Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

Don't Miss the Forest for the Trees

​Auditors who focus on findings misunderstand the purpose of their work.

Comments Views

​Findings, observations, opportunities for improvement — regardless of the term used, some auditors define themselves by how many they can produce on each audit. Even experienced auditors often are reluctant to issue audit reports without this information, with some going out of their way to find at least something to include, even if it's trivial.

But these practitioners are missing the forest for the trees. The errors or omissions identified during an audit should not be the focus of our work. Instead, auditors should fix their attention on what those errors say about the effectiveness of underlying controls and the strength of the overall control environment.

Internal auditors are responsible for assessing internal controls that contribute to the accomplishment of organizational objectives. According to The IIA's Definition of Internal Auditing, internal auditors do this by "bringing a systematic and disciplined approach to evaluate and improve the controls of the organization." Well-designed, operationally effective internal controls result in a higher likelihood that organizational objectives will be met.

Manual controls will always produce errors, regardless of how well they are designed, because of the human factor involved in their execution. Internal auditors should bear this in mind when encountering isolated or minor errors. Of course, higher-than-expected error rates could indicate that controls are not operating as effectively as intended — either because they are poorly designed, or the person performing them needs additional training. Manual control activities are performed by employees trained to carry out this function and therefore tend to be the source of many control failures. And because controls can be designed as preventive or detective, errors and omissions identified during an audit are those for which either there were no preventive controls in place or the preventive controls were ineffective. That should be the auditors' focus, not the errors themselves.

Internal auditors risk losing credibility with their primary stakeholders, and any hope of becoming their trusted advisor, when they consistently report on trivial issues that could be addressed outside of a formal audit report. If the impact of the audit observation does not pass the "so what?" test, it should not be included in the report. Ultimately, the audit committee wants to know that management is on track to meet its objectives — information on the effectiveness of the internal control system provides that assurance. If auditors are not speaking to the board and audit committee about the effectiveness of that system, they are not fulfilling their responsibility to their primary stakeholders.

The errors, omissions, or areas of noncompliance that auditors detect when reviewing transactions are not an end in themselves; they are the means to an end. When engagements are performed correctly, the end consists of providing information that both management and the board can use to increase their effectiveness and better position the organization for success.

Michael Lewis
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Michael LewisMichael LewisMichael Lewis, CIA, CISA, is a senior internal auditor at Cru in Orlando, Fla.


Comment on this article

comments powered by Disqus
  • IIA GRC_July 2020_Premium 1
  • AuditBoard_July 2020_Premium 2
  • IDEA_July 2020_Premium 3