specialized expertise and experience comes in handy.
A similar situation arises with cybersecurity. My friend and I disagree on this as well. She is correct that there are processes and policies that we can audit against. But how can you reach an opinion as to whether the right level of security is in place for the business and its risks—especially when threats and hacker techniques are changing all the time?
With the right people and the right approach, I think you can audit pretty much everything. I was able to audit creativity in the Marketing function at one company, believe it or not. 
What do you think? (Please provide your feedback in the Comment section below)
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
I couldn’t agree with you more Norman! A good Internal Auditor should be able to audit pretty much anything, albeit some more specialist areas may of course require relevant training/qualifications or more likely experience. I’ve always said that my job as an Internal Auditor isn’t necessarily to be the subject matter expert (although I may be by the end of an audit), but to be the expert in breaking things down and doing the research etc. to see and understand what’s working and what isn’t and what can be improved; to see the wood for the trees; to ask the daft and challenging questions; to be the conduit between departments to encourage the sharing of data, knowledge, and best practice, etc.; etc.
Great article! This happens all the time. In my experience, it has been other auditors that tell me we can’t audit something. Then I show them how we can.
Hi Norman, thank you for sharing these thoughts. I agree with the general theme of the article. Fortunately, I just re-entered an internal audit role for a Global bank, and I will keep this article’s pointers in mind.
Anyone who tells me this, tells me I must audit that area. When someone says it (e.g., fraud) can never happen there, it will happen there! Agree with you, co-sourcing and learning from the arrangement is a great way to build our own expertise. We can audit almost anything.