In my most recent blog post, I attempted to make the point that auditors often conduct tests when they don’t need to. In particular, I was discussing the situation where people have already admitted to not doing things correctly. Except in rare instances, I’m not sure any additional testing — specifically evaluating transactions, etc. — is warranted. They are doing it wrong, you have the issue, now get to work on solving the problem.

I got a very interesting response to this post. The individual asked, “If a person is proven to be diabetic, do you mean to say that there is no longer a need for a periodic blood test? This is required even if the diabetes is in control in order to ensure it is controlled and, if not, what intervention is required. Similarly, testing is required to ensure things are operating correctly or to prevent them from not operating correctly.”

I don’t think this response refutes the point I was trying to make. But within this response are some interesting ideas that speak to issues and realities internal auditors must face when determining how to perform their work.

Let me start by getting this one out of the way first. Of course you test. Diabetes is a serious illness and, once recognized, you have to ensure it is kept in check. To stop verifying the illness is under control is foolhardy, putting the patient at unnecessary risk.

And therein lie the interesting points.

First, as noted, it is a serious illness. Which means that improper control over the risks related to having diabetes has serious

And, so it is with any audit work we do. In deciding whether and how much to test, we have to take into account the risk associated with the process, function, or operation. If a failure would mean the end of the company, then constant testing — by internal audit or someone else in the organization — is definitely warranted.

But I would contend that internal auditors fall too easily into the trap of conducting series after series of tests — even when the risk isn’t there. It is always easy to conduct a couple more tests, it is something we are comfortable with, and we are not — let me emphasize that — not, not, not, not, not comfortable with the idea that something might slip through the

During a recent IIA members' webinar regarding COSO’s new ERM framework, one of the presenters made a very salient point: Auditors’ risk tolerances are often much less than management’s.

And that is not a good thing. What we might consider an extra layer of being careful is nothing more than a waste of valuable

We need to understand how much risk the organization is willing to accept, and then test to that risk tolerance. If we are testing further than that — if we are trying to provide more assurance than management needs — then we are wasting our, our stakeholders’, and everyone else’s time.

In addition, we have to constantly ask what we mean when we say test. No matter what audit we are conducting, we have to perform tests sufficient to achieve the objectives of the audit. That may mean interviews, that may mean reviewing procedures, or it may mean diving in with analytics and doing a 100 percent 10-year historical analysis of past transactions.

But, as I noted above, auditors’ risk tolerance is not very high. And that means we often do the 10-year analysis when all that is necessary are confirmative interviews.

And then there is one other thing. An assumption within the original response to my post was that diabetes had already been diagnosed and actions were being taken. “Do you mean to say there is no longer a need for periodic blood tests?” That, my friends, is follow-up. And nothing in anything I wrote was talking about follow-up work.

Follow-up work, just like any other part of audit work, should be determined based on the risk involved — including risk tolerance and risk appetite. This will drive the amount of testing required in conducting follow-up work. If the organization has diabetes, then a lot of work is needed; if it only has a cold, well, then, maybe not so much.

But here’s an interesting thing. How often do we actually talk about follow-up work? How often, as a profession, do we dive deeply into concepts around the time we spend, the issues we face, and the effect on our audit work of follow-up work? And how often is it discussed in your audit department?

I may be wrong, but I can’t remember reading or hearing much about it over lo these many years, other than it is something we should all do.

So, maybe that’s my big takeaway from this person’s comment about audit testing and diabetes. I still stand by the fact that internal auditors need to take a closer look at the work they do — balance time and value against the potential risks — to determine how much testing is too much. But I now wonder if we are spending enough time discussing how, after we do all that testing, we make sure things are getting better.

Maybe it’s time to spend a little more time talking about