Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

To Test or Not to Test


In my most recent blog post, I attempted to make the point that auditors often conduct tests when they don’t need to. In particular, I was discussing the situation where people have already admitted to not doing things correctly. Except in rare instances, I’m not sure any additional testing — specifically evaluating transactions, etc. — is warranted. They are doing it wrong, you have the issue, now get to work on solving the problem.

I got a very interesting response to this post. The individual asked, “If a person is proven to be diabetic, do you mean to say that there is no longer a need for a periodic blood test? This is required even if the diabetes is in control in order to ensure it is controlled and, if not, what intervention is required. Similarly, testing is required to ensure things are operating correctly or to prevent them from not operating correctly.”

I don’t think this response refutes the point I was trying to make. But within this response are some interesting ideas that speak to issues and realities internal auditors must face when determining how to perform their work.

Let me start by getting this one out of the way first. Of course you test. Diabetes is a serious illness and, once recognized, you have to ensure it is kept in check. To stop verifying the illness is under control is foolhardy, putting the patient at unnecessary risk.

And therein lie the interesting points.

First, as noted, it is a serious illness. Which means that improper control over the risks related to having diabetes has serious consequences.

And, so it is with any audit work we do. In deciding whether and how much to test, we have to take into account the risk associated with the process, function, or operation. If a failure would mean the end of the company, then constant testing — by internal audit or someone else in the organization — is definitely warranted.

But I would contend that internal auditors fall too easily into the trap of conducting series after series of tests — even when the risk isn’t there. It is always easy to conduct a couple more tests, it is something we are comfortable with, and we are not — let me emphasize that — not, not, not, not, not comfortable with the idea that something might slip through the cracks.

During a recent IIA members' webinar regarding COSO’s new ERM framework, one of the presenters made a very salient point: Auditors’ risk tolerances are often much less than management’s.

And that is not a good thing. What we might consider an extra layer of being careful is nothing more than a waste of valuable resources.

We need to understand how much risk the organization is willing to accept, and then test to that risk tolerance. If we are testing further than that — if we are trying to provide more assurance than management needs — then we are wasting our, our stakeholders’, and everyone else’s time.

In addition, we have to constantly ask what we mean when we say test. No matter what audit we are conducting, we have to perform tests sufficient to achieve the objectives of the audit. That may mean interviews, that may mean reviewing procedures, or it may mean diving in with analytics and doing a 100 percent 10-year historical analysis of past transactions.

But, as I noted above, auditors’ risk tolerance is not very high. And that means we often do the 10-year analysis when all that is necessary are confirmative interviews.

And then there is one other thing. An assumption within the original response to my post was that diabetes had already been diagnosed and actions were being taken. “Do you mean to say there is no longer a need for periodic blood tests?” That, my friends, is follow-up. And nothing in anything I wrote was talking about follow-up work.

Follow-up work, just like any other part of audit work, should be determined based on the risk involved — including risk tolerance and risk appetite. This will drive the amount of testing required in conducting follow-up work. If the organization has diabetes, then a lot of work is needed; if it only has a cold, well, then, maybe not so much.

But here’s an interesting thing. How often do we actually talk about follow-up work? How often, as a profession, do we dive deeply into concepts around the time we spend, the issues we face, and the effect on our audit work of follow-up work? And how often is it discussed in your audit department?

I may be wrong, but I can’t remember reading or hearing much about it over lo these many years, other than it is something we should all do.

So, maybe that’s my big takeaway from this person’s comment about audit testing and diabetes. I still stand by the fact that internal auditors need to take a closer look at the work they do — balance time and value against the potential risks — to determine how much testing is too much. But I now wonder if we are spending enough time discussing how, after we do all that testing, we make sure things are getting better.

Maybe it’s time to spend a little more time talking about follow-ups.
