Let me tell you a story.
Back when I first started out, in a time when there were no computers
and mechanical pencils were the instrument of choice and Audisaurus Rex roamed
the land and internal auditors had to construct their own workpapers out of
wood pulp and the tears of recently audited cavepeople, we did a lot of audit
work involving bank accounts. (It seemed to be a preoccupation for internal auditors
Every time one of those audits came up on our schedule, we greeted
it with great joy. Of course, as an auditor, it is always fun to tick and tie
and reconcile and search for adjusting entries and make sure everything is
hunky-dory. But the really exciting thing was to review the bank resolutions to
ensure they included the updated list of those with authority to sign on the
Why, you might ask, would normally sane internal auditors be
so excited with something as mundane and basically inconsequential as updated
Because we knew that leadership was constantly changing, and
the one thing that always fell through the cracks was updating those authorizations.
No discussion of what the consequences were. No discussion
of how the process might be changed to help eliminate this rather minor problem.
Nothing but the finding of a consistent error, the reporting of that error to
the powers that be, and the chortle of auditors who had done their job by
finding something wrong and reporting same.
I often talk about how lucky I was to work with Farmers
Insurance audit when I first started out in the profession — how we were a
forward-looking department that was doing operational audits before such a term
was being bandied about, one that partnered with the business, one that was
respected, and one that, while not always greeted with open arms, at the very
least was welcomed with an extended laurel and a hearty handshake.
Well, that memory about the resolutions recently surfaced (no
idea why; just the firing of a couple of synapses that I had left for dead), and
it reminded me that, while our department did a lot of really good things early
on, we still suffered from the same diseases many other audit departments experienced.
Well, that was a long time ago, and we got better. But that
doesn’t mean everyone in the department always caught on. Here’s another story
Sometime in the 1990s or 2000s (that long ago, does it really
matter which?) we had an auditor who liked to do audits of our claims offices. Good
thing because, every year, we audited 100 percent of our 120 offices. After a while, we
found the unfortunate reason why he liked the work. He would ask employees for
their passwords. After the employee would explain that the password could not
be shared (good for them), the auditor would follow with “It’s okay, you can
tell me; I’m the auditor.” Then, as soon as the person would reveal the
password, the auditor would write them up for inappropriately sharing their
As I say, we got better. And our department got better. And I
like to think the profession got better. But as I visit audit shops, I’ve
learned one thing. They’re still out there.
There are still auditors, and audit departments, and audit
leaders who salivate at the opportunity to find something wrong, even something
as trivial as updated authorizations on the bank account resolution.
Oh, don’t worry, I know it’s not you. I know you would never
do that. And I know you would never trick someone into revealing their password.
And I know you would never focus on financial audits because that’s what you’re
being told to do. And I know you would never issue a report without having an
agreed-upon corrective action. And I know you would never turn down the chance
to perform a consulting engagement because you think it would impair your
objectivity and independence. And I know you would never do anything that would
hinder your ability to provide true value to the operation.
Wait a minute. I’m wrong? Are you trying to say that you
have done a few … maybe, quite a few of those things?
And are you saying it is unfair of me to make a logical leap
from a department that focuses on resolutions or plays “gotcha” with passwords to
one that focuses on financial audits or issues reports with recommendations
rather than agreed-upon corrective action or avoids consulting? Do you feel I’m
dealing in hyperbole when I say such actions keep you from adding true
Sorry, I beg to differ. No doubt, picky findings that focus
on what was done wrong rather than solutions does nothing to show internal audit
is valuable. And tricking people into making mistakes sets the profession back
decades. But, focusing on financial at the expense of operational issues, not getting
agreed-upon corrective action and calling the job done, and not being an
advisor and consultant, as well as a whole litany of other not-so-best
practices, negatively impacts the brand of your internal audit department.
Back when we did those account audits, we thought we were
doing the right thing. We didn’t have a grasp of what the power of internal
audit really could be. And any time you limit the success of your operation —
any time you do not do the fullest work that provides the greatest value — you are
unfairly restricting yourself from achieving the real power of the department.
Take a look at the work you are doing. Better yet, take a
look at what you are not doing. And look at the excuses you have come up with
to keep from doing that work.
Then think about it again. Imagine what you
might be able to do if you quit making those excuses and tried for something
more. Then, go do it … and, in the process, provide more value than any of your customers