Can You Audit Your Own Work?

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

 

It's one of those "givens": "you can't audit your own work." This can inhibit an auditor, appropriately, from designing business processes, writing standards or policies, and other activities that should be performed by management.

But is this a "given" that makes sense in every case? Or is it the wrong standard to use?

Let's take a few cases.

1. The IT audit team develop a continuous auditing program that identifies potential duplicate payments. The program is then turned over to management, who use it as a detective control. (Some would call this continuous monitoring.)

Is there anything wrong with this? Can internal audit perform an objective review of accounts payable when one of the key controls is a program they developed?

My answer is YES. While internal audit developed the program, management has assumed responsibility for it now — including the responsibility for ensuring it is appropriate to the task. (I would consider asking a different auditor to review the duplicate payment control than the individual who developed the program.)

2. Internal audit participated as a controls and security consultant during a major IT project. (I call this a pre-implementation review.)

As the system and related business processes were designed and implemented, internal audit assessed and advised on internal controls and security. They may have recommended specific improvements, even to the point of sharing best practices and security measures other companies have used.

Can internal audit perform an objective audit of the business processes (including the new computer system) a year after go-live? YES. Internal audit participated and made recommendations, but management was responsible for the adequacy of the internal controls and security decisions. The CAE might consider using different people to audit the live system, but generally that is not necessary.

3. Internal audit recommends improvements in internal control and audits the same area a year later.

Let's assume that management accepted all of internal audit's recommendations and has made the changes precisely as proposed. Does this affect internal audit's ability to audit the upgraded system? Aren't they in effect auditing what they had previously recommended? Can they perform an objective audit in the second year?

My answer is YES. While internal audit made recommendations, management retains responsibility for deciding what actions to take.

4. Internal audit assesses the design of controls as adequate in year 1, then audits the same area a year later.

Can internal audit be objective and re-assess the design of controls that it found adequate the prior year — even if the controls are the same and the business has not changed?

Strangely, this may be the most "risky" proposition. Management will be — rightly — upset if the controls found adequate in year 1 are found less than adequate in year 2. But, the right attitude and awareness by the audit team can ensure they remain objective and assess the design as if it was their first time.

5. Management asks audit to provide examples of, or even to draft, a corporate policy.

Sometimes, management asks the internal audit team for help drafting a policy. A great example is the corporate code of ethics. The internal audit team provide management with copies from prior employers, or from 'best practice' studies. Perhaps they edit a draft based on those examples.

If management adopts the policy, can internal audit perform an objective audit of the area (including the adequacy of the policy) a year later?

My answer is YES. Internal audit may have drafted the policy, but management has the responsibility for accepting it. They retain responsibility for the system of internal controls. Now, I would worry about the risk of the audit department's draft not being adequate and ensure there is a good review process within IA. But, with the right attitude we should be OK.

What then is the "right" standard?

I prefer to exercise judgment and ask whether internal audit can be objective in performing the audit engagement. I would consider changing the members of the audit team if that would improve both the perception and reality of objectivity.

But, I would not adopt a strict rule of "you can't audit your own work" because our "own work" includes audit recommendations and prior year assessments.

By the way, I recommend reading the IIA Practice Guide on Independence and Objectivity. It recognizes even a repeat audit (examples 3 and 4 above) as threats to objectivity.

Do you agree that it is better to use judgment and assess whether you can be objective, than to use a rule of "you can't audit your own work"?

 

Posted on Dec 28, 2011 by Norman Marks


  1.  Norman-

    I concur!! It is all about exercising sound judgment in the approach used. It is my belief that as much as possible, management should leverage IA's vast operational, financial and technology risk knowledge and expertise.

  1. I fully agree that as long as internal audit remains in a guiding "consultant" role, and the final decision and responsibility on what gets implemented remain with management, I can not see why we would not be allowed back at a later stage to assess the adequacy of the controls, policies or procedures implemented.
  1. Great job applying some common sense to the IIA standards. I feel our profession at times takes too literal a view of what Internal Audit can and cannot do, to the detriment of providing value to the organization.

  1. Norman:

    Once again, you have asked a great question of substance. This issue deserves serious consideration as an internal auditor’s independence and objectivity can be easily compromised (either in fact or in appearance) in any of the scenarios you describe. 
    As a practical matter, every internal auditor needs to continually assess themselves in this regard. If an audit finding caused the termination of an employee in the prior year, and the same auditor is back to re-audit that same issue, is the auditor completely independent and objective? What if the employee assigned to remediate the audit issue is a close friend of the auditor? 
    My feeling is that, as human beings, internal auditors are constantly challenged with meeting the independence and objectivity standards. I recommend that, when in doubt, Chief Auditors develop a network of serious audit professionals and consult their peers when confronted with these issues. As in any such matter, document the results and the factors that led to your decision. In your 2nd example on the IT issue, you would want to document WHY you think that using the same auditor who consulted on the IT project to later audit it is the correct approach. Have your position reviewed by respected industry peers and document their agreement with your position.
    Taking these extra steps is, in my opinion, critical in order for auditors to assure themselves that they have taken all the necessary precautions and upheld the professional standards.
    Great conversation! Best wishes for a Happy New Year!
    Chris
  1.  Norman, I fully agree with the principle and examples from your article. With a small IA dept, we have situations such as this, and others. The key to me is to disclose the involvement of IA to the users of our work, so that they are aware of the potential objectivity/independence issue.

    Happy Holidays!

  1. Well, this is really damn true and awesome sharing of knowledge.

     

    regards,

    muhamad aimen

    internal auditor,

    mahmood group of industries

  1. Norman, Is it alright for Internal Audit to be involved in awareness of Fraud policies approved by management? What does the Standards guide us on this?
  1. Nkamula, thank you for the question. I would look to the role of the internal audit function related to fraud as expressed in its charter. Some organizations have a greater role than others.

    Having said that, I believe it is management's responsibility to develop, communicate, and train employees on all corporate policies, including any directly related to fraud. Internal audit is an expert in this area and should provide, IMHO, consulting service support - advising on content, etc.

  1. Good article Norman, and very valid points.

    My question here is that if the IA is being asked to review a draft policy and to initial it after review for go ahead, would this affect the objective and independent role of an IA? Is it a good practice to add a line in the policy to clarify what was the role of IA in drafting that policy, as a limitation or restriction?

  1.  Asham, if IA is being asked to review a draft I am going to assume they didn't prepare the draft. I would not initial it, but provide my comments in a memo, which explains the purpose and scope of my review.
