
Are internal auditors missing the boat?

November 13, 2023

As auditors, we provide assurance, advice, and insight on the system of internal controls over the more significant risks to enterprise objectives.

Internal controls provide the basis, the foundation, on which management and the board rely as they manage and direct the organization to success.

The typical audit assesses and tests the controls over transactions and how they are originated and processed: their completeness, validity, accuracy, and recording. We may also audit risk and governance practices, and how information and systems are protected.

But is that missing the boat?

Are we (and risk practitioners) failing to provide valuable assurance, advice, and insight on what may be even more important to successfully achieving objectives?

Organizations succeed or fail as a result of the decisions they make.

Those decisions include:

  • Defining the purpose of the organization, what it desires to accomplish over the longer-term
  • Deciding what strategic goals and objectives should be set for the period, including how each member of the management team will be compensated
  • Identifying the strategies that will enable them to achieve their objectives
  • Managing the organization every day, making tactical decisions such as:
    • Who to hire
    • Who to fire
    • Sales prices for the organization’s products and services
    • Which vendor to select
    • When to purchase what, for delivery when, in what quantity
    • When to release a new product
    • How and when to implement new or updated technologies
    • Where to invest funds
    • At what level to set credit limits, derivative position limits, etc.
    • … and so on

Grant Purdy is an individual for whom I have great respect. After he left his position as CRO at BHP Billiton, he entered the world of consulting. He told me that he was frequently engaged to help an organization upgrade its risk management program.

But… when he met with management, he didn’t ask them about “risk”.

No, he asked them how they made decisions! Very wise!

Internal auditors may identify, test, and assess the internal controls around the information that management might have (such as performance and risk reports) when making decisions.

But we don’t usually ask how they use that information – if they use it at all!

I have seen surveys that say that most decision-makers not only don’t use all the valuable and relevant information that is available, they don’t even know it exists!

This is what I suggest:

  • When you are conducting an audit, ask the manager how they make their decisions – such as which vendor to use, which staff to assign to a project, or which price and contract terms to negotiate.
  • Ask them whether they have all the information they need to make an informed and intelligent decision. Do they involve others who might be affected by their decision or have useful information that should be considered?
  • Review that information and consider whether there are adequate controls over its:
    • Completeness
    • Accuracy
    • Currency
  • See whether management is actually using the available useful information to make their decisions.
  • Are the decision-makers affected by bias, adversely affecting their decisions?

While I don’t recommend second-guessing what the manager decided, consider whether their decision was reasonable given the circumstances (e.g., the business need, the time available to make the decision, who is available to provide additional perspectives, whether the manager has the authority to make the decision, etc.) and the relevant information.

In other words, assess the controls around the process for making important decisions. Do they provide reasonable assurance that informed and intelligent decisions are made, taking the right level of the right risks to achieve enterprise objectives?

It’s still risk-based auditing, but instead of only auditing the controls over transactions, you audit the controls over major decision-making. You audit the controls over the risk of poor decisions.

If we only audit controls over transactions and processes (including their protection), we may be missing the boat!

What do you think?

  1. Anonymous
    November 13, 2023 at 10:55 AM

    You are correct. Accurate, relevant, valid, and complete information supporting the decisions to invest hundreds of millions of dollars is often missing. Furthermore, it would force auditors to “value” rate (e.g. focus on the quality of info driving decisions driving value), not risk rate the universe, and focus on the future, not the past. The “follow the money” rule applies to audit planning as well.

    • Norman Marks
      November 13, 2023 at 11:18 AM

      Adding to that is whether that information is even used!

  2. David Griffiths
    November 13, 2023 at 11:16 AM

    You are right Norman – but you don’t go far enough.
    All staff make decisions. They may be mundane (‘How do I fill this box with these items?’), but they are decisions.
    Internal audit should therefore be asking all staff on every audit the questions you have asked above plus:
    Do you know what decisions you should be making?
    Do you know what decisions you should refer to others?
    Have you been trained in decision making?

  3. Anonymous
    November 14, 2023 at 10:32 AM

    Yes, agreed. According to Chatbox: ‘Yes, the internal auditor has a responsibility to assess and evaluate the risk of poor decision making within an organization. They play a crucial role in identifying and mitigating risks associated with decision-making processes, including evaluating the effectiveness of internal controls, assessing the reliability of financial information, and ensuring compliance with laws and regulations.

    While the internal auditor does not have direct control over decision-making, they provide independent and objective assurance to management and the board of directors regarding the effectiveness of risk management processes. They can make recommendations for improving decision-making practices and help management understand the potential risks and consequences of poor decision making.

    Ultimately, the responsibility for decision-making lies with management and the board of directors, but the internal auditor’s role is to provide assurance and guidance to help mitigate the risk of poor decision making.’

    • Norman Marks
      November 14, 2023 at 10:36 AM

      I wonder who wrote that?

  4. Anonymous
    November 14, 2023 at 2:50 PM

    I agree, definitely an area to be audited. I would focus on auditing the decision-making process around the major decisions, as you, Norman, rightfully wrote. Day-to-day decisions should be made by following certain procedures; for example, why a certain vendor was chosen should be the result of following the criteria outlined in the request for quotations, and the decision on who to hire should be based on following the hiring procedures, etc. Questions arise when a decision is made outside of the prescribed processes.

  5. Anonymous
    November 14, 2023 at 3:51 PM

    Agree more needs to be looked at in auditing decisions made. Providing assurance on decision making has its complexities; in some cases the decisions not made pose greater risk. Then the basis for decisions is sometimes not fully documented. Sure, a good balance of assurance across decisions made, execution and monitoring can only be useful. Difficult to audit transactions and bring out real causes for issues without understanding the supporting decisions.
