Six Common Mistakes That Will Derail an Internal Audit

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.
 
 
Over time, internal auditors tend to hear about a lot of things that went wrong. Unfortunately, it’s not just our clients who make mistakes — I have witnessed more than a few spectacular internal audit failures, and in too many cases the internal audits went wrong for reasons that easily could have been prevented during engagement planning. Some of the biggest blunders often seem to stem from the same few mistakes. In the hope that we can learn from each other’s mistakes, I have listed below my take on the most common of these missteps.       
  1.  Not setting aside enough time to adequately plan the audit. It’s all too easy to postpone audit planning when you’re still focused on the previous audit. That’s probably why this might be the most common audit mistake of all. What can go wrong if you delay planning until the last minute? I have heard tales of the location scheduled for the audit having been shut down two months earlier, auditors having to stay at a hotel two hours away because no vacancies were available locally, a new technology having been implemented that the team was unqualified to review — the list goes on and on, but you get the idea. If you want to sabotage your internal audit, simply do nothing until just before fieldwork is scheduled to begin. That way, when something goes wrong, you won’t have the “safety net” of a few extra days in which to salvage the situation.
  2. Trying to audit too much (and scope creep). Setting the scope is one of the rare areas where the most diligent auditors tend to run into the most problems. When the initial scope is too ambitious or too open-ended, the risks go way up that the job will take too long or that the auditors will miss important issues that were included in the scope. It’s difficult enough to stay on schedule and avoid “scope creep” later in an audit when the scope is well-defined to begin with. When the scope is open-ended, it can lead to crushing work schedules or to unrealistic stakeholder expectations. Either way, failing to limit the scope appropriately might mean that your audit will be viewed as less than successful.
  3. Not involving the client. Failure to involve your client early and often can be a real “audit killer.” Just imagine holding a closing meeting a thousand miles from home during which management says, “You spent three weeks testing that? But nobody even uses that report any more, and that isn’t a risk these days because. …”
  4. Failing to augment the audit team with “functional expertise.” Especially if you are a very experienced and confident auditor, you may tend to overestimate your ability to “go it alone” without expert help; so this is an area that occasionally trips up the best auditors in the business. Involving a subject matter expert early in the audit planning process can help ensure you haven’t overlooked something vital.
  5. Forgetting the audit should ultimately add value. We all know that internal auditing is not just about pointing out what’s wrong — it’s about helping management accomplish its objectives and, at times, helping management identify and take advantage of opportunities that otherwise might have been missed. We need to design audit activities with the potential to add true value — not to design activities primarily aimed at catching small mistakes. It can help to “risk assess” your audit tests: What’s the best/worst that could happen if we perform this particular test? If the test can’t lead to major findings or recommendations, maybe you are planning to test the wrong things.
  6. Forgetting to follow the risks. If your ”planning” is normally to perform the same audits the same way each year, regardless of risks or changing circumstances, then the odds are good that your results won’t be the same as they were last year; they will be worse. You may fail to identify new risks and opportunities — and at best, you will be less likely to add value than in the past. After all, you already gave management recommendations based on last year’s tests, and the chances of a truly important new insight or recommendation are lower the second (or fourth) time around. One management official who was later convicted of fraud said, “Internal audit wasn’t a problem. I always knew they wouldn’t come back for a year, and I knew exactly what they would look at when they returned.”
These are just a few of the mistakes that seem to keep undermining promising internal audits. Your list might be different. What are some of the biggest mistakes you have seen that derailed an internal audit?
 

Posted on Apr 16, 2012 by Richard Chambers

Share This Article:    

  1. Richard;

    In my experience the biggest mistake made on audits is not starting with a request to see management's assessment of the risks to the area being audited or, if internal audit has asked and there is no documented risk assessment, not making it the first major finding of the audit. This finding should be repeated on every audit and every year as long as management refuses to do effective risk management. 


    Internal audit departments need to do everything they can to convince clients that management owns responsibility to manage risk and control and they also own primary responsibilty to periodically and visibly evaluate whether it produces and an acceptable level of residual risk to the company and the board.  More and better traditional auditing can actually demotivate work units to assume responsibility for learning how to complete and wanting to complete demonstrable risk and control assessments.

    Your points above are all largely premised on IA continuing to act as a company's primary risk and control analyst/reporters.  A large percentage of IIA training materials continue to be based on this paradigm. This needs to change.   IA departments should report on the reliability of the processes management uses to manage risks and the reliabiltiy of management's reports to the board on the organization's residual risk status.  If there is nothing to report on the company won't need a very large IA function.

    The CSA movement started in the late 1980s. It has been over 30 years and true progress is still limited.  The IIA needs to help speed up the transition to management owned risk and control assessment and reporting.

  1. Managing staffing resources and meet the audit plan based on business risk within the given constraints are not considered easy and simple for any auditors including experienced or non-experienced auditors. Business risk increases astronomically and not just incrementally when business itself is undergoing heavy staff turnover and mismatch in strategy & communication of that strategy by senior management to local internal auditors. Internal auditors mandate is not complete just because management took time to express their interest many years ago about having a mission statement for audit or written audit committee charter. The solutions are plenty and no one size fits all for all audit risk here. 

  1. These are great comments to share with the auditee before each audit!  Auditees can be intimidated by the audits - or, at the very least, unfamiliar with the auditing process and the intended outcomes.  Imagine turning these questions inside out and empowering the auditee: 1.  When we contact you to plan, here's why we need you to respond.  If there's something WE should know way ahead of time, please tell us.  2.  If we start going down a rabbit trail - no matter how interesting - please call a time out and remind us that it's not in scope.  Maybe we'll do another audit or get you help another way.  3.  When we ask you to be involved, we mean it.  Talk to us.  4.  If you think the audit team is in over its head, tell us.  We can find specialists to help us out.  5.  We're here from Internal Audit and we're here to help you.  No, really.  We mean it.  Where can we help you the most?  6.  You know your business better than we do.  What keeps YOU up at night? 

     

  1. I agree with all your points, Richard, but would however like to add, in relation to point 5, that what to me appears to have been presented as a subsidiary mandate of internal auditing, is to me the main mandate of internal auditing.

    I look at the fundamental purpose of internal auditing as being to "help an organisation to accomplish its objectives". We do that through, the nature of internal auditing, assurance (evaluating) and consulting (contributing to the improvement of) directed at, the scope of internal auditing, governance, risk management and control PROCESSES.

    Adding value and improving the organisation's operations are to me included  in the phrase "help an organisation accomplish its objectives".

    The IIA definitions of assurance activities, consulting activities and added value all seem to support my view.

    I certainly hope that the definition of internalauditing will be revisited soon, if only to correct the sequence of the PROCESSES but also to clarify the concepts of fundamentalpurpose, nature and scope of internal auditing.

     

  1. Richard --

    Once again you are right on target with very helpful coaching ideas for audit pratitioners to ponder and implement.  I particularly agree with your advice to "involve your client early and often."  Building effective relationships with business partners is a key factor in better understanding business processes and ultimately, adding value through audit work.  Such business relationships also address a core competency emphasized in The IIA's 2010 Global Internal Audit Survey: Understand the Business!

  1. Thanky ou for the insight for future audits and diagnosis of some past audits.  All your points are so true.  Several audits in my past experience that were extremely difficult  and challenging (but still accomplished) came to mind.  The "missteps" you pointed out account for some of these difficult audits.  I have had assignments to execute audits that were already planned, the audit programs written, and the team chosen prior to my receiving the assignment,  These audits were not entirely derailed but they did not meet my expectations.

    When an audit is not adequately planned, the members of the audit team, while meeting the challenge to compensate for holes in risk assessment, system information, speicialized knowledge, and audit strategy, become victimized.  They experience  lost time in interviews, data gathering, and audit program adustments that must be justified to audit management.  Then, to make up time, they work overtime to complete testing  because time was used for  "planning" type activities resullting in overall mediocre performance of a tired frustrated team.  However, if all the energy was spent in true 'fielwork" activities, with proper planning, these audits may have produced outstanding value-added results. 

  1. The pointed out mistakes are valid in an organisation where the org has reached maturity toward the IA function.

    Most of the organisation / people working in it carry different (perhaps a traditional) impression about IA. Many a times the Board is not clear as to what are their expectations from the IA activity. They view IA more from compliance & assurance view point and rather than 'add value' / 'consulting' perspective. 

    There is a need to convey the current message of the meaning "IA" and some what standardise deliverables under IA.

  1. When the objectives are not clearly defined, then this can completely derail the audit. I've also noticed that sometimes we go fishing, that is, we come up with an objective but depending on what we find during our fieldwork, we modify it. Setting the right foundation up front is key to a successful audit. As part of planning, we should also consider all the risks that we will potentially encounter and how to address them. We should also involve key internal staff, such as legal and other experts, so that we will have this covered as well in our test plan.

Leave a Reply