Internal audit

Avoid the Seven Deadly Sins of Internal Audit

Internal auditors should embrace the concept of ‘value and fit.’

July 12, 2012

What makes an internal auditor effective? Some say it’s about technical skills such as accounting, industry knowledge, or regulatory awareness.

Others say it’s about “soft skills” or people skills: how you manage employees, your professional image, or the strength of your relationship with your boss.

Both of these skills are critical, but they alone do not determine the effectiveness of an internal auditor. The key differentiator is the concept of “value and fit”—the value of internal audit and how this fits in with the organization.

Often, the concept of “value and fit” is threatened by a familiar group of factors or “sins” that, sadly, are replicated among many internal audit functions. During our discussion of these factors, we will also lay out some concrete strategies to overcome them.

Following are the seven deadly sins of internal audit.

1. Ineffective planning

In the hierarchy of internal audit activities, risk assessment and planning are right at the top. If we fail at these activities, everything else that follows is meaningless.

It doesn’t matter if we have the best audit staff, the most advanced technology, or the most impressive audit reports. If we don’t choose the right areas to audit based on risk, we certainly won’t be successful at what we do—auditing the wrong area in the right way doesn’t help our cause.

A good internal audit plan:

  • Is risk-based;
  • Relies on multiple sources of input; and
  • Uses technology to support the audit process.

The most important of these elements is the risk-based aspect. An effective risk-based assessment tells us what area of the organization to audit so our audits are targeted, specific, and efficient.

2. Being self-centered

Internal auditors sometimes believe their function is the most important one in the company. And why not, for surely marketing, operations, and finance feel the same way about their functions!

Unfortunately, studies show that such chauvinism is sadly misplaced. According to a Forbes Insights Global Survey, only 44% of executives and audit committees believe internal audit helps their organization achieve its business objectives.

Even fewer—37%—say they involve internal audit in key business decisions and strategy.

If we, as internal auditors, want a seat at the table, we need to understand that what we do (ensuring good processes and controls) may help the company achieve its objectives—but it isn’t the company’s end goal. Too often, internal auditors engage in “perfect world” or best practice discussions that lead nowhere.

We must also understand that management is truly interested in governance, risks, and controls, but not in theoretical discussions. Members of senior management and the board have told us time and again they want a professional opinion, as well as practical advice that can be implemented in the here and now.

For us to fill that need, we need to:

  • Understand the organization’s objectives, as well as macroeconomic and industry risks;
  • Make sure that our solutions support the organization’s objectives; and
  • Ensure that the benefits of our solution outweigh the costs.

We also need to work closely with other internal auditors in the company, as well as stakeholders such as the risk and compliance management department, to ensure that internal audits provide optimal value.

3. Losing the truth

We, as internal auditors, deal with many complex issues. What seems like a significant issue at the beginning of an audit could turn out to be trivial at the end, and vice versa.

The road from discovery to conclusion is long and winding. Facts are revealed slowly and in pieces.

Many internal auditors get into trouble by refusing to budge from the conclusions they make early on in the auditing process. They don’t want to be seen as people who continuously change their mind.

But we lose credibility if we hold onto outdated positions that are no longer supported by facts and circumstances. We can, and should, change our minds when new facts are brought to light.

The ability to adapt to changing circumstances is the hallmark of a seasoned business executive. Inability to change, on the other hand, oddly is the main point of many internal audit findings.

NEXT: Ineffective communication

4. Ineffective communication

Internal auditors love details. We tend to believe that the more information we convey, the better the chances are of it being understood completely.

Unfortunately, the board and management team simply don’t have the capacity or time to understand all of the details. They’re looking for expert advice, not reams of data.

Effective communication is all about identifying common themes and issues across audits, consolidating them, and then presenting them in a concise and specific format.

Here are a few guidelines:

  • Get to the point or the “newspaper headline.” For example, there was a fraud in Branch A.
  • Develop a thesis for why this condition exists. For example, the fraud was due to collusion among treasury employees in Branch A.
  • Back up your thesis with selected data. For example, the fraud stemmed from three transactions of $500 each, occurring in January, October, and December of this year.

5. Failing political science

Politics is a process by which groups of people make decisions. So how does that apply to auditors?

Well, anyone who deals with “improvement” must understand the decision-making process. We need to make sure the decisions that are made will stick. And we need to know where to go for solutions to be implemented quickly.

Essentially, understanding the politics in our organization will allow us to formulate workable solutions that will get implemented. The key to understanding organizational politics is to ask the following questions:

  • Where are decisions made?
  • Who makes the decisions?
  • How are the decisions made?
  • Who ignores the decisions (and gets away with it)?
  • Who overturns decisions?

6. Inability to negotiate

As internal auditors, we think of ourselves as the governance, risk, and control experts. We certainly are, but negotiation is a big part of our job. We deal with solutions to problems, and every problem has more than one solution.

Therefore, we need to take into account the opinions of people who are most familiar with problems: Management.

Simply stated, negotiation is a difficult skill to acquire. It really can’t be taught—it must come from experience.

Knowing when to stand by your decisions and when to compromise requires a vast database of prior experiences. Just like a stalk of wheat, if you’re too stiff, you’ll break, but if you’re too soft, you’ll get trampled on.

The trick is to bend with the wind, but still snap back and gain your rigidity when you have to.

Here are a few tips on effective negotiation:

  • Focus on the end goal, not how to get there;
  • Understand the other side’s position;
  • Make the other side work—demand suggestions that help solve the problem; and
  • Don’t compromise on the wrong issue, especially when it relates to morality, fraud or ethics.

7. Destroying credibility

The internal audit profession is built on the concept of an independent assessment. If assessments have no credibility, they lose their value. And if they lose their value, then the value of internal audit to the organization is also lost.

Building credibility is an ongoing process that requires:

  • Making judgments and voicing opinions based on actual audit testing and documentation;
  • Failing to be swayed by, or act upon, rumors or “inside” information;
  • Not discussing audit results except with those who need to know;
  • Presenting issues only that you have personally reviewed; and
  • Forming an opinion only on data which has been verified.

Let's return to our original concept of “value and fit.” If internal auditors want to understand this function’s value how it fits in with the organization, we require, first and foremost, a solid base of technical skills and regulatory knowledge.

Second, we need the ability to translate this knowledge into effective and pragmatic solutions that people will buy into. And third, we need to demonstrate credibility and integrity.

Apart from shifting our mindset and acquiring the right skills to implement the “value and fit” concept and avoid the seven sins, we can also use some help on the technology front to better provide value to the organization.

Boards and management want an internal audit function that can help the organization attain its objectives. This can be achieved with the right combination of skills and technology.

By developing more structured audits, communicating more effectively with stakeholders across the enterprise, and providing practical and beneficial solutions to business issues, we, as internal auditors, can avoid common pitfalls, and attain our full potential.

Michael Bechara is managing director of Granite Consulting Group Inc., and former chief audit executive of EDO Corp.; and Gaurav Kapoor is chief operating officer for MetricStream.