Sometimes I start these blog posts and, the next thing I know, what I though was going to be a quick and easy write up takes on a life of its own, becoming an uncontrolled, multi-post behemoth. Other times they contain themselves nicely and fit exactly into the one-post pattern I have planned. The good news is that this post is going to go exactly as I assumed it would when I first started. The bad news is, even before I typed the first word, I knew this one would need a little explanation and will definitely require a number of posts. So, without further ado: Where Did This Audit Go Wrong - Part One.
When you think about an audit, what do you see? Is it a series of risks and tests and interviews and reports? Is it a conglomeration of workpapers? Is it the harmonious gestalt of many individuals' efforts? Is it the cobbled together concepts of auditee, auditor, managers, and executives? Or have you even given the concept much thought at all?
As prelude, I want to tell you two stories. These are based on two audits I oversaw a number of years ago. The names, projects, details, etc. have been changed, altered, and obfuscated to protect the innocent and the stupid. In addition, it will help me refrain from violating any proprietary information rules to which I am probably still bound. If the resulting story is an unintelligible mish-mosh, then I offer my apologies. But I'll try my best.
Audit Story the First: The company was involved in a rather extensive project intended to significantly change the way a primary portion of the business was carried out. Audit was asked to visit sites which were implementing the new project. We identified potential changes that would improve controls when the approach went company-wide. The department thanked us and made the necessary changes.
However, as part of our reviews we began to have concerns about the way the overall project was being managed – issues that might impact the success of the entire project. This included questions about reporting, projections, and even the impact of the company moving forward too quickly. Based on the risks involved, we were given the okay to do a project-level review.
At the conclusion of our review, we gave it a clean bill of health. And, within one year, the project was recognized by all as an abject failure.
In spite of everything we knew – in spite of the fact that we were sure failure was in the offing – how could we end up with an effective audit opinion?
Well, our opinion was based on the evidence which showed that executive management was being apprised of all necessary data on a timely basis. We also had evidence which showed that this was accurate. What we hadn't taken into consideration was that, although the information was being reported to executive management, that didn't mean they were listening. We also assumed (don't get me started on that word) that facts speak for themselves and did not take into consideration the way they can be colored during delivery.
Audit Story the Second: The structure for oversight of a major function within the company had been in place for as long as I had been an auditor. (That was in the time when slide rules ruled the earth and columnar pads were exploring the fringes of becoming more than sixteen columns.) The function was a major focus of Internal Audit and, over time, we began to see that, with changing times, potentially significant issues might begin slipping through the aging cracks. With that in mind we completed an audit over the oversight and governance of the function. After a fairly extensive review we came up with (you're already ahead of me, aren't you) an effective opinion.
Two years later the issues were becoming so prevalent that the company recognized the numerous flaws in the oversight process and developed a new compliance group to mitigate the risks.
In spite of knowing that potential issues were beginning to fall through the cracks – in spite of having evidence from other audits showing control breakdowns - how could we have an effective audit opinion?
The quick, easy answer is that the auditors fell into the trap of seeing what they were used to seeing. But the blame is more widespread. I knew that issues were falling through the cracks. And I double-checked with the auditors as I saw their results. And I reviewed the workpapers to ensure they had looked at the areas where I saw potential issues. And, at the end of the day, I signed off on it.
Here is the fascinating thing. Going back through the audits (and, trust me, we went back through these two audits) we saw that we did everything right – we followed our procedures, we complied with the standards, we did everything by every book we could find, and we reviewed and re-reviewed the workpapers. And yet, in the rearview mirror, both audits were fails.
The answer to that will have to wait because, as I already warned you, this one is going to take some time. I'll continue (at the very latest by the beginning of next week) with why the first step is admitting you have a problem, and eventually talk about what a symphony conductor might have to say about internal auditing.