Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

No Written Procedures! What Will You Do?


Recently, there was an interesting discussion that came up on The IIA’s official LinkedIn group. The question was asked:

An organization has no regulations, policies, and procedures in place. What can internal audit use as criteria to conduct the audit? Do you rely on the system description that management will be providing, being cognizant of the fact that the description provided by management may not be adhered to?

As generally happens in these discussions, the internal audit audience provided some good, well-thought-out answers including discussions about documenting existing processes, determining the controls that would be needed, and identifying potential risks. Good answers from a group that knows their profession.

However, in all those responses, I was struck by the one thing that wasn’t talked about — the client. Not once did anyone bring up the idea that, whether or not those criteria — those policies and procedures — were in writing, they should be agreed upon with the client before the audit even got started. Actually, in asking the question the person came close to the solution. “Do you rely on the system description that management will be providing?” But the conversation veered away from that hint at correctness.

It’s a trap any of us with more than a little workpaper dust under our fingernails has fallen into — assuming we know what the acceptable criteria are. Here’s an example.

An auditor completes his testwork. He determines that there is a 20 percent error rate. He knows that this is not a good thing. He double-checks his calculations and reviews the specifics with the client. Everyone agrees that the 20 percent error rate is correct.

Time to discuss the issues. However, the client brings the proceedings to a grinding halt. “There’s no problem here.” Nonplussed, the auditor counters, “We found a 20 percent error rate.” The client shrugs his shoulders and says “So what? I’m happy when we get below a 30 percent error rate.” And the auditor is suddenly confronted by the realization that his assumptions may be wrong. And that, ultimately, he failed because he hadn’t talked with the client.

(As an aside, sometimes it can be the other extreme. We performed an audit and found a 95 percent compliance rate. We said everything was fine. In fact, achieving 95 percent represented a significant improvement for the group and was actually almost unattainable. An impressive feat. We had been ready to issue a clean report. Instead, we were forced to report an issue because executive management had decided that effectiveness was only achieved when there was 100 percent compliance.)

So, the first action when coming across an organization or department that “has no policies and procedures in place” is to find out what the client believes those policies and procedures should be. With an agreement on what should be going on, internal audit now has something to use in measuring hopes against reality.

Mind you, almost every internal auditor reading this is also saying to themselves “Let me tell you what. I’m definitely gonna write ‘em up for not having any procedures.”

Hold on there, Knievel. Before you jump to that conclusion, it may not be the problem you think it is. Allow me to quote from COSO’s Internal Control–Integrated Framework — the section on “Deploys [control activities] Through Policies and Procedures.”

Policies and procedures are often communicated orally. Unwritten policies can be effective where the policy is a long-standing and well-understood practice, and in smaller organizations where communications channels involve limited management layers and close interaction with and supervision of personnel.

The upshot: The lack of written policies and procedures, in and of itself, may not be a problem. Once again, the answer lies with the client. Do those in charge know what policies and procedures should be followed? Do those who have to follow the policies and procedures understand them? And do those individuals actually follow them?

Yes, written policies and procedures are a good thing and always worth bringing up. But their absence is not, necessarily, a reportable issue. Doesn’t matter if there are policies, doesn’t matter if there are procedures, doesn’t matter if everyone just does what they want to do. For internal audit to go in and do an evaluation, there must be agreement with the client on what those criteria are.

Again (and again and again and again and again), it all comes down to communicating and gaining agreement with the client. We cannot assume anything (in this case, assuming we know what the criteria are that we will be using in our audit). Maybe it shouldn’t be surprising, but, even when discussing the most basic of audit concepts (in this case, the 5 C's of any issue), the need to understand, work with, and develop relationships with clients is fundamental to success.
