The Best Tools for Risk and Audit Practitioners

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


Almost everybody has excellent tools for risk monitoring and internal auditing, but as with any software solution, it is necessary to learn how to use them well. These tools don't come with a user manual.

They are not sold by Microsoft, SAP, or Oracle.

No, they are built-in capabilities:

  • Our eyes
  • Our ears
  • The spaces in between

I can walk into a warehouse and, by being alert to signs of neglect and poor operations, quickly identify likely risk and control issues. I may see boxes scattered around between storage racks instead of in them, or layers of dust on inventory (OK, I may have to use another tool — my fingers — to measure the dust), or employees who appear to have either too much or too little work. I can see posted operational metrics and, by checking the dates of the last entries and reading notes of the last team meeting, see whether they are being maintained and discussed.

I can listen to employees and management talk — about their operational problems, their feelings about the company and their managers, and their working conditions.

The space between the ears and eyes has to be trained but then has extraordinary capabilities for analyzing and interpreting what you see and hear.

Use these tools, and use them all the time. Nobody says you can only use them when you have an "official" audit or risk assessment in progress. If you see, hear, and understand there to be an issue, take action now. It may be necessary to start an official engagement to perform additional testing, assessment, etc. But usually that will just confirm what your brain has already concluded.

Keep these tools finely honed and trained. They can be wonderful, as long as you don't let that other "capability" (your mouth) get in the way — when all you hear is the sound of your own voice.

Posted on Sep 12, 2012 by Norman Marks

  1. My prediction is that everybody will recognize this as a problem with their staff and peers. How many will recognize this as an area for self-development, I wonder.

  1. Fully agree. Also like the statement: you have one mouth and two ears, use them in that same proportion.
  1. Good recommendation and will get people thinking but may not encourage tools that you need for what your eyes cannot see - i.e., bid data

  1. Excellent points, and this post made me think about an interesting article I read in last Sunday’s “New York Times” about the ongoing debate over how much risk stock brokerages are creating with computer-driven high-frequency trading operations. Proponents of implementing more controls over those H.F.T. systems point to Knight Capital last month losing more than $400m in just minutes due to a computer glitch. When we work with our customers’ risk management teams, we try to emphasize the role humans must play in information monitoring and controls. Automated controls are more effective than manual processes for catching information errors, but humans should be the ones deciding the next courses of action. The Times’ article by Nathaniel Popper is “Searching for a Speed Limit in High-Frequency Trading,” on
  1. Great post. Sometimes that other capability “your mouth” can get you into trouble. Observation and inquiry are very important in our profession. However, inquiry really means (1) ask good questions and (2) listen, listen, listen.

    Your example of checking for dust in a warehouse really resonates with me.  I remember having one client that was relying on a security camera to protect some of its assets.  While walking through the area, I noticed the camera was pointed down.  Ordinarily, this is no big deal.  Maybe the cleaning crew knocked it down on accident.  However, there was dust on the camera, indicating that it had been down for some time.  After further investigation, it was determined that employees had been stealing for quite some time.

    I recently wrote a few articles about observation and inquiry that may be worth a read.

  1. Norman, you make a great point and open an important topic. We do a lot of chain of responsibility (COR) audits in the Transport and Logistics sector, and our standard procedure is to start with a complete "process walk-through" at the site - usually large distribution centers. This is where finely-honed observation skills are applied, and like you, we can come to an early assessment of what is really going on in the place. On one occasion our auditor noticed a truck driver having trouble reversing into a loading dock and on enquiry, found the driver a) was unlicensed; b) had not been inducted at the site! We could have written our report at that point.

    The important topic you have raised is that there appears to be a growing reliance on "GRC" systems that are based on transactional analysis rather than humans checking on other humans and on processes.  This has been picked up by other commentators to your blog.  When corporations and regulators place their trust in machine based compliance mechanisms, disaster is only a matter of time and opportunity.

  1. I would add: and the space above your eyes and ears (your brain)
