For several hundred years, auditors have been reviewing business functions. As processes evolved, the Industrial Revolution eventually led to widespread use of the basic audit activities we perform today, and the ubiquitous tick mark has been around ever since. In fact, one might argue that the tick mark is the most common symbol of our profession. But the time has come to let it go. In today's world, where internal audit is often tasked with oversight of an organization's entire risk management process, if you or your directors are concerned about tick marks, you're spending far too much time mired in meaningless details. In fact, if you're allocating more than 1 percent of your time to making tick marks or reviewing others' tick marks, you're doing it wrong.
At first blush this might sound like a severe statement. But considering the breadth of risks that influence the bottom line, it's safe to say that the minute issues explained by tick marks are certainly not keeping the CEO, chief financial officer, or audit committee up at night. For the profession to move forward and for internal audit to play a truly valuable role across the enterprise, practitioners need to remove the blinders and shift attention away from futile tactics.
According to the definition of internal auditing, we are charged with the responsibility to "add value and improve an organization's operations" and "improve the effectiveness of risk management, control, and governance processes." Nowhere in that definition does it say, "Internal auditing helps an organization foot, sum, agree, tie, and recalculate its financial information to confirm the accuracy of the financial statements." By that standard, the vast majority of tick marking we are doing — and thus by extension, the manual review of detailed, line-item information — is an enormous waste of time.
Why not instead take the lead in designing new operational capabilities, then relentlessly focus on areas of material risk to achieving strategic organizational objectives? With that mind-set, internal auditors would be able to deliver valuable results worthy of executive management's attention that, in turn, could help transform the perception and careers of practitioners. Moreover, the means of obtaining information to deliver value-added recommendations cannot reside in the realm of outdated processes. In every case I have encountered where a detailed analysis including tick marks is deemed necessary, there is a far faster, more robust way to answer the underlying risk or control question by using more sophisticated testing methods.
Tick marks stand out as a hallmark of our profession — one that beautifully illustrates how we are exceptionally equipped to operate in a world that no longer exists. We have historically been perceived as behind-the-scenes and under-the-radar. To deliver transformational value, we must step away from the endless array of detailed audit documentation that is built on a foundation of obsolete practices.