You can’t audit this!

I have heard that in one form or another over my career.

The first came when I was an internal audit manager for a financial institution. The senior vice president for Human Resources said she was a big supporter of internal audit, but my team and I couldn’t audit her area.

I asked why and she explained that since none of us had any experience working in HR, we didn’t have the competence (my word) to perform an audit of HR.

I was able to get her to give us a chance. We might not be experts in running HR, but we were experts in processes, risks, and controls. When I asked where she had a problem, she pointed me to one that had been troubling her for months. I had one of my team (who had recently completed a class in operational auditing) perform the audit. He soon identified the process problem to her great surprise. She was so impressed she wrote both of us a letter of commendation and took me to lunch, letting me drive her Cadillac!

Years later, when I was leading the internal audit at Tosco, one of the IT managers told me I couldn’t audit their very old financial system. It was too complicated. I had fun with that, as I was able to read the COBOL code and identify a number of their coding errors. Internal auditors can easily be underestimated.

A more serious situation arose when Tosco started trading in derivatives to hedge its commodity purchases and sales, with an occasional speculative position taken under the close supervision of the CEO.

This was a significant source of risk to the company, and I knew that none of the current staff had the necessary experience or training to audit the related processes. We could audit for compliance with policies and procedures, but we wouldn’t know whether they were the right ones for the business.

I hired an expert to lead the first audit with me as his assistant and pupil. He was a former manager of trading operations and now specialized in consulting and performing such audits or reviews. I added my audit expertise, and we got the job done. Our main issue was the need for upgraded policies and procedures, both to provide discipline over the trading and to ensure appropriate accounting. Over time, I got specialized training myself, weaned the consultant off the payroll, hired people with experience auditing trading operations, and built a strong competency within the team.

I have taken this approach many times, hiring an individual with experience in the business operation to supplement the team. For example, I did it with audits of sales contract management, procurement, the tax department, and white hat hacking. One technique used by many CAEs, including me, is to borrow subject matter experts from the business (in a different area to ensure there are no conflicts) and use them as guest auditors, adding experience and insight to the audit team.

The most recent challenge came in the last week, when my good friend Alexei told me that internal auditors didn’t have the competency to perform an effective audit of risk management.

I disagree, but the cynical Norman wants to ask him a question first:

“Alex, how many organizations have effective risk management, what you would call RM2, where leaders agree it is helping them make quality decisions and take the right level of the right risks for success?”

I think he will reply that it’s a small number.

Most organizations are managing a list of risks instead of managing the business. They fail to recognize in their program that sometimes you need to take more risk to achieve success. Instead, they believe that every risk needs to be managed or mitigated.

So cynical Norman thinks that auditing risk management and reaching an opinion on its effectiveness at the great majority of organizations is very easy! It is quickly evident that risk management is a compliance activity at that organization; most if not all executives fail to see much value in it to them or the business.

The auditor should conclude that risk management is not effective in helping leaders run the business. The far more difficult question to answer is why. The auditor adds value when he or she can point to the changes necessary to bring it to an acceptable level of maturity.

In other words, it is insufficient to audit for compliance with risk management policies and procedures when those procedures are not helping the organization succeed in doing anything other than manage a list of risks.

I and many others hold the Certification in Risk Management Assurance (CRMA) from the IIA. Does that certification automatically mean that we have the experience and competence to audit risk management?

No. (I have the ability based on my experience, not because I have a CRMA). I know of several auditors (whom I will not name) who hold the CRMA but have never audited risk management and I doubt they have a sufficient understanding of effective risk management to do it well.

But that doesn’t mean it can’t be done and done well. It just takes people who appreciate what effective risk management looks like, understand the business, and can use their common sense.

If the internal audit team doesn’t have individuals with the required experience and understanding, they can bring on a consultant to help them. For example, a company could hire Alexei or one of my other friends around the world! (Although I helped one audit team with high-level advice – including to use the maturity model in Risk Management for Success – I am trying to be retired so won’t take on any projects of length).

There are other areas where an internal audit may be a challenge, even for the largest internal audit department.

Last week, I met an old friend in San Francisco. She is a CAE for whom I have great respect.

I mentioned that I thought auditing ‘talent management’ (how you ensure you have the right employees to run the organization for success) is hard. She thought it was easy, as her company has many processes to address the risk/need. Her team can audit those processes.

I see it differently. When I lead my SOX Masters training, we talk about the fact that the attendees’ companies all have processes for hiring, training, performance reviews, and so on – yet none of them would want to rely on them to ensure that every control is performed by competent individuals. Rather than test controls in those processes, we rely on walkthroughs and tests of specific controls where we assess the experience and knowledge of the individuals performing the key controls.

The difficult question to answer in an audit is whether the processes implemented by the business provide reasonable assurance that its objective(s) will be achieved.

While hiring programs may provide reasonable assurance that individuals with the potential to excel are hired, when they turn out to be less than stars it is difficult to change them out. It’s a sad reality.

Talent management is also inextricably linked to the ability of management to lead and inspire excellence.

Can it be audited? I believe it can, but it’s not always that easy.

You can audit for compliance with policies and procedures. But auditing for effectiveness requires more judgment and experience.

You have to be able to assess whether those policies and procedures are the right ones, providing reasonable assurance that the related risks will be managed at an acceptable level.

This is where specialized expertise and experience come in handy.

A similar situation arises with cybersecurity. My friend and I disagree on this as well. She is correct that there are processes and policies that we can audit against. But how can you reach an opinion as to whether the right level of security is in place for the business and its risks – especially when threats and hacker techniques are changing all the time?

With the right people and the right approach, I think you can audit pretty much everything. I was able to audit creativity in the Marketing function at one company, believe it or not.

What do you think?

  1. August 8, 2022 at 8:13 AM

    I completely agree. I had my risk management audited 3 times and every time, instead of commenting on the deficiencies in RM2, of which there were plenty, auditors insisted on more glorified RM1 and complained RM1 wasn’t RM1-ish enough. I had one idiot write long passages on how missing cells in a risk register was a huge issue. I also think there is no point auditing processes that don’t exist. I once had auditors audit project risk management before it was integrated into project decision making and performance management; all sorts of silly comments received.

    Can audit anything as long as a competent person is on the team and the process exists.

    • Norman Marks
      August 8, 2022 at 8:22 AM

      Thanks, Alex.

      You can audit processes that don’t exist – as long as your opinion says that they are missing! For example, you go to audit a business unit and the leaders say they don’t think through the risks to their major system implementation. The process doesn’t exist. The auditor points out the need for such a process.

      In fact, when I audited Marketing’s creativity process, I found they had none – no way to tap the organization (especially those close to the customer) for ideas.

      • August 8, 2022 at 8:27 AM

        Not sure I agree, to audit something that doesn’t exist an auditor needs to have a pretty clear idea what it should look like, i.e. be a subject matter expert. And if you already have a subject matter expert on an unfinished process, why would you audit it, you just use SME to design the process right. No scope for auditing.

        • Norman Marks
          August 8, 2022 at 8:29 AM

          Alex, the purpose of an audit is to provide assurance, advice, and insight on the management of a risk. If there is no process and the risk is not being managed, there is a need for the auditor to say so.

          • August 8, 2022 at 8:32 AM

            I guess. Normally, if the process doesn’t exist and someone has been tasked to get it right, it is usually obvious that risks are not managed. I would feel silly if auditors had to state that.

            • Norman Marks
              August 8, 2022 at 8:46 AM

              Alex, where it is serious, the board and top management need to be informed. If management is on top of it, the audit report should say there is a risk but management is aware and plans are in place to address it. Often, that is not the case. In fact, very often!

  2. FloridaBuff
    August 8, 2022 at 9:07 AM

    Right on – I am a retired CIA, CFE, CISA and currently the Chair of the Internal Audit Committee of a 45,000 student County K-12 School District with an $800+ million budget. The teachers and unions all say we can’t audit academic programs, school operations, etc. because our audit staff are not teachers. But we finally got the Board to let us audit several selected schools as a stand-alone operation, just like auditing branch operations in a business. I am forwarding this article to some of our doubters. Keep in mind most government agencies have no performance measurement systems, performance dashboards, etc. Their only performance metric is whether there are still funds in the budget to spend. Thus I don’t consider them managers since they don’t measure performance, but we are working on it. I have seen the same issues with marketing-driven firms that throw money at advertising and marketing programs without measuring objective, accurate returns.

  3. August 8, 2022 at 9:55 AM

    If an organisation has objectives, it should have appropriate processes to deliver those objectives. Those processes should also include controls to manage the risks threatening the achievement of the objectives and the opportunities benefitting the achievement of them. It should therefore be apparent to an auditor checking on the effectiveness of controls to deliver the objectives that processes are missing.
    It is therefore possible for a non-specialist auditor to ask, ‘Where are your objectives? Where is your identification of opportunities and risks? Where are the controls to manage these opportunities and risks?’ A specialist may then be needed to assess the adequacy of the answers and check the existence and operation of the controls.
    As for the auditing of talent management and recruiting, the effectiveness of these processes should be apparent from the results delivered, hence ‘FloridaBuff’s’ concerns when performance management systems are not in place. Thus the auditor should be looking for: the communication of objectives down to an individual level; measurable targets set for the individual to achieve these objectives; and a formal appraisal between the manager (appraiser) and individual to discuss the achievement of these targets. There is also a need for a process to collate the results.

    • Norman Marks
      August 8, 2022 at 9:58 AM

      Simple questions can, as already pointed out, be illuminating.

      With respect to talent management, just ask managers and executives whether they have the team they want and need.

      • August 8, 2022 at 10:07 AM

        Norman, ‘whether they have the team they want and need.’ is fine if they are competent managers and executives. If they are not, they want staff who are unlikely to present a threat to themselves but need staff who will challenge. So I would also add, ‘With respect to talent management, just ask teams whether they have the managers and executives they want and need.’.

  4. August 8, 2022 at 11:27 AM

    Norman, with respect to hiring and talent management you said: “You can audit for compliance with policies and procedures. But auditing for effectiveness requires more judgment and experience.” Aren’t criteria, qualifications and experience developed which are inserted into the hiring processes or procedures to help evaluate and select talent that will be effective, and those hiring processes or procedures then could be audited?

    • Norman Marks
      August 8, 2022 at 11:53 AM

      David, yes you can do that, but how many companies have the talent they need? How many are constrained by the ability of people to find candidates and/or the salary limitations imposed on them? How many find that new employees don’t turn out as well as they hoped and then cannot fire average employees?

  5. Anonymous
    August 8, 2022 at 1:31 PM

    Interesting arguments. Audit is common sense: identify what it is that we want to do. Identify the risk of doing it and also the risk of not doing it. Ask the leadership whether we are dealing with those risks; if yes, how, and if not, advise them to implement controls to manage them. Then test the effectiveness of those controls and report back to the management. It doesn’t matter whose area we audit; as long as we ask the right questions, we are good auditors!

  6. majazshafi1580
    August 8, 2022 at 2:56 PM

    Recently I audited the Exploration and Drilling Department in one of the renowned oil and gas companies in KSA. They had the same argument and asked about my education, and they were amused and asked me how I was going to audit something I didn’t have education or prior experience in. But as time passed they realized and agreed how many gaps they had in their controls.

    • Norman Marks
      August 8, 2022 at 3:03 PM

      Well done!

  7. Alaba Adedamola Awolaja
    August 8, 2022 at 9:49 PM

    This is practical and easy to understand! I believe we can audit lots of things. Thanks so much.

  8. Debashis Gupta
    August 9, 2022 at 4:28 AM

    Bull’s eye, Norman! This is a cogent roadmap for auditing virtually any operation or activity across myriad kinds of organisations. While well known to most experienced auditors, these tenets need reinforcement esp. for auditors starting out on the journey and sometimes unsure on how to respond to challenges on grounds of supposed domain competency. Also, we may cry ourselves hoarse that audit is a largely domain agnostic activity, except for some niche work for which appropriate resources can always be marshalled, but careless managements and esp. recruiters will persist, unfortunately, in defining auditors’ JDs and requirements as narrowly as possible. It’s an uphill task and constant battle to allay such misconceptions.

  9. Madina
    August 23, 2022 at 3:26 AM

    Great article, thanks! I had a fair share of this kind of comment in my life as an internal auditor. The challenge is when we as auditors start aligning with such comments and box ourselves into ‘bean-counting’. We need reminders of our role and abilities! I also agree that auditing talent management is complex. Apart from ‘hiring for success’ practices, there is also the matter of talent retention, and that will open up all sorts of questions around org culture.
