A few years ago, I provided training for a large internal audit department. How large? The only individuals involved in the training were the supervisors and managers, and there were about 30 people. Yeah, a big department.
The week-long training did not go exactly as expected. There was a plan, there was a schedule, and there was content, all intended to fill the allotted time with knowledge, learning, and the earning of CPEs. And we accomplished those objectives.
However, at least twice the conversations evolved into broader topics. Such diversions occur. And they are actually an indication that things are going well — that people are thinking about what they are hearing and working toward broader applications.
In this case, though, these particular diversions revolved around problems being experienced within the department. In one instance, an entire afternoon was spent in discussing, complaining, and the airing of grievances. There was an underlying dissatisfaction that, for some reason, training brought to the surface.
Afterwards, the person in charge of the training said she felt those discussions had been as valuable as anything we had accomplished. She wondered if I would be willing to talk to internal audit leadership about the things I had seen and heard. I agreed and wrote some notes.
Time has passed. Much time has passed. Did I hear from the executives? Did you hear from the executives? Did anyone hear from the executives? No subsequent call; no subsequent email; no subsequent conversation. I have no idea what happened. But here I sit with my notes and no executives with which to speak.
I do not like to let things go to waste. So, I feel it is a good time to share. Because, as I review this list, I have a feeling there are lessons here that every one of us can take back to our departments. Maybe it was worse in this audit shop; maybe it isn't. All I know is that the issues I saw are issues I have seen elsewhere. (There is nothing new under the sun … or in the audit department.)
Following are my "Notes for a Meeting that will Never Happen."
Why So Many Rewrites?
From the auditors' perspectives, report rewrites are haphazard and capricious. Changes often are made with no explanation and can actually result in rewrites that match what was provided prior to subsequent changes. The consensus is that most rewrites are based on the style of the individual reviewer and there has been no direction on what reports should look like.
Audit leadership needs to articulate a consistent style and approach to be used in all audit reports. All reviews should be based on this style and be consistent among reviewers. It should also be noted that many reviewers are doing the actual rewrites. This should be discontinued; no one learns from someone else rewriting the report.
Finally, there should be an overall edict that no change can be requested unless the reviewer can explain why the change is needed. And "I don't like it" is not a reason.
Set in Stone
There is no flexibility allowed in plans, schedules, and the content of individual audits. The auditors feel they are not allowed the freedom to accomplish their audit work in the most effective and efficient manner. Once an audit is scheduled, it will be completed no matter what additional circumstances arise. And once work on the audit has begun, there can be no alterations to the initial purpose and objective, nor can there be any deviance from the assigned hours. If something significant is found and more time is needed, that time will not be allotted. If the initial work on the audit reveals the work can be completed more quickly than originally planned, the auditors are instructed to do additional work to fill the time.
Leadership must realize that nothing will go as planned, whether planning occurred over a year ago when the schedule was first developed or as recently as the beginning of the audit. Changes should not only be allowed, but encouraged.
New Procedures Take Time
The department has done an excellent job of developing and documenting policies and procedures that help ensure evidence of a professional internal audit department. However, in some instances the amount of documentation may be overkill. In addition, the new procedures are adding extra time to the audits — time for which allowances have not been made. Combined with the previous issue regarding flexibility, this is negatively impacting the effectiveness of audit work. Further, the reasons for some of these changes have not been explained to the staff. This has resulted in them filling out forms without understanding the underlying reasons for their existence.
There needs to be a reevaluation of these new procedures to determine what is really needed and how they are meant to support the work of the department. In addition, additional training should be provided that focuses on why certain documentation is required, not just how to do it.
The Regulators Are Not in Charge
The regulators are not the final say in how internal audit should complete its work. In discussions about why certain tasks were being completed during audits, auditors often said that the regulators had required it. There are instances where specific steps must be taken in support of regulation-related work. However, discussions revealed instances where this did not appear to be the situation — where "the regulators told us to do this" felt like a fallback answer. Why are regulators so involved in internal audit's work and why are they telling them what to do?
Internal auditors need to quit reacting like audit clients who respond, "I'm doing this because the auditors told me I have to." There should be reviews into any process or steps completed because "the regulators told us we have to do it." Of a greater concern is how often this reason was provided. Leadership should take a closer look at the relationship between internal audit and the regulators, reinforcing the department's independence in these situations.
Don't Be the Second Line
Internal audit is far too involved in doing work that should be completed by members of the second line of defense — in particular, compliance, finance, and risk. It appears that, in the past, internal audit picked up much of this work because those departments lacked the resources and knowledge to complete their tasks. Internal audit became the stopgap to ensure all necessary coverage was accomplished. However, this continues to happen, and internal audit has become the de facto second line of defense, negatively impacting objectivity and independence. In addition, this has depleted internal audit's resources, resulting in a significant portion of internal audit's assurance work being contracted out to third-party consultants.
The duties of the second line of defense should be returned to those departments. If the knowledge and resources are still an issue, the third-party contractors currently being used by internal audit can be reallocated to the second-line departments. In addition. Internal audit can take a leading role in upskilling the departments, providing insights regarding their roles and how they can be best accomplished.
More Risks Than Resources
As noted, there is more work than the internal audit staff can handle, resulting in a significant expenditure on and use of external resources. A significant cause (as noted above) is internal audit doing work that should be completed by second-line departments. However, the overallocation of internal audit resources raises serious concerns about the department's ability to perform effective risk assessments, including the associated allocation of resources. It is not the role of internal audit to provide assurance on every risk; rather, it can only provide assurance on the highest risks as limited by its available resources.
Leadership needs to reevaluate its risk assessment and audit planning process. It also needs to provide the board and executives a more realistic picture of what internal audit can accomplish.
What Is Internal Audit's Role?
Finally, the audit staff cannot say what it is the department is meant to accomplish. Yes, they have a general idea based on the department's purpose and objectives. But when asked what it is they are meant to achieve, they cannot articulate it. This seems to be the impact of the problems identified above — the auditors are unclear how or what they are supposed to report; they are doing work that is not internal audit's responsibility; they are unclear how audits wind up on the schedule, how the hours are allocated, and what the reasoning is that allows for no change; and, while they can talk about risk and its impact on the organization, there is no clear link between those risks and the work internal audit is completing.
Leadership needs to determine what the department is trying to accomplish and then be able to articulate that purpose to the staff in a way that allows them to get the work done that needs to be done.
Well, there you have it. A reminder: These are notes with some extra words, not a full-fledged report. (And I should also note that, after rereading this, yeah, it is a little boring. Do we all write like this when we get all businessy? I think I'm seeing part of the profession's problem. Anyway …)
These notes have been developed from memories of what I experienced a number of years ago. There's a chance they do not reflect what was actually occurring. But, then again, they may be completely accurate. And, even worse, they may represent the truth of what is going on in your department. You have to ask yourself, what would someone see if they spent a week training your department? What discussions might occur, what arguments might happen, and what dissatisfactions might surface?
And what might you discover that was directly under your nose all along?