The Biggest Risks in an Internal Audit May Be the Issues You Miss Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. For many years, I taught accounting courses during the evenings at a local university.

  

I would often tell my students, “The only stupid question is the one that is never asked — unless the question is, 'Would you postpone the next exam?'” My years as a college instructor coincided with the early years of my internal audit career (which was essentially my day job at the time). Over time, I came to appreciate that in internal auditing, as elsewhere in life, there really are very few stupid questions. The most successful internal auditors are not necessarily the smartest or the most experienced auditors; they are often the most inquisitive.

    

Of course, it also helps to be prepared and to have intelligence, analytical ability, and a host of other attributes that can contribute to overall “audit ability.” But far too often when we miss a finding, it’s simply because we didn’t ask questions when we should have. And I have come to believe that the biggest risk in an internal audit is not citing a finding that doesn't exist — it's overlooking a finding that does exist. If you doubt that the biggest internal audit risk is missing a major issue, consider the following.

   

If you cite an issue/problem in your draft report that does not exist, management often will object vehemently and provide ample evidence that your conclusions are erroneous (that is why I often cite management review of a draft report as one of the strongest quality control steps in the audit). However, if you fail to cite an issue/problem that really does exist, how often does management speak up and say “excuse me, but you missed a major deficiency in my area”? Let’s just say that in more than 30 years, I have never seen it happen. Asking questions is not an absolute guarantee of internal audit success, but it’s almost impossible to have an effective audit without asking questions. We also need to be able to analyze a situation and to advise our internal audit clients appropriately.

  

However, regardless of whether you are assessing risks, planning an internal audit, or performing fieldwork, the process starts with asking well-informed questions. My colleague, Jodi Swauger, describes this as the “Five A’s Formula for Success”: Audit Ability = Asking + Analyzing + Advising. In that order. Is informed questioning really that important? Absolutely! Asking the right questions can be the difference between creating a powerful finding in a few minutes and spending days on fieldwork that only results in finding a problem everyone else already knew about or, worse yet, in missing an issue completely.

   

Recently I talked with an auditor who had spent the previous week combing through contract provisions and painstakingly gathering supporting documents for what he thought would be an important finding. If only he had asked a few more questions at the beginning of the week, he would have been told that because of a series of change orders, many of the provisions in the original contract were no longer valid. The auditor had spent the entire week verifying contract provisions that were no longer in force. In general, the audit was still a success because at the end of the week (and well before the closing meeting), he asked his client to explain what seemed to be numerous discrepancies. But no one will ever know what else might have been accomplished during that lost week if his time had been spent more productively. During World War II it was common to hear the slogan, “Loose lips sink ships.”

   

The same concept sometimes applies to internal auditing: We often are privy to confidential information that should not be shared freely. But when it comes to asking questions, our problem is far more often a matter of “closed lips miss ships!” So next time you are performing an audit and a question comes to mind, remember: When in doubt, just ask. You’ll probably be glad you did.

Posted on Oct 23, 2012 by Richard Chambers

Votes: 0
E-mail me when people leave their comments –

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead