Can You Audit Your Own Work?
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
It's one of those "givens": "you can't audit your own work." This can inhibit an auditor, appropriately, from designing business processes, writing standards or policies, and other activities that should be performed by management.
But is this a "given" that makes sense in every case? Or is it the wrong standard to use?
Let's take a few cases.
1. The IT audit team develop a continuous auditing program that identifies potential duplicate payments. The program is then turned over to management, who use it as a detective control. (Some would call this continuous monitoring.)
Is there anything wrong with this? Can internal audit perform an objective review of accounts payable when one of the key controls is a program they developed?
My answer is YES. While internal audit developed the program, management has assumed responsibility for it now — including the responsibility for ensuring it is appropriate to the task. (I would consider asking a different auditor to review the duplicate payment control than the individual who developed the program.)
2. Internal audit participated as a controls and security consultant during a major IT project. (I call this a pre-implementation review.)
As the system and related business processes were designed and implemented, internal audit assessed and advised on internal controls and security. They may have recommended specific improvements, even to the point of sharing best practices and security measures other companies have used.
Can internal audit perform an objective audit of the business processes (including the new computer system) a year after go-live? YES. Internal audit participated and made recommendations, but management was responsible for the adequacy of the internal controls and security decisions. The CAE might consider using different people to audit the live system, but generally that is not necessary.
3. Internal audit recommends improvements in internal control and audits the same area a year later.
Let's assume that management accepted all of internal audit's recommendations and has made the changes precisely as proposed. Does this affect internal audit's ability to audit the upgraded system? Aren't they in effect auditing what they had previously recommended? Can they perform an objective audit in the second year?
My answer is YES. While internal audit made recommendations, management retains responsibility for deciding what actions to take.
4. Internal audit assesses the design of controls as adequate in year 1, then audits the same area a year later.
Can internal audit be objective and re-assess the design of controls that it found adequate the prior year — even if the controls are the same and the business has not changed?
Strangely, this may be the most "risky" proposition. Management will be — rightly — upset if the controls found adequate in year 1 are found less than adequate in year 2. But, the right attitude and awareness by the audit team can ensure they remain objective and assess the design as if it was their first time.
5. Management asks audit to provide examples of, or even to draft, a corporate policy.
Sometimes, management asks the internal audit team for help drafting a policy. A great example is the corporate code of ethics. The internal audit team provide management with copies from prior employers, or from 'best practice' studies. Perhaps they edit a draft based on those examples.
If management adopts the policy, can internal audit perform an objective audit of the area (including the adequacy of the policy) a year later?
My answer is YES. Internal audit may have drafted the policy, but management has the responsibility for accepting it. They retain responsibility for the system of internal controls. Now, I would worry about the risk of the audit department's draft not being adequate and ensure there is a good review process within IA. But, with the right attitude we should be OK.
"What then is the "right' standard?
I prefer to exercise judgment and ask whether internal audit can be objective in performing the audit engagement. I would consider changing the members of the audit team if that would improve both the perception and reality of objectivity.
But, I would not adopt a strict rule of "you can't audit your own work" because our "own work" includes audit recommendations and prior year assessments.
By the way, I recommend reading the IIA Practice Guide on Independence and Objectivity. It recognizes even a repeat audit (examples 3 and 4 above) as threats to objectivity.
Do you agree that it is better to use judgment and assess whether you can be objective, than to use a rule of "you can't audit your own work"?
Posted on Dec 28, 2011 by Norman Marks
Share This Article: