Over time, internal auditors tend to hear about a lot of things that went wrong. Unfortunately, it's not just our clients who make mistakes — I have witnessed more than a few spectacular internal audit failures, and in too many cases the internal audits went wrong for reasons that easily could have been prevented during engagement planning. Some of the biggest blunders often seem to stem from the same few mistakes. In the hope that we can learn from each other's mistakes, I have listed below my take on the most common of these missteps.
- Not setting aside enough time to adequately plan the audit. It's all too easy to postpone audit planning when you're still focused on the previous audit. That's probably why this might be the most common audit mistake of all. What can go wrong if you delay planning until the last minute? I have heard tales of the location scheduled for the audit having been shut down two months earlier, auditors having to stay at a hotel two hours away because no vacancies were available locally, a new technology having been implemented that the team was unqualified to review — the list goes on and on, but you get the idea. If you want to sabotage your internal audit, simply do nothing until just before fieldwork is scheduled to begin. That way, when something goes wrong, you won't have the "safety net" of a few extra days in which to salvage the situation.
- Trying to audit too much (and scope creep). Setting the scope is one of the rare areas where the most diligent auditors tend to run into the most problems. When the initial scope is too ambitious or too open-ended, the risks go way up that the job will take too long or that the auditors will miss important issues that were included in the scope. It's difficult enough to stay on schedule and avoid "scope creep" later in an audit when the scope is well-defined to begin with. When the scope is open-ended, it can lead to crushing work schedules or to unrealistic stakeholder expectations. Either way, failing to limit the scope appropriately might mean that your audit will be viewed as less than successful.
- Not involving the client. Failure to involve your client early and often can be a real "audit killer." Just imagine holding a closing meeting a thousand miles from home during which management says, "You spent three weeks testing that? But nobody even uses that report any more, and that isn't a risk these days because. …"
- Failing to augment the audit team with "functional expertise." Especially if you are a very experienced and confident auditor, you may tend to overestimate your ability to "go it alone" without expert help; so this is an area that occasionally trips up the best auditors in the business. Involving a subject matter expert early in the audit planning process can help ensure you haven't overlooked something vital.
- Forgetting the audit should ultimately add value. We all know that internal auditing is not just about pointing out what's wrong — it's about helping management accomplish its objectives and, at times, helping management identify and take advantage of opportunities that otherwise might have been missed. We need to design audit activities with the potential to add true value — not to design activities primarily aimed at catching small mistakes. It can help to "risk assess" your audit tests: What's the best/worst that could happen if we perform this particular test? If the test can't lead to major findings or recommendations, maybe you are planning to test the wrong things.
- Forgetting to follow the risks. If your "planning" is normally to perform the same audits the same way each year, regardless of risks or changing circumstances, then the odds are good that your results won't be the same as they were last year; they will be worse. You may fail to identify new risks and opportunities — and at best, you will be less likely to add value than in the past. After all, you already gave management recommendations based on last year's tests, and the chances of a truly important new insight or recommendation are lower the second (or fourth) time around. One management official who was later convicted of fraud said, "Internal audit wasn't a problem. I always knew they wouldn't come back for a year, and I knew exactly what they would look at when they returned."
These are just a few of the mistakes that seem to keep undermining promising internal audits. Your list might be different. What are some of the biggest mistakes you have seen that derailed an internal audit?