The Key to Credibility Is Specificity


“It's the little details that are vital. Little things make big things happen.” —John Wooden


The Idea: A lot has been said about details. “The devil’s in the details.” “Don’t sweat the small stuff.” “Retail is detail.” “Measure three times before you cut once.” Details are sometimes relegated to the domain of small minds and non-strategic thinkers. Not for me. Details are the currency of internal auditors who seek to be valued business partners. Trusted. Credible.

The Execution: Flying at 30,000 feet is great for airplanes, but it doesn’t do a lot to enhance the reputation of internal auditors. We need to understand how things work as well as or better than our auditees in order to gain their trust and provide the insights we want to be known for.

Don’t just prepare a process narrative; develop a flow chart — to at least a midlevel — “so that you can easily see the flow of information and materials, branches in the process, opportunities for infinite loops, the number of process steps, inter-departmental operations, and more,” as described in this article by Nicholas Hebb.

There is so much information available to internal auditors, whether from peer networking, online research, old-fashioned books and reference manuals, or conversations with subject-matter experts — use these to create your risk assessments and work programs. Case in point: My company is upgrading its enterprise resource planning system. I sit on the steering committee to advise and evaluate on project and program risks. I’ve never been part of an Oracle R12 technical upgrade, so I went online to enhance my understanding of what this actually entails. I found the Oracle R12 implementation guide — quite a hefty tome when printed out — and read it. Wrote notes in the margin for follow-up. Highlighted key steps to validate data post-upgrade. The questions I was able to ask the program manager about our implementation plan knocked his socks off. He was a bit amazed I’d gone to those lengths and depths to really get into the … you know. Boom!: credibility.

I like to share audit risk assessments and testing approaches with auditees to:

  1. Verify we correctly understand their process.
  2. Get their sign-off that we’ve identified the control activities they will be evaluated against.

Generic audit programs and risk assessments are an invitation to death by a thousand questions. If you’ve done the hard work up front to get into the details, to really know how things work, and document meaningful [SPECIFIC] risks and controls, data interfaces, and configurations, it is very difficult for your work to be second-guessed. And that feels pretty great. You’re on the road to credibility.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


