The Biggest Risks in an Internal Audit May Be the Issues You Miss

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.


For many years, I taught accounting courses during the evenings at a local university. I would often tell my students, “The only stupid question is the one that is never asked — unless the question is, 'Would you postpone the next exam?'”

My years as a college instructor coincided with the early years of my internal audit career (which was essentially my day job at the time). Over time, I came to appreciate that in internal auditing, as elsewhere in life, there really are very few stupid questions.

The most successful internal auditors are not necessarily the smartest or the most experienced auditors; they are often the most inquisitive. Of course, it also helps to be prepared and to have intelligence, analytical ability, and a host of other attributes that can contribute to overall “audit ability.” But far too often when we miss a finding, it’s simply because we didn’t ask questions when we should have. And I have come to believe that the biggest risk in an internal audit is not citing a finding that doesn't exist — it's overlooking a finding that does exist.

If you doubt that the biggest internal audit risk is missing a major issue, consider the following. If you cite an issue/problem in your draft report that does not exist, management often will object vehemently and provide ample evidence that your conclusions are erroneous (that is why I often cite management review of a draft report as one of the strongest quality control steps in the audit). However, if you fail to cite an issue/problem that really does exist, how often does management speak up and say “excuse me, but you missed a major deficiency in my area”? Let’s just say that in more than 30 years, I have never seen it happen.

Asking questions is not an absolute guarantee of internal audit success, but it’s almost impossible to have an effective audit without asking questions. We also need to be able to analyze a situation and to advise our internal audit clients appropriately. However, regardless of whether you are assessing risks, planning an internal audit, or performing fieldwork, the process starts with asking well-informed questions. My colleague, Jodi Swauger, describes this as the “Five A’s Formula for Success”:

Audit Ability = Asking + Analyzing + Advising. In that order.

Is informed questioning really that important? Absolutely! Asking the right questions can be the difference between creating a powerful finding in a few minutes and spending days on fieldwork that only results in finding a problem everyone else already knew about or, worse yet, in missing an issue completely.

Recently I talked with an auditor who had spent the previous week combing through contract provisions and painstakingly gathering supporting documents for what he thought would be an important finding. If only he had asked a few more questions at the beginning of the week, he would have been told that because of a series of change orders, many of the provisions in the original contract were no longer valid. The auditor had spent the entire week verifying contract provisions that were no longer in force. In general, the audit was still a success because at the end of the week (and well before the closing meeting), he asked his client to explain what seemed to be numerous discrepancies. But no one will ever know what else might have been accomplished during that lost week if his time had been spent more productively.

During World War II it was common to hear the slogan, “Loose lips sink ships.” The same concept sometimes applies to internal auditing: We often are privy to confidential information that should not be shared freely. But when it comes to asking questions, our problem is far more often a matter of “closed lips miss ships!” So next time you are performing an audit and a question comes to mind, remember: When in doubt, just ask. You’ll probably be glad you did.

Posted on Oct 23, 2012 by Richard Chambers


  1. Very informative and a reminder to all auditors.
  1. I absolutely do agree. Initially I was reluctant to ask questions. But with the passage of time I realised that asking questions makes your task much easier.

  1. Thanks for sharing informative thoughts, which are really helpful.

    I do agree that asking questions is very important and indeed a major source of gathering intelligence, especially in identifying high risk areas and major issues. However, the Internal Auditors should be skeptical of the quality and credibility of responses and should corroborate them through other audit testing (compliance and substantive). This is important as sometimes, in an environment where fraud risks exist, there is a chance that these responses may result in the audit team ending up exhausting efforts in the wrong direction. At the end it is the auditor's professional judgement that matters.

  1. I am 100% congruent to this idea. It's true "Asking Questions" makes the job easy and more convenient to carry out the detail transactional tests. Moreover, it also provides some informal information which would be more substantial to meet at the conclusion and much more awareness of ground realities which might be contradictory to the applicable provisions i.e. cited above in the compliance test example of the article.
  1. I agree 100% with the above.

    The most successful audit test on identification of an Audit Risk would be Questioning and conducting discussion with the management.

    That would be a real good start to plan the audit and execute it effectively and efficiently.


  1. It is important to have this at the back of your mind and by all means adhere to it, but it is still vital to seek the facts via trails from other information sources and to have an independent mind. Asking relevant questions is a given and that is what we should do.

  1. I agree with your perspective. I just have one comment with regard to having management review the draft report. Consider moving the discussion up-stream one step further. For each scope area or test ask clients to agree to the facts and to verify that the auditor's interpretation of the reports or processes is accurate. Agreement here allows you to create the report based upon the already established findings. There still may be a few disagreements on the report’s presentation, but much easier than going back and reopening process reviews and test results in multiple areas.

  1. I totally agree. I think the term auditor comes from a Latin (or Greek) word "audere", to listen. Listening of course includes hearing answers to your questions.

    As an aside, after the very first fraud was made, the first question asked was: "where are you?" (Genesis 3:9)



  1. Practical approach of utilizing audit resources that add value to audit function.



  1. The premise of missing something 'big' during an internal audit is based on ineffective audit practices which are, themselves, based on external audit techniques! Internal audit planning which "pushes" audits on an organization will, of course, miss potentially big issues, since everyone's on the defensive! Not only that but auditor behaviours, taught in auditor courses, re-inforce this "them and us" approach.

    Effective internal audit planning involves the organization's management and encourages a focus on the risks being encountered. When considering this, the opportunities to miss something are diminished significantly.
