You Don't Have to Be a Clown to Audit the Circus

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

Over the past two years, I have heard executives complaining with increasing frequency that “internal auditors just don’t understand the business.” My sense is that some of these complaints are legitimate while others originate from business unit managers who simply don’t want internal auditors probing around in their areas of operation.

As I have observed before, many internal auditors were brought into their organizations in recent years to help with enhanced internal audit coverage of financial controls. Many who made up this new generation of internal auditors had little background in their company or its industry. They were proficient in Sarbanes-Oxley related audit support, but had little — if any — experience in auditing operational risks. So, it’s understandable that rebalancing internal audit coverage to include a broader portfolio of risks has exposed some practitioners’ limited knowledge of the business.

A recent IIA Audit Executive Center survey disclosed a number of effective strategies to help internal auditors acquire and enhance their business acumen. Almost 90 percent of those responding to the survey indicated that a means of acquiring more collective knowledge of the business was “internal development of existing personnel,” such as:

  • Subscribing to industry periodicals or other literature — 75 percent.
  • Training focused on industry risks or issues — 69 percent.
  • Partnering inexperienced staff with more experienced staff — 69 percent.
  • Chief audit executive (CAE) participation in industry-focused CAE groups or events — 55 percent.
  • CAE frequently, but informally, benchmarks/networks with peers — 49 percent.

I am also confident that — as a profession — we will navigate any temporary gaps in knowledge of the business. But make no mistake: There will always be managers within the business who believe their business units are too complex or sophisticated for a mere internal auditor to understand. They will push back on internal auditing’s risk assessments that indicate their areas of responsibility warrant internal audit coverage. They will dispute findings in audit reports on the basis that we don’t know what we’re talking about.

During my career, I have debated more than a few disgruntled managers who wanted to keep my staff out of their area of operations on the basis of lack of expertise. With very few exceptions, I was successful in refuting their assertions. On those occasions where there was some validity to their concerns, I typically secured the necessary expertise by cosourcing with a third party. My advice to any CAE faced with such circumstances is to hold your ground and navigate the concerns as appropriate. As one of my colleagues once cleverly responded to a business unit that doubted internal auditing’s ability to assess his operations: “You don’t have to be a clown to audit the circus.”
 

Posted on Mar 28, 2011 by Richard Chambers

Share This Article:    

  1. Great article in these times of professional diversifying into non-financial realms

     

    Regards

     

    Dennis Davie

  1.  

    Great. I will start using the sentence "You don’t have to be a clown to audit the circus”
     

  1. I have found the best way to navigate these debates is to speak the manager's language wherever possible, staying within the COSO framework.  Seek to understand the key business objectives;  then agree on the key risks that threaten those objectives, and determine which controls management has in place to address those risks.  Stick to that formula, and you can audit anything from the janitor's closet to NASA's Space Program. 

  1. Excelent articulo!!! To overcome barriers to the auditor and make consciousness of the importance of gain knowledge

  1. Good blog and three additional points

    Know the strategic plan cold-inside out (as Jerry indicates above business objectives). Everything must be related to the strategic/business objectives

    Make sure your facts/findings are 100% correct before you go into any exit meetings. I have lost a few issues over the years primarily because the facts were incorrect. In addition to it being embarassing, it put our team on the defensive for a couple of future audits

    Most importantly, give the auditee credit in the audit report for what they are doing right. It costs nothing and builds tremendous goodwill

  1. An interesting and valid point as far as it goes. But be careful.   I don't  think the auditors job is to do audits. I can agree that you don't have to be a clown to audit the circus. I can't agree that an auditor or anyone else who does not know the circus business can add value to it, let alone provide assurance on what matters most. As a former CAE, I have come to hold the view that in order to add value, auditors must understand business value. That means they must understand where the true economic value of the circus business lies, how value is added and what can destroy it. Usually that will take the auditor far away from their comfort zone, often far away from financial balances and financial controls, right into the lion's den so to speak.

  1. Good points Bruce.  I am an ardent believer that internal auditors need to understand the business.  My only point is that sometimes management officials believe that their area of responsibilities are too complex for a mere auditor to comprehend.  Have seen this with the legal function, human resources, and even IT among others.  We need to be prepared to push back when we believe their views are unfounded.

  1. If you are hearing "...internal auditors just don’t understand the business" with increasing frequency by company executives, then that should be a wake-up call.  You also mentioned the newer auditors who have little, if any, operational experience.

    The pieces of the puzzle are there.  Time to put them together.

    The optimal solution is to have an experienced audit staff of varied backgrounds who possess the institutional and operational knowledge and experience necessary to understand the business.  One may co-source a specialty skill, but it near impossible to contract a third party to come into your business and gain a thorough understanding of the operational risk and culture in a short term engagement.  Over the years, the best auditors I have observed are those with years of experience in the operational side of the business who come into auditing with that wealth of knowledge.

    Bottom line, our profession is all about credibility.  No, you don't have to be a clown to audit the circus, but it helps if you are able to recognize elephant dung when you see it.

  1. This is a very valid way of putting when people say - you are not experienced in the field. Sometimes, coming from outside may even make more sense to audit to ensure all areas are covered and looking at things from out of the box.

  1.  

    Auditors do not have best knowledge of every business and this should not be expected. Auditors should have a good understanding of business and their objectives. This is adequate to perform a good audit.

  1. Risk management (a/k/a business continuity/COOP) practitioners here the same story and, like Mr. Chambers, I agree that the practitioner need _not_ be an expert in the operations of each functional unit covered by a plan/audit.

    What the practitioner _must_ be is an expert interviewer (that includes expert listening) . It's been my experience over some 14 years that functional unit staff _generally_ are delighted to explain the purpose of their unit and how it works. A good interviewer knows when to follow (or sometimes create) a tangent to uncover information that might not be entirely flattering, but is critical to the organization's well-being.

    As a risk management practitioner, I look at auditors-with-open (or at least curious) minds as allies. In a bottom line analysis of things, we both have the same basic goal.
    BTW, if any auditor - internal or otherwise - wants to learn how to audit a risk management (BC/COOP) plan, just ask; I'll gladly share what I know about my profession.
  1. Dear Richard Richard Chambers, this has been one of my farvorite quotes, thanks to you and more so when I heard you quote it during one of your recent speeches at an IIA event. I recently used this quote to motivate non-audtitors to join the IIA since some of them out there when asked why they are not joining they say the IIA is only for internal auditors but I tell them in my opininion one needs not to be an internal auditor to be an IIA member just like your famous quote “You don’t have to be a clown to audit the circus.” 

  1. Violet - thank you for the kind words.  More importantly, thank you for your IIA recruitment efforts.  Many of our members operate in other areas of their enterprise.  It is important to know that we are also champions for stronger internal controls, effective risk management, and good corporate governance.

  1. So true! That's a situation one always faces when entering to a new company, but as you mention that's just an excuse to take us away from their business. Instead they need to worry about the risky situations they will find sooner than later!

  1. Does an auditor have the obligation to tell a company whose industry they are not familiar with that they lack the expertise?

Leave a Reply