“It's the little details that are vital. Little things make big things happen.” —John Wooden
The Idea: A lot has been said about details. “The devil’s in the details.” “Don’t sweat the small stuff.” “Retail is detail.” “Measure three times before you cut once.” Details are sometimes relegated to the domain of small minds and non-strategic thinkers. Not for me. Details are the currency of internal auditors who seek to be valued business partners. Trusted. Credible.
The Execution: Flying at 30,000 feet is great for airplanes, but it doesn’t do a lot to enhance the reputation of internal auditors. We need to understand how things work as well as or better than our auditees in order to gain their trust and provide the insights we want to be known for.
Don’t just prepare a process narrative; develop a flow chart — to at least a midlevel — “so that you can easily see the flow of information and materials, branches in the process, opportunities for infinite loops, the number of process steps, inter-departmental operations, and more,” as described in this article by Nicholas Hebb.
There is so much information available to internal auditors, whether from peer networking, online research, old-fashioned books and reference manuals, or conversations with subject-matter experts — use these to create your risk assessments and work programs. Case in point: My company is upgrading its enterprise resource planning system. I sit on the steering committee to advise and evaluate on project and program risks. I’ve never been part of an Oracle R12 technical upgrade, so I went online to enhance my understanding of what this actually entails. I found the Oracle R12 implementation guide — quite a hefty tome when printed out — and read it. Wrote notes in the margin for follow-up. Highlighted key steps to validate data post-upgrade. The questions I was able to ask the program manager about our implementation plan knocked his socks off. He was a bit amazed I’d gone to those lengths and depths to really get into the … you know. Boom!: credibility.
I like to share audit risk assessments and testing approaches with auditees to:
- Verify we correctly understand their process.
- Get their sign-off that we’ve identified the control activities they will be evaluated against.
Generic audit programs and risk assessments are an invitation to death by a thousand questions. If you’ve done the hard work up front to get into the details, to really know how things work, and document meaningful [SPECIFIC] risks and controls, data interfaces, and configurations, it is very difficult for your work to be second-guessed. And that feels pretty great. You’re on the road to credibility.