Last month, I had the opportunity to speak to the El Paso chapter. During one of the breaks, a couple of auditors from the El Paso Independent School District told me they had a new slogan for their internal audit department.
“We know CPR!”
I gave them a quizzical look because they seemed to think I should know what they were talking about. After a few seconds (minutes/hours/days) of embarrassed pausing, they said, “We were listening to what you said.”
I hate when people do that … listen to me.
But that was the hint I needed to realize what they were talking about.
In my presentations, I will often drift from the main point. (I know readers of these blog posts will be surprised that such drifts might occur. What? I’m shocked — shocked — to find that gambling is going on in Casablanca.) (See what I mean?) During the El Paso presentation that was ostensibly about report writing, I had drifted into one of my favorite topics — the areas in which internal auditors are (should be) experts.
It all started because we were discussing how internal audit can build relationships with clients no matter how hostile those clients may be at the outset of the audit. I asked how many had ever heard a client say, “You’ve never worked in [insert department name here]. You can’t understand our operations. How can you be any help?”
If it wasn’t a 100 percent, unanimous response from the crowd, it was darned close. (And, I’m willing to bet that almost every one of you reading that question responded with a knowing chuckle, a slow head shake, or a quiet cry.)
We talked about how best to respond to such attacks. And then we got to the crux of this particular biscuit. Internal auditors never know as much about the area under review as those being reviewed. So what expertise do we bring to the project that those working within the department do not have?
I’ll let you muse on that for a second while I grab some Reese’s we have left over from Halloween. (Actually, we pull them all out before we start giving the candy away. So, every one of the Reese’s we buy winds up being “left over.”)
Okay, time’s up. Here is my opinion.
The first area of expertise for internal auditors should be easy to figure out. We are experts in controls. The focus of much of our training and the emphasis for most of our work relates to ensuring the appropriate establishment of controls. We may not understand the details of how a department does its job, but we do understand how controls work, how they should be implemented, and how they fit into existing processes. Let’s drive the value home just a little bit more; we understand how controls can be established to effectively and efficiently reduce risks related to the achievement of objectives.
The second area of expertise should be just as obvious (there was even a hint in the previous paragraph), but I find a lot of auditors don’t think about it immediately. We are experts in risk. If we are to understand how controls should be established over risks, then we also have to understand risks — how they are defined, how they impact objectives, and how they can be best mitigated. When responding to the hostile client, we have to explain to them our role is to work with them, combining our knowledge of risk with their knowledge of the organization, toward identification of the most significant risks to their objectives.
The final expertise does not always spring as Athena-like from the minds of most auditors. We are experts in processes. While we do not know every process that exists, we understand how processes work, how to make them better, how to identify control weaknesses within the processes, and how to ensure processes effectively and efficiently work toward the achievement of objectives.
Here’s a great example of this process-expert thing. When I worked with Farmers Insurance, there was no one in internal audit who understood the actuarial function well enough to even think about completing an audit over the area. Anyone who knows insurance knows that actuarial is a fundamental key to the organization’s success, so it was an area that could not be ignored. Therefore, rather than us trying to learn the intricacies of that inordinately complicated subject, we counted on the external auditors to provide assurance regarding the actuaries in general and actuarial computations specifically.
However, one time we did perform an audit of the actuarial function — an audit of the processes within the department. We didn’t need to know the calculations under the numbers, we didn’t need to know the algorithms that drove the decisions, we didn’t even need to know how those decisions were ultimately made. All we had to know was how their process worked and then apply our knowledge of processes to the work they were doing.
It was an incredible success where, afterwards, the client spoke numerous times about the great job internal audit did in helping them become more efficient and effective. And for identifying ways to strengthen controls.
So, what does this have to do with CPR? (Maybe you’ve figured it out already.)
What the auditors from the El Paso Independent School District recognized was that they were, indeed, experts in controls, processes, and risks. And they had decided it was time that their clients understood that, in any situation, the internal auditors were using CPR to help make things better.
Every auditor should be an expert in CPR. Every auditor should understand the concepts behind controls, processes, and risks; embrace them; and then sell them. Because the sooner our clients understand that we are not trying to be experts in their field, the quicker we can move forward to providing the CPR that will help keep them alive.