Drive-by Auditing: Don't Be Guilty of "Hit and Run"

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

 

I have written extensively over the years of the need to improve the timeliness of internal audit results. Nothing undermines the value of an internal audit more than delivering the results when it is too late for management to correct a problem or too late to avoid further fraud, waste, or mismanagement.

If lengthy untimely audits are one extreme, the other is what I call “drive-by” internal audits. These are so-called internal audits in which either canned internal audit programs or checklists are used to facilitate a quick audit or report. In the financial services and retail industries, branch or store audits are sometimes conducted in this manner.

Don’t get me wrong — drive-by audits can provide important assurance on internal control effectiveness and compliance matters. They also can serve as fraud deterrents. However, their use does not always conform with The IIA’s International Professional Practices Framework, and they rarely provide management in the area subject to audit with real value. I have seen the technique used throughout my career, and I often thought of these engagements as “inspections” rather than true internal audits.

To avoid being guilty of ineffective drive-by auditing, I offer five litmus tests by which you can assess your approach:

  1. Is the engagement the result of an annual or ongoing risk assessment process? Drive-by audits often are cyclical. “We are going to audit you this year whether you need it or not.”
     
  2. Is the audit program or engagement plan itself developed based on risk? IIA Standard 2201: Planning Considerations mandates that in planning the engagement, internal auditors must consider significant risks to the activity, its objectives, resources, and operations. Drive-by audits often are conducted from canned audit programs with little consideration given to risks in the specific business unit or activity where the audit is being conducted.
     
  3. Is the same audit program being used at each drive-by location? As indicated above, the audit program should be tailored to the risks of the specific unit. However, there is an even greater risk of using canned programs: Management will quickly ascertain the areas subject to audit and ensure they are ready for the audit. Even if new audit programs are used each year, I have seen instances where management from the first business unit subject to the annual audit cycle signal all of their colleagues subject to subsequent audits on “what the auditors are looking at this year.” Naturally, that undermines the effectiveness of the entire audit process.
     
  4. Does the final audit report offer recommendations or simply provide findings and/or observations? Although rare, some drive-by internal auditors don’t even attempt to develop customized recommendations for corrective actions in response to findings or noncompliance cited in the audit report. The final report is nothing more than a list of transgressions noted. Then the auditor is off to the next location. This is not only a drive-by internal audit, it also would be classified as a “hit and run.”
     
  5. Does the audit process and final report add any value for operating management? Sadly, the answer to this question for drive-by audits is often “no.” The reports often are very clinical with no indications of management accomplishments, insight on operations, nor opportunities for improvement beyond “these things are not in compliance — correct them.”

As with all of my blogs, my views on drive-by auditing are my own personal thoughts and do not constitute official IIA guidance. However, I would encourage any internal auditor who might be conducting canned inspection-type audits to reexamine your approach. Use the five questions above to reengineer your internal audits into more risk-based, client-focused engagements.

As always, I welcome your thoughts on this important topic.

Posted on Aug 2, 2012 by Richard Chambers


  1. Richard, I must confess that some of us auditors are guilty as charged when it comes to this kind of approach despite its demerits.

    However, when one is under intense pressure to deliver, drive-by or hit and run audit comes in handy at least to give the client certain assurance no matter how insignificant.

    Thank you

     

  1. While I fully agree with Richard that drive-by and hit and run auditing are dangerous, I have a different definition for both terms. All too often in my career, I've seen auditors who just don't know how to close the loop on their audit work. They either:

    1) don't understand how to develop and execute audit tests related to key risks,

    2) don't complete their work, or

    3) don't properly investigate the audit exceptions.

    In my view, this drive-by auditing approach is far more dangerous than using a standard audit program or issuing a marginally late report.  The best way to manage these auditors is to supervise them and review their work, as is required by the IIA's Professional Standards.  As they gain proficiency over time with their jobs and learn "how to audit", things should improve.  If they don't, it is most important to help them find another job where their skills are better suited.  Now that is where many CAEs and companies fail. 

    Back to your critique of standard audit programs, I was a one-man Corporate Audit function at a steel manufacturing and processing company early in my career. I must say that our standard, full-scope, audit program was constantly growing/evolving and lengthy.  Was it bullet-proof and did it address every conceivable risk area for the company?  No.  But, I rarely had a chance to breathe for my full-scope audits.  And I did do a good job of raising a variety of non-program related issues based on my discussions and work with local management over time.  (Unfortunately, I could not sell ERM or risk based audit to executive management as they thought I was an over-zealous kid whenever I broached the topic.)

  1. To my understanding, an audit program is just used as a guide for new auditors; the important thing is that the programs must address the significant risks to the company.

    For audit recommendations, partnership auditing is important, where any practical suggestions by the auditee which add value to the organization should be included in the audit report. We can start the sentence like: "We have discussed the above audit issues with the management and they agreed to take the following appropriate corrective actions:"

  1. Good read. We have tried this style of audit. By doing this, sometimes our reason is to quickly highlight the major weakness or irregularity in the process. Quick reporting = quick actions. Yes, it may not be in the guidelines for IIA but I think internal audit needs to be flexible and creative. Not limited to the lines of rules and policies.

  1. If store audits do not conform with IPPF and are more like inspections, I still prefer the name audit. We have people performing store audits who are comfortable with doing the same evaluation every day and I'm glad they are. I doubt if your statement about the added value being rare is true. Perhaps, in your opinion, the use of the word audit may only refer to more challenging engagements.

    Here's my examination using your five questions:

    1. Yes, it's a cycle, but  general and region managers request the store audits and pay for them;

    2. Yes, our stores have standard procedures and risks. I think there is nothing wrong with having the risk assessment of our audit program performed just once a year;

    3. Yes. If just the chance of a store audit will have store managers comply with standard procedures, the number of store audits can be reduced and the store audit will add value even more efficiently;

    4. In essence, observations. Discussion of audit results is up to region managers. Store audit will perform true follow up audits for only a few stores. Every quarter patterns of audit findings are discussed with region management to determine the appropriateness of controls audited and if procedures need to be adjusted;

    5. Added value for store managers is not the report, but the discussions and the explanations themselves during the day. Added value for region managers is the report itself and frauds identified.

     

  1. Dear Richard,

    Your Five Litmus Tests are quite elaborate and I can only agree. However, it should be noted that certain drive-by audits are a result of client perception gaps. Often times clients expect internal auditors to focus on traditional areas of risk such as procurement and cash management in a way that the area has been audited traditionally. Unless one invests in reducing the perception gap, deviation may be taken as incompetence even by fellow professionals in the field. There are areas that one just audits (even contrary to the actual risk position on the risk matrix) just to provide assurance to an expectant management.

    I am aware of organisations that do not even subject some functions to an effective risk assessment owing to management expectation (if not demand) that such functions be audited regardless of the risk assessment. In such situations, the auditor does not appreciate the need to spend resources customising the audit program to inexistent risks. Obviously the same audit program is used repeatedly and the resulting report carries no significant recommendations, but management is assured of compliance to existing policies and procedures. Surely, is there no value in such assurance? Is this not one of the objectives under the COSO Framework? Would it be worth pursuing new frontiers unknown to management before satisfying their traditional expectations?

  1. Dear Richard, I do share your views and ideas. I work in a highly regulated aviation industry (Ethiopian Airlines) and extensive use of checklist characterizes the order of our activity. To curb most of the limitations of the use of audit checklists, however, we have a structured: Divergent reporting system; we have a dynamic check and balance system which triggers timely corrective/preventive action for management. Our role is to evaluate the adequacy of the check and balance system in timely triggering the deviations and evaluate the effectiveness of the system in helping management solve the deviation. Audit checklist revision system; the standards used as audit checklist undergo continuous revision pursuant to change in regulatory requirements and our organization's needs and capabilities. Management continuously revises its operating standards and we revise our audit checklists. Improvement system; we have a structured management evaluation and review meetings to ensure the appropriateness of the divergent reporting system and management's corrective action. In short, internal audit must be as dynamic as the management and/or Internal audit must catalyze the management system.
  1. As Audit Director for a 40-store department store chain, I rely on the assistant store managers to do what are essentially check-list audits.  They have value as a deterrent (as you suggested), help make sure that stores are in compliance with regulations and company standards, and help alert me to problems.

    That said, I forwarded your article to all 40 assistant managers and challenged them to come up with better audits or a better overall approach. I told them that nothing is off the table.  We'll see if they can come up with some innovative approaches!

     

  1. In medio stat virtus.

    In my opinion the audit test approach should be aligned to the specific risks/controls in scope. Processes highly standardised and (supposed to be) controlled by procedures-policies-systems are ideal for checklist approach. I do not see any deskilling issue for the audit. My former experience from the process engineering has taught me how difficult could be the design of a sound test checklist.

    Strategic management decisions, less tangible processes or simply more affected by exogenous factors are only auditable after a complete/exhaustive preliminary risk-based analysis. Likely, current audit program will be changed with respect to the previous.

    Timeliness of reporting and recommendations is out of question in both cases.
