Recently, there was an interesting discussion that came up
on The IIA’s official LinkedIn group. The question was asked:
An organization has no regulations,
policies, and procedures in place. What can internal audit use as criteria to
conduct the audit? Do you rely on the system description that management will
be providing, being cognizant of the fact that the description provided by
management may not be adhered to?
As generally happens in these discussions, the internal
audit audience provided some good, well-thought-out answers including
discussions about documenting existing processes, determining the controls that
would be needed, and identifying potential risks. Good answers from a group
that knows their profession.
However, in all those responses, I was struck by the one
thing that wasn’t talked about — the client. Not once did anyone bring up the idea
that, whether or not those criteria — those policies and procedures — were in
writing, they should be agreed upon with the client before the audit even got
started. Actually, in asking the question the person came close to the solution.
“Do you rely on the system description that management will be providing?” But the
conversation veered away from that hint at correctness.
It’s a trap any of us with more than a little workpaper dust
under our fingernails has fallen into — assuming we know what the acceptable
criteria are. Here’s an example.
An auditor completes his testwork. He determines that there
is a 20 percent error rate. He knows that this is not a good thing. He double-checks
his calculations and reviews the specifics with the client. Everyone agrees
that the 20 percent error rate is correct.
Time to discuss the issues. However, the client brings the
proceedings to a grinding halt. “There’s no problem here.” Nonplussed, the
auditor counters, “We found a 20 percent error rate.” The client shrugs his shoulders
and says “So what? I’m happy when we get below a 30 percent error rate.” And the
auditor is suddenly confronted by the realization that his assumptions may be wrong.
And that, ultimately, he failed because he hadn’t talked with the client.
(As an aside, sometimes it can be the other extreme. We
performed an audit and found a 95 percent compliance rate. We said everything was
fine. In fact, achieving 95 percent represented a significant improvement for the
group and was actually almost unattainable. An impressive feat. We had been
ready to issue a clean report. Instead, we were forced to report an issue
because executive management had decided that effectiveness was only achieved when
there was 100 percent compliance.)
So, the first action when coming across an organization or
department that “has no policies and procedures in place” is to find out what the
client believes those policies and procedures should be. With an agreement on
what should be going on, internal audit now has something to use in measuring
hopes against reality.
Mind you, almost every internal auditor reading this is also
saying to themselves “Let me tell you what. I’m definitely gonna write ‘em up
for not having any procedures.”
Hold on there, Knievel. Before you jump to that conclusion,
it may not be the problem you think it is. Allow me to quote from COSO’s Internal
Control–Integrated Framework — the section on “Deploys [control activities] Through
Policies and Procedures.”
Policies and procedures are often
communicated orally. Unwritten policies can be effective where the policy is a
long-standing and well-understood practice, and in smaller organizations where
communications channels involve limited management layers and close interaction
with and supervision of personnel.
The upshot: The lack of written policies and procedures, in
and of itself, may not be a problem. Once again, the answer lies with the client.
Do those in charge know what policies and procedures should be followed? Do
those who have to follow the policies and procedures understand them? And do those
individuals actually follow them?
Yes, written policies and procedures are a good thing and
always worth bringing up. But their absence is not necessarily a reportable
issue. Doesn’t matter if there are policies, doesn’t matter if there are
procedures, doesn’t matter if everyone just does what they want to do. For
internal audit to go in and do an evaluation, there must be agreement with the
client on what those criteria are.
Again, (and again and again and again and again)
it all comes down to communicating and gaining agreement with the client. We cannot
assume anything (in this case, assuming we know what the criteria are that we
will be using in our audit). Maybe it shouldn’t be surprising, but, even when
discussing the most basic of audit concepts (in this case, the 5 C's of any
issue), the need to understand, work with, and develop relationships with
clients is fundamental to success.