I recently visited a couple of theme parks with some auditor friends. Even on vacation, our audit brains were on.
When the lines for early park hours were confusing and unevenly distributed, we identified opportunities for better communication and efficiency. When markers on the ground were difficult to see, we identified opportunities for floor lighting that would promote stronger compliance with social distancing rules. And while we genuinely enjoyed ourselves and had an amazing time, we identified 20 or more recommendations for improved efficiency or stronger controls during our three-day trip.
I find myself making mental audit recommendations nearly every day — when I'm grocery shopping, driving, or even eating at a restaurant. My husband has learned to ask me to turn my audit brain on when he needs me to perform a detailed review and to turn it off when I'm spending unnecessary energy identifying opportunities for people or businesses that have no idea that they're under "audit." When I hear complaints about a situation or notice apparent process breakdowns, my brain immediately starts churning and developing potential solutions.
Auditors have been trained throughout our careers to look for and identify gaps. I've always said that if you know a process is broken, unleash the auditors on it. And while our ability to easily identify gaps in risk mitigation as well as opportunities for improvement makes us great assets and change agents, we sometimes fail to identify the positives in our focused search for issues.
I'm currently mentoring a new auditor, who sometimes asks me to review her audit report drafts. While she has an impressive ability to identify deviances from standards, I noticed that her first audit reports often painted a bleaker picture than the actual situation.
In one report, she identified a significant deficiency requiring immediate remediation. When I walked through the finding with her, it became apparent she hadn't considered compensating controls. She had documented a control design failure that would enable misappropriation of cash. However, when we discussed the preventive and detective controls in place, we realized it would require a perfect storm of multiple unlikely events and collusion with a key employee for theft to occur. Moreover, the theft would be immaterial, and the perpetrators would need to have a helicopter waiting outside the building as detection would be immediate.
I've found throughout my career that auditors sometimes look specifically for the negative (issues) instead of looking objectively at the entire picture. One of auditors' greatest fears is missing a significant finding, so we apply laser focus to identifying issues and forget to identify positive changes or strong practices in place. When we do identify a deviance from policy, we may be tempted to immediately document it as an issue and move on. However, we earn greater credibility by taking the time to understand why the deviance exists and whether it results in an unacceptable level of residual risk.
In my audit group, we've seen fewer audit findings over the past few years as our clients have implemented recommendations, improved controls, strengthened first- and second-line functions, and considered risk on the front end of process changes. While it's been wonderful to see improvements in the control environment, at times we've been tempted to feel that our decline in audit findings represents a decline in our value. We've had to remind ourselves that providing assurance that positive changes have been implemented and are effective is equally important as calling out gaps in the process.
We've also shifted our reporting process to better represent the big picture. In past audit reports, we focused on the issues and their potential impact. It was assumed that anything not specifically called out as an issue was operating effectively.
However, we have realized that to better represent the full breadth of our audit observations, we need to provide more positive statements of assurance. As we adopt this total picture mindset, we're less likely to blow minor findings out of proportion, which destroys auditor credibility. We're also better equipped to portray audit observations in context as well as share identified best practices with other areas of our organization.
As auditors look forward, providing assurance on the positives rather than only pointing out gaps is critical. As we actively seek out and report on audit clients' strengths and not just their weaknesses, we will increase the value we provide and truly earn our role as trusted advisors.
Jami Shine, CIA, CRMA, CISA, CRISC, is the corporate and IT audit manager for QuikTrip Corp. in Tulsa, Okla.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.