Where Did This Audit Go Wrong?


Sometimes I start these blog posts and, the next thing I know, what I thought was going to be a quick and easy write-up takes on a life of its own, becoming an uncontrolled, multi-post behemoth. Other times they contain themselves nicely and fit exactly into the one-post pattern I have planned. The good news is that this post is going to go exactly as I assumed it would when I first started. The bad news is, even before I typed the first word, I knew this one would need a little explanation and will definitely require a number of posts. So, without further ado: Where Did This Audit Go Wrong - Part One.
When you think about an audit, what do you see? Is it a series of risks and tests and interviews and reports? Is it a conglomeration of workpapers? Is it the harmonious gestalt of many individuals' efforts? Is it the cobbled together concepts of auditee, auditor, managers, and executives? Or have you even given the concept much thought at all?
As prelude, I want to tell you two stories. These are based on two audits I oversaw a number of years ago. The names, projects, details, etc. have been changed, altered, and obfuscated to protect the innocent and the stupid. In addition, it will help me refrain from violating any proprietary information rules to which I am probably still bound. If the resulting story is an unintelligible mish-mosh, then I offer my apologies. But I'll try my best.
Audit Story the First: The company was involved in a rather extensive project intended to significantly change the way a primary portion of the business was carried out. Audit was asked to visit sites which were implementing the new project. We identified potential changes that would improve controls when the approach went company-wide. The department thanked us and made the necessary changes.
However, as part of our reviews we began to have concerns about the way the overall project was being managed – issues that might impact the success of the entire project. This included questions about reporting, projections, and even the impact of the company moving forward too quickly. Based on the risks involved, we were given the okay to do a project-level review.
At the conclusion of our review, we gave it a clean bill of health. And, within one year, the project was recognized by all as an abject failure. 
In spite of everything we knew – in spite of the fact that we were sure failure was in the offing – how could we end up with an effective audit opinion?
Well, our opinion was based on the evidence which showed that executive management was being apprised of all necessary data on a timely basis. We also had evidence which showed that this was accurate. What we hadn't taken into consideration was that, although the information was being reported to executive management, that didn't mean they were listening. We also assumed (don't get me started on that word) that facts speak for themselves and did not take into consideration the way they can be colored during delivery.
Audit Story the Second: The structure for oversight of a major function within the company had been in place for as long as I had been an auditor. (That was in the time when slide rules ruled the earth and columnar pads were exploring the fringes of becoming more than sixteen columns.) The function was a major focus of Internal Audit and, over time, we began to see that, with changing times, potentially significant issues might begin slipping through the aging cracks. With that in mind we completed an audit over the oversight and governance of the function. After a fairly extensive review we came up with (you're already ahead of me, aren't you) an effective opinion.
Two years later the issues were becoming so prevalent that the company recognized the numerous flaws in the oversight process and developed a new compliance group to mitigate the risks.
In spite of knowing that potential issues were beginning to fall through the cracks – in spite of having evidence from other audits showing control breakdowns - how could we have an effective audit opinion?
The quick, easy answer is that the auditors fell into the trap of seeing what they were used to seeing. But the blame is more widespread. I knew that issues were falling through the cracks. And I double-checked with the auditors as I saw their results. And I reviewed the workpapers to ensure they had looked at the areas where I saw potential issues. And, at the end of the day, I signed off on it.
Here is the fascinating thing. Going back through the audits (and, trust me, we went back through these two audits) we saw that we did everything right – we followed our procedures, we complied with the standards, we did everything by every book we could find, and we reviewed and re-reviewed the workpapers. And yet, in the rearview mirror, both audits were fails.
The answer to that will have to wait because, as I already warned you, this one is going to take some time. I'll continue (at the very latest by the beginning of next week) with why the first step is admitting you have a problem, and eventually talk about what a symphony conductor might have to say about internal auditing.

Posted on Jun 23, 2014 by Mike Jacka


  1. I've seen both.  I've seen an audit on IT security (in the wake of the Societe Generale debacle) given a clean bill of health where I was able to access client information in an unsecured drive and I found an individual who still had access to his system in his role 3 years prior which was signed off by his manager as appropriate. 

    I've also been on audits where "management know that something is wrong" but there wasn't anything serious that we found.  Yes, in prior years there was something wrong - it was fixed - and actually they were overcontrolling the risk to the detriment of the business - but management never trusted them or our prior reports.  Giving a clean bill of health is one of the scariest things I did, but it was the correct thing to do.

  1. Great points Kim.

    Far too often auditors are afraid of giving clean audit reports.  In the first place, the question I have heard time and time again, "How does a clean audit report provide any value?"  Coming from the insurance industry, this is a little like hearing "Why do I need insurance if I haven't had a claim?"  It is all about peace of mind.  You have insurance to put your mind at ease about potential accidents in the future; you have a clean audit report to put your mind at ease about the way a process is currently working.

    In the second place, auditors are far too fearful of being caught in an error.  "What if I give a clean report and something actually was wrong?"  Well, it's not the most ideal situation, but it happens (as my stories indicate.)  And, you know what?  Auditing goes on and is still seen as adding value and is still seen as a partner and is not diminished in the eyes of the stakeholders (unless there are more negative stories than positive.)

    So, while I will continue to use this series of posts to talk about the lessons learned from big mistakes (with any luck, part two should be posted in the next hour or so), you are right to point out that this doesn't mean auditing should avoid clean reports.  If, in  the opinion of the auditor, audit management, and all involved, the control structure is effective, then report it that way.

    Again, thanks for bringing up this point - one that is important enough I'll probably use it as part of the finale in this series.

