The Key to Credibility Is Specificity

“It's the little details that are vital. Little things make big things happen.” —John Wooden


The Idea: A lot has been said about details. “The devil’s in the details.” “Don’t sweat the small stuff.” “Retail is detail.” “Measure three times before you cut once.” Details are sometimes relegated to the domain of small minds and non-strategic thinkers. Not for me. Details are the currency of internal auditors who seek to be valued business partners. Trusted. Credible.

The Execution: Flying at 30,000 feet is great for airplanes, but it doesn’t do a lot to enhance the reputation of internal auditors. We need to understand how things work as well as or better than our auditees in order to gain their trust and provide the insights we want to be known for.
Don’t just prepare a process narrative; develop a flow chart — to at least a midlevel — “so that you can easily see the flow of information and materials, branches in the process, opportunities for infinite loops, the number of process steps, inter-departmental operations, and more,” as described in this article by Nicholas Hebb.

There is so much information available to internal auditors, whether from peer networking, online research, old-fashioned books and reference manuals, or conversations with subject-matter experts — use these to create your risk assessments and work programs. Case in point: My company is upgrading its enterprise resource planning system. I sit on the steering committee to advise and evaluate on project and program risks. I’ve never been part of an Oracle R12 technical upgrade, so I went online to enhance my understanding of what this actually entails. I found the Oracle R12 implementation guide — quite a hefty tome when printed out — and read it. Wrote notes in the margin for follow-up. Highlighted key steps to validate data post-upgrade. The questions I was able to ask the program manager about our implementation plan knocked his socks off. He was a bit amazed I’d gone to those lengths and depths to really get into the … you know. Boom!: credibility.

I like to share audit risk assessments and testing approaches with auditees to:

  1. Verify we correctly understand their process.
  2. Get their sign-off that we’ve identified the control activities they will be evaluated against.

Generic audit programs and risk assessments are an invitation to death by a thousand questions. If you’ve done the hard work up front to get into the details, to really know how things work, and document meaningful [SPECIFIC] risks and controls, data interfaces, and configurations, it is very difficult for your work to be second-guessed. And that feels pretty great. You’re on the road to credibility.

Posted on Feb 25, 2014 by Carolyn Saint


  1. Agreed! I think sharing the audit risk assessments and testing approaches is something more audit shops should do. A lot of times we guard that information like it's top secret, when it is a really valuable piece of not only getting buy-in from the auditee but also helping them understand why we're doing what we're doing so that they can help us strengthen our process.

  1. Trenicia--you're absolutely right! Thanks for commenting.

  1. Carolyn, you are right about understanding detail, especially when implementing computer systems. I would add, 'Involve the people who understand the detail'. This will include line managers, supervisors and clerical staff. When I was implementing Oracle Financials, we set up a test system, put terminals (this was some time ago!) on the managers' and supervisors' desks and taught them how to use the system. They also went through the operating manual (which listed the procedures around the input and output screens) line by line before the system went live. The auditor's responsibility is to check that this is being done and understand sufficient detail to ask questions plus, just as important, understand the answers.
