Imagine you have just completed an audit. The details are not important. All you need to know is that the department is composed of professionals — individuals whose jobs require them to be self-directed, critical thinkers who understand the business and communicate effectively.
You have identified two potential problems. First, every action taken by each professional in the department is subject to review by that individual’s superior. Subsequent to that review, the department conducts a second set of reviews to ensure the work is correct and that the first review was completed.
Second, considerable rework occurs before the department publishes any results. A disproportionate amount of time is scheduled on all projects simply for the publication process. Moreover, the rework results in significant delivery delays.
Anyone with a modicum of internal audit skills should see these processes are the result of an overemphasis on controls. The first question an auditor should ask is whether the cost of those controls matches the cost of the related risk. Next, why not streamline the process by removing some (if not all) of the reviews? And third, what is the root cause of the constant rewriting?
Have you guessed where I’m headed on this one? Procedurally, how much of the audit documentation you create has to undergo a first and second round of approvals? (Hint: The answer is probably all of it.) How many rewrites did your last audit report go through? (Hint: If you answered fewer than five, I’m not sure I believe you.)
It is internal audit’s job to evaluate the efficiency and effectiveness of processes, ensure risks are managed appropriately, and ultimately, help the organization achieve its objectives. We expend enormous foot-pounds of energy toward that end. And yet, how much effort do we put into self-analysis? How much time do we spend auditing ourselves?
Are you able to explain how the internal audit department’s objectives align with the organization’s objectives? Can you articulate the risks to the audit department’s achievement of its objectives? Can you identify the controls that ensure those risks are managed appropriately? And perhaps most importantly, when was the last time you took a good, hard look at your processes to see where gaps might exist or (much more likely) where those processes might be overcontrolled?
If internal audit wants to ensure true credibility with its stakeholders, we must look inward — we must evaluate our own policies and procedures. And in so doing, we will surely see that we are as guilty of reportable issues as anyone we audit. Quite simply, internal audit must cast the beam from its own eye before it can see clearly enough to cast out the mote from the client’s eye.