Over the years, one of the practices I have followed in writing my blog is to open the year by sharing five New Year's resolutions that every internal auditor should make. As I noted last year, these are not the typical resolutions about losing weight or exercising more — although some of us could certainly benefit from such resolutions as well.
Instead, the resolutions that I propose are designed to enhance the quality of our performance as internal audit professionals. They are simple resolutions that are powerful enough to enhance our value, but so painless that keeping our resolutions changes from a mere possibility to a probability.
1. Plan More and Audit Less
One of the Achilles' heels for internal audit departments is the amount of time it takes to complete the average internal audit engagement. The problem typically stems from deploying endless audit steps and an undisciplined report writing process. The impact of these poor habits can be mitigated significantly by better planning at the outset of the engagement. Too often, we are in such a hurry to begin the audit that we rush to develop an audit plan/program so that we can get started. But conducting an audit from an inadequate plan is like taking a road trip with an unfinished map. Without a solid plan, you are bound to take wrong turns and circuitous routes throughout the engagement. I've found that the keys to effective planning are to: (1) identify the key operating objectives; (2) identify the key risks that will inhibit achievement of these objectives; (3) assess the risks; (4) determine the audit objectives based on the risk assessment; and (5) document the audit steps necessary to test control effectiveness related to each objective.
2. Communicate for Impact
Recipients of internal audit reports are often exasperated by the length of the reports, the amount of needless information that's included, and the difficulty of navigation. As auditors, we have trouble being succinct. We like to tell people "how to build a watch" when maybe all they really want is to know the time. We also tend to shy away from using graphics, but often a picture truly is worth 1,000 words. Essentially, we have to do a better job of cutting to the chase — communicating succinctly and in an impactful way that will compel the reader to take action.
3. Empathize More and Gloat Less
Too often we tend to take pride in the fact that we found problems or deficiencies in an area we audited. But if we put ourselves in the shoes of the people we're auditing, we might see things a little differently. In fact, we might realize that they want the same things we do: to do an effective job, to deliver quality, to be service oriented, and to pursue excellence. There just might be extenuating circumstances that impair their ability to do so. One of the things that I think internal auditors always could do better is to demonstrate empathy when we're doing the audit work. Certainly, that doesn't mean that we don't communicate the issues that we discover, but there's no point in diminishing the value of other professionals to try and make ourselves look better.
4. Embrace Technology
We have to recognize that our resources are limited, and they're not likely to grow significantly in the coming years. Yet, our stakeholders' expectations continue to grow. One of the ways that we can become more productive and add greater value to our organizations is by leveraging technology — using data mining and analytics tools and techniques and taking advantage of audit management system software to help with documentation of our work and the planning and communications of the results of that work. These tools can be tremendous "capacity multipliers" for internal auditors.
5. Enhance Industry/Business Knowledge
As I've observed before, our stakeholders often are concerned that we don't understand the business well enough to be conducting audits of operations, business risks, and strategic risks. One way that we can become more effective in auditing those areas and enhance their confidence in us is by acquiring and demonstrating an in-depth knowledge of the business and the industry. We have to become students of our own organizations. We need to become more proficient in identifying key risks and threats that face our industries. We can do this by joining industry associations, partaking in industry trade publications, doing Web-based research, and seeking out other resources to enhance our knowledge. We also need to have a better understanding of the issues that face our business. Every internal auditor should analyze any information they can obtain on the organizations they work for, including information released to regulators and investors (such as 10-K filings in the United States) and other publically available information as well as resources available to management within the company/organization itself.
These are only a few of many New Year's resolutions that might be appropriate for internal audit. In keeping with The IIA's motto, Progress Through Sharing, please share any additional resolutions that you believe internal auditors should make as the New Year gets underway.