Let me start by saying that my first draft of this post started out a whole lot differently than the one you are about to read. Initially my intent was to make a point about unnecessary work being done by internal audit – work we think has to be done because the standards say so. Then I was going to quote the standards and show that many people's perceptions of what is contained in the standards are flawed.
And then I went to the standards to get my support.
And then I found out that my perception of what is contained in the standards is flawed.
And now I am starting over because I stand by my original conviction that, in some areas, we are working harder than we need to. But now I know that only part of the fault lies with ourselves; a part of the fault, dear Brutus, lies in the Standards.
One of the responsibilities of internal audit is to "improve an organization's operations" and "improve the effectiveness of risk management, control, and governance processes." (I'm a little gun-shy at this point, so I looked it up. It's part of the definition. It is definitely what we are supposed to do. Feel free to fact check me on this and all future references to the standards.)
I think we have to agree at the very outset that there are far too many internal audit shops (one would be far too many) which miss an important aspect of this definition. Far too many departments forget that a part of effectiveness is efficiency. And so they focus on adding controls rather than finding better ways to achieve the overall objectives. You know as well as I do that there are departments loath to ever eliminate a step, a process, or a control, even if it means the process becomes better. (And let's save all of us just a little bit of face by not bringing up the times we have fallen into that trap.)
But now let's move beyond those (what we hope to be) outliers. Even those of us who understand the full implications of effectiveness and apply them by eliminating unnecessary controls seem to have this innate ability to forget this commonsensical approach to processes when it comes to our own work.
And so we note every dot and record every tittle and pride ourselves in our ability to reconstruct every sneeze that occurred during the documentation of how the random numbers were generated for the random sample to be taken on the fourth set of samples. (An aside: The worst actual example I ever saw of over-documentation with an audit group was one that was required to document their research for the cheapest hotels in the travel area where they were going. I'm willing to bet the time spent doing that documentation cost as much as was saved by the cheaper hotel rates.)
Then every dot and tittle is reviewed by a lead auditor or a supervisor or some other direct step up the internal audit chain. And every review of every document must be noted – evidence that the lead auditor or supervisor or direct step up the internal audit chain not only looked to ensure that every dot and tittle has been recorded, but that it has been recorded appropriately and the information contained in that dot or that tittle has then been made a part of the mosaic that resulted in whatever morass of information is used to ensure "something important, profound, or, at the very least, correct" got done.
And then there is generally the additional requirement that each document be reviewed by an even higher power to ensure that there is evidence the lead auditor or supervisor or direct step up the internal audit chain not only looked to ensure that every dot and tittle was recorded, but that it has been recorded appropriately and the information contained in that dot or that tittle has then been made a part of the mosaic that resulted in whatever morass of information is used to ensure "something important, profound, or, at the very least, correct" got done, and, in addition, the processes ensuring that all internal audit policies and procedures have been followed and no errors are extant.
Are you starting to get my point? Are you starting to see that we may be in a state of...oh, for lack of a better term, a tad too much overkill? Are you starting to get the point that we are killing ants with atom bombs? (And the sad part is that those atom bombs, while generally killing the ants, often miss the bugs that bring the whole thing down. But that is beside the point.)
For my first quote from the standards, let me pull something which, I believe, supports what I'm trying to say. (There is also some related information in standard 1311. I leave it to you to explore those and see if they impact anything I have to say here.) Standard 2340, "Engagement Supervision," states:
"Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed."
Then, in the interpretation of this standard you will find the following:
"The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement...Appropriate evidence of supervision is documented and retained."
I find this to be a well-reasoned and cognizant expression regarding supervision. Let me put it my own way. Figure out how good the auditor is. Supervise appropriately. Document how supervision was conducted.
This is commonsensical. No one is given a free ride. But the amount of work necessary to ensure quality work is allowed. And it does not require babysitting the most talented, intelligent professionals within the organization.
But then, in practice advisory 2340-1, reason begins to spread its tiny wings and fly.
"All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed. Evidence of supervisory review consists of the reviewer initialing and dating each working paper after it is reviewed. Other techniques that provide evidence of supervisory review include completing an engagement working paper review checklist; preparing a memorandum specifying the nature, extent, and results of the review; or evaluating and accepting reviews within the working paper software."
Buried deep within this labyrinth of alternatives is the chance for someone to do something right: "Preparing a memorandum specifying the nature, extent, and results of the review." But even this, while it doesn't require the monotonous uselessness of other alternatives, seems to hearken to our slavish need to document the documentation of the documentation.
We are wasting our efforts on work that doesn't matter.
Look, here's what grinds my gears. If you walked into an operation and found the detail of review we inflict on ourselves, wouldn't one of your first recommendations be to cut some of that shtuff out? Wouldn't you suggest a method (maybe risk-based) for determining where review time is best spent? Might you not suggest that approval of every step – particularly every step taken by professionals who are being paid to use just a modicum more brains than the average planarian – is an incredible waste of time for the professional and for the supervisor?
I know there is discussion about revisiting the standards. I do not know how in depth that review might be nor how involved it might become. However, let me be the first to suggest that a first step is applying common sense.
All I ask – all any of us should ask – is the application of the tiniest shred of sanity to help our profession seem that much more professional.