Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

The Olden Days Aren't That Old​

Comments Views

Let me tell you a story.

Back when I first started out, in a time when there were no computers and mechanical pencils were the instrument of choice and Audisaurus Rex roamed the land and internal auditors had to construct their own workpapers out of wood pulp and the tears of recently audited cavepeople, we did a lot of audit work involving bank accounts. (It seemed to be a preoccupation for internal auditors back then.)

Every time one of those audits came up on our schedule, we greeted it with great joy. Of course, as an auditor, it is always fun to tick and tie and reconcile and search for adjusting entries and make sure everything is hunky-dory. But the really exciting thing was to review the bank resolutions to ensure they included the updated list of those with authority to sign on the account.

Why, you might ask, would normally sane internal auditors be so excited with something as mundane and basically inconsequential as updated resolutions?

Because we knew that leadership was constantly changing, and the one thing that always fell through the cracks was updating those authorizations.


No discussion of what the consequences were. No discussion of how the process might be changed to help eliminate this rather minor problem. Nothing but the finding of a consistent error, the reporting of that error to the powers that be, and the chortle of auditors who had done their job by finding something wrong and reporting same.

I often talk about how lucky I was to work with Farmers Insurance audit when I first started out in the profession — how we were a forward-looking department that was doing operational audits before such a term was being bandied about, one that partnered with the business, one that was respected, and one that, while not always greeted with open arms, at the very least was welcomed with an extended laurel and a hearty handshake.

Well, that memory about the resolutions recently surfaced (no idea why; just the firing of a couple of synapses that I had left for dead), and it reminded me that, while our department did a lot of really good things early on, we still suffered from the same diseases many other audit departments experienced.

Well, that was a long time ago, and we got better. But that doesn’t mean everyone in the department always caught on. Here’s another story for you.

Sometime in the 1990s or 2000s (that long ago, does it really matter which?) we had an auditor who liked to do audits of our claims offices. Good thing because, every year, we audited 100 percent of our 120 offices. After a while, we found the unfortunate reason why he liked the work. He would ask employees for their passwords. After the employee would explain that the password could not be shared (good for them), the auditor would follow with “It’s okay, you can tell me; I’m the auditor.” Then, as soon as the person would reveal the password, the auditor would write them up for inappropriately sharing their password.

As I say, we got better. And our department got better. And I like to think the profession got better. But as I visit audit shops, I’ve learned one thing. They’re still out there.

There are still auditors, and audit departments, and audit leaders who salivate at the opportunity to find something wrong, even something as trivial as updated authorizations on the bank account resolution.

Oh, don’t worry, I know it’s not you. I know you would never do that. And I know you would never trick someone into revealing their password. And I know you would never focus on financial audits because that’s what you’re being told to do. And I know you would never issue a report without having an agreed-upon corrective action. And I know you would never turn down the chance to perform a consulting engagement because you think it would impair your objectivity and independence. And I know you would never do anything that would hinder your ability to provide true value to the operation.

Wait a minute. I’m wrong? Are you trying to say that you have done a few … maybe, quite a few of those things?

And are you saying it is unfair of me to make a logical leap from a department that focuses on resolutions or plays “gotcha” with passwords to one that focuses on financial audits or issues reports with recommendations rather than agreed-upon corrective action or avoids consulting? Do you feel I’m dealing in hyperbole when I say such actions keep you from adding true value?

Sorry, I beg to differ. No doubt, picky findings that focus on what was done wrong rather than solutions does nothing to show internal audit is valuable. And tricking people into making mistakes sets the profession back decades. But, focusing on financial at the expense of operational issues, not getting agreed-upon corrective action and calling the job done, and not being an advisor and consultant, as well as a whole litany of other not-so-best practices, negatively impacts the brand of your internal audit department.

Back when we did those account audits, we thought we were doing the right thing. We didn’t have a grasp of what the power of internal audit really could be. And any time you limit the success of your operation — any time you do not do the fullest work that provides the greatest value — you are unfairly restricting yourself from achieving the real power of the department.

Take a look at the work you are doing. Better yet, take a look at what you are not doing. And look at the excuses you have come up with to keep from doing that work.

Then think about it again. Imagine what you might be able to do if you quit making those excuses and tried for something more. Then, go do it … and, in the process, provide more value than any of your customers thought possible.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • Your-Voices-Recruitment-January-2022-Blog-1
  • Fraud-Virtual-Conference-January-2022-Blog-2
  • IT-General-Controls-Certificate-January-2022-Blog-3