For the last two days, we’ve been reviewing an issue of The Internal Auditor from August 1987 with the intent of determining how much things have changed in internal auditing over the last 25 years, as well as how much they’ve stayed the same. In the first two posts we discussed the advertising, a recurring column, and one of the articles. The discussions wound up primarily focusing on the impact of computers on the business and internal audit. So, it’s time to move on to other things by looking at three more articles.
First is one titled “Practical Audit-risk Analysis.” Face it: this is a title that any of us could imagine seeing in today’s magazine, and one we would look forward to reading. The struggle of determining the risk areas that deserve coverage within individual audits is always a challenge. In fact, today I was talking to someone who facilitates seminars for the IIA, and she mentioned how often, when people want training on risk assessment, what they really mean is assessment at the individual engagement level. Most audit shops have built their own systems, but everyone is always on the lookout for a better way to slice this particular loaf of bread.
The next article is titled “A Commonsense Approach to Operational Auditing.” I have to admit I was really surprised to see this article. I didn’t think there was that much discussion about operational auditing going on in the 80s. But the profession had changed, and operational auditing was becoming an important part of the way internal auditors approached their mandate to provide assurance. The article serves as a very good introduction to operational auditing, as well as sharing one approach to its implementation. The one drawback I see is that the author’s outline of the process starts with “Determination of the Audit Objectives.” Yes, this is an important part of any audit. However, more important in operational auditing is determining the objectives of the process or operation under review.
Another thing worth mentioning about this article: It reinforces my point that, even though a lot has changed, the basic approaches, skill sets, etc. of internal audit are still very much the same. Here are the steps outlined in the article: Gain a working knowledge of the area, Develop an audit plan and schedule, Document the understanding of the operation, Test to obtain evidence controls are operating as planned, Identify missing controls, Evaluate the controls, Report the results. It is what we did then. It is what we do now.
The final article is titled “Rebuilding the Universe.” I can’t say that it was this specific article, but somewhere around this time, I read an article about audit universes. Our company was just breaking free from the chains of completing cycles of audits. I brought the article to the attention of my staff, and we discussed how it might impact what we did. Within a couple of weeks, we received instructions from Home Office on how we would be developing an audit universe. The next time I met the VP, I thanked him for helping me look like I knew what I was doing.
This particular article spells out how, after the breakup of the Bell Systems, the audit department for Northwest Bell was forced to re-evaluate the way they did their work and approached audits. This meant (as the article title indicates) rebuilding the audit universe. In their case, they found that a focus on internal business cycles provided them the best overview. Once again, we see an audit shop struggling with the same issues we face today: How do we come to grips with constantly changing environments in such a way that our audit plan has a meaningful impact?
There is one more article I want to address. But, I’m going to save that for tomorrow’s installment.