Any of you who have taken one of my seminars know that I pretty much call things as I see them. In other words, I take an edgy approach to the subject matter of auditing, which I believe to be one of the finest professions in the world. What I get edgy about is when auditors, or anyone connected to the practice of auditing, do not use the best tools available, don’t keep pace with the times, or simply don’t do their job as it should be done for any number of reasons, not the least of which is political, the worst reason of all.
To help me bring these key audit lessons to life, I have had a number of friends created by my sister-in-law Jaq Van Cleef, based upon my specs, to help reinforce the subject matter and the keys to success in auditing and risk management in the 21st Century, not the 19th.
The first of these is Super Auditor, a.k.a. SA. I have selected a ruggedly handsome individual, which of course is in keeping with the personas of those of us who are in the audit game. We are all either ruggedly handsome or fantastically beautiful, of course, in all different ways. Here he is now, and he will be a part of all of our future adventures. He is also highly skilled in data analytics and as a result is tremendously efficient and effective, and has no problem at all measuring his value back to the organization after every audit event. He is also a CCARDA and CERMDA, certified by Virtual Governance Institute in the fields of Audit and Risk Data Analytics and ERM Data Analytics. He misses very little and is never predictable in the context of what is next on his agenda.
The next of the clan will be Soupor Auditor, a.k.a. ITtS. This of course stands for I’ll Take the Soup. The reason is that when ITtS shows up he hasn’t got the first clue as to what is really going on in the business, because his boss sent him out there with no risk assessment, no planning, no preparation and no data insights. He is just taking up space, and valuable time away from the people who are trying to run the business.
He is a rookie, and waiting for his first paycheck so he can get a new piece of tape for his glasses. Keep an eye on him though: he is now a homely little caterpillar, but will gradually become a butterfly in the months to come.
A very key person in the organization is Edith Ruth Montgomery a.k.a. ERM. She is the Chief Risk Officer, a very clever young woman and extremely well versed in data analytics as applied to ERM as she also is a professional possessing a CERMDA designation from VGI.
Super Auditor views her as a critical ally in understanding the key risks of the organization and the KRIs (Key Risk Indicators) that are critical to analyzing the risk as well as forecasting emerging risks.
Her biggest challenge is to try and keep her boss from taking on too much risk for the organization and also to effectively manage the risks that are already in play. This is no small job and it keeps her very busy.
Oh, oh, don’t look now, but here he comes, the boss himself, Risk I Business, pronounced Riskee Business, a.k.a. Risk In Business. He is a classic in that perhaps he bites off a little more risk than he can chew, virtually all of the time. He is going to present significant challenges to the gang based on the way he runs his business and makes his decisions.
Now, last but not least, the critical player in all of this is our lovable K-9 companion known as Data Analytics Dawg, a.k.a. DAD. DAD is the one that brings the business intelligence to the mix. The data is everything, as people in the organization eventually start to realize, including this stellar cast of characters. SA and ERM are already in the know but are having a difficult time convincing the rest of the group. DAD is going to help them do that. Two great qualities that DAD possesses are that he is super cool, or sick or whatever the expression of the day is, and he can talk. Not bad for a dawg. In the coming months he is going to have a number of creative ways of looking at things using data analytics. He is also going to be a critical part of people being educated in the uses of data so that they can be certified as a CCARDA, CERMDA, or as a CFADA, Certified in Fraud Auditing Data Analytics, from who else, VGI. Now let’s kick off the discussions with a good discussion topic.
Defining what we do: The Definition of Internal Auditing
The IIA definition of Internal Auditing is as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
I want to take some time here in initiating this blog to clarify the key elements of this definition and to explore what they really mean. Let’s take the words in the definition and clarify their meaning in our chosen profession of auditing.
Independent means you always call it like you see it, no matter who likes it or who does not. You never politicize, diminish the importance of, or bury an issue simply because it might “ruffle some feathers”. That is what auditors do; we are feather rufflers. As my first General Auditor taught me, you always raise the issue, and he would support us, because the minute you don’t raise it and someone knows that you know and did not say it, they have you. From that point forward they will just squeeze your neck whenever it suits their purposes to get what they want. You will have no credibility at all anytime in the future.
Being Independent is not easy, but it is the essence of being an Auditor of any type. I have been involved in two major fraud discoveries in my career, once as a part of a team and once as the Chief Audit Executive. In both cases senior management was confronted, in both cases the external auditors sided with management, and in one case destroyed the evidence. I and others left the building on both occasions. We, however, never compromised our independence.
Objective Assurance and Consulting: this is, of course, the evaluation of controls and the most valuable of all services, consulting, or fixing the process. I have heard people in auditing actually argue that we can’t do consulting or we won’t be independent. Obviously that is incorrect; they are in the very same sentence. It is how you do it that is the secret, and that is using data and fact-based analysis as well as process analysis tools. Just think of it this way: what good does it do to put a bunch of controls on a broken process? None at all. You must use consulting and objective assurance in every audit to first repair, with Management’s assistance, the root cause of the process or business failure, and then control it once the process is stable and functioning as intended. We used these tools in every audit.
Add Value: that can never be done by claiming “look at the things we might have prevented”. Nobody cares, nor will they ever buy that argument of invisible value. You cannot add value if it cannot be measured. It cannot be measured if you don’t have a starting baseline of data and a fact- and data-based result to measure the improvements made as the result of the audit. NO DATA, NO VALUE! This is a very simple analysis if you think about it. After all, would you really buy an invisible car, or would you like to actually sit in it and experience all of the nice things that you are going to enjoy when you drive it? These concepts are taught in every one of my classes.
Improving the organization’s operations is the most critical thing that we can do in conjunction with management. If they don’t already, auditors have to start to realize that the numbers come from operations that underlie the financial results. Therefore when there are issues that cause the financial results to be less than satisfactory the root cause is in operations and must be fixed there. I am not sure that the people who believe that these issues can be fixed by putting more controls over the financial reporting process really understand how businesses operate.
Improve the effectiveness of risk management, control, and governance processes is the key observation in the last paragraph. The key message here is easily overlooked, but it was one of the key concepts expressed in this definition. The priority is the issue of most importance. As can be clearly seen, risk is first, then controls. Risk is the key to everything. Yet when SOX compliance raced forward at full speed, risk was ignored, as it still is today, with passing lip service; then controls became the central focus. That is incorrect and totally backwards, as it has always been, yet this is common practice in auditing. It would be interesting to know how these practitioners answer the question: how do you know what the control should be, or how it should be structured, if you don’t know what the risk is? Physical or logical, internal or external, technological or not, it makes a significant difference as regards the controls employed.
Quite honestly, in my opinion, the IIA has the definition exactly right and it has been so for years. The key issue that I see is that I don’t believe that, in many respects, audit practitioners are doing what this definition requires in each and every instance, nor in every audit event. Follow my proprietary approach to process-based auditing and you will learn how to audit in concert with the definition’s requirements.
In this blog we are going to concentrate on progressive audit and risk management techniques that need to be utilized today to keep pace with the challenges of 21st century companies. They will be data centric and if you employ them every time you audit you will accomplish the definition above. Everything that will be presented will be methodologies that support the IIA Definition of Internal Auditing and will be the most effective and efficient methodologies available.
Virtually everything today is data-centric. This is what we are going to be discussing in the coming months and providing precise examples of how data should be employed in auditing and risk assessment. See you next time.
Audit Right, get data-centric!
See you next time, when we will discuss the crucial issue of Petty Cash. I will answer the two key questions regarding it. First, did it get the name from Richard Petty, the world-famous race driver? Second, is it really petty, and why may it not be? You won’t want to miss that!!!