Unfortunately, that’s true... even in the 21st century, audits and auditors could be ‘productive’ enough to be called a pain in the a**.
And it’s not only because that’s a perception that precedes us; it’s also because it’s a reputation that follows us when we work our a** off to earn it! Agreed, that’s not all of us, but sadly most amongst our fraternity. And that’s when we are simply called or known as the “auditor”; you might prefix a slang term to it if you prefer, like clients of such auditors do!
The internal audit profession is rife with so-called ‘professionals’ who do not embrace change in anything and everything they do. In reverse order, these things are:
- In their own performance evaluation.
- In their reporting.
- In their engagement review and extraction of findings.
- In their engagement conduct.
- In their engagement planning / approach.
- In their audit planning.
- In their determination of risk and audit universe.
- In their overall thought process about the internal audit function.
So, who are these auditors who help us earn such an undesirable yet, as we will see later in this blog post, fathomable reputation? I’ll use their characteristic approach to distinguish them from the professional internal auditors, who are in a minority!
Let’s use the list above.
| Activity | A Typical Auditor’s Approach |
| --- | --- |
| Performance Evaluation | No Key Performance Indicators. No objective evaluation mechanism. No understanding of why an objective mechanism is needed. Instead, just negotiating with management / board for good appraisals. |
| Reporting | No engagement nature specific reporting format. No information on implications, probable causation (where relevant) and report ratings. Spiced up reporting. Standard one size fits all reporting! |
| Engagement Review & Draft of Findings | No review of engagement work program requirements compliance. No review of engagement objectives fulfillment. Not allowing divergent / deviating findings. No cost benefit analysis of findings. Extracting insignificant findings. Extracting typical recurrent findings. Always extracting non-compliances even in differing nature of engagements. Always extracting clerical findings relating to missing marks on documents such as sign offs, dates, etc. |
| Engagement Conduct | Not conducting the engagement with an open mind. No agility in approach towards new data and information-based revelations during the engagement. No flexibility to adjust the work program requirements. Not aligning the ongoing conduct to engagement objectives. Not open to evolving objectives. No consideration of potential red flags. Utilizing pre-engagement bias. Fixated to a defined work program script or an undocumented approach that doesn’t align even with minimum desired objectives. Standard assurance-based conduct even in advisory engagements. Largely using inquiries as core audit procedure. Going for easy, obvious and known anomalies. |
| Engagement Planning | Not defining and agreeing the minimum engagement objectives. Not documenting the minimal set of procedures required to fulfill objectives. Not identifying the required information and data sources and how these would be modelled and analyzed in various forms. Not specifying what would qualify as fulfillment of objectives and what would qualify as a finding both significant and insignificant. No transactional walkthroughs to document latest understanding of the state of processes. Executing the engagement on verbal instructions and understanding obtained. Planning with the objective of identifying issues (tunnel vision). Planning to incorporate allegations. Copying planning / approach from older or dissimilar engagements. Adopting the previous risk assessment and process flow understanding. |
| Audit Planning | No risk assessment of areas identified for auditing. No different methodology mapped audit engagements. No revised risk assessments. No Board approved risk-based internal audit plan. Brought forward audit planning on a Year-on-Year basis. Planning without consulting management and Board. Planning without identifying and reviewing changes in the business operating environment. |
| Determination of Risk & Audit Universe | Not Knowing Your Client. No documented Risk Universe. No Internal Audit Charter / No Board approved Internal Audit Charter. No documented Audit Universe / non-aligned audit universe. Generalized understanding or Larger Industry / sector-based understanding instead of entity specific understanding. Copying other advisors / consultants risk determinations. |
Certainly, the list of typical approaches is not exhaustive, and certainly the converse of everything written above is true of a professional internal auditor’s (atypical auditor’s) approach.
In sum, these reflect the overall thought process of a typical auditor, not a professional internal auditor, incompetence being the typical auditor’s core distinctive trait!
Let’s have a look at examples of the typical auditor’s conduct that I had to experience myself as a user of services offered by entities experiencing pain in the a** audits:
- Insisting on having a document stamped when we know we could have a stamp made representing anything or anyone.
- Insisting on having a document fingerprinted when we know that the fingerprint won’t be read / matched!
- Insisting on filling redundant forms to fulfill documentation requirements.
- Insisting on procuring multiple redundant records to fill check-in-the-box requirements.
Experiencing stuff like this, it’s hard to comprehend: if the world of risk is ever changing, shifting and, more appropriately, morphing, how can the auditor’s response to it, in terms of identification, assessment, evaluation and mitigation, remain static?
We need to contemplate if we as auditors want to be triggers for improvement and evolution or simply a pain that could only be hurtful, because eventually amputation is the answer when painkillers have run their course!
I recently came across a job description in an advertisement for an internal auditor. For the first time, I noticed something entirely surreal in it amongst all the typical copy-and-paste, responsibilities-based descriptions, as JDs usually carry DOs and not DON’Ts.
This one required the applying candidate to not believe in hearsay while discharging the duties of an internal auditor. It means two things: one, that this is how auditors are perceived in general, and two, that someone called it out so that a capable and professional resource could be hired!
Time for serious introspection, my fellow brethren!