To audit controls ensures management can detect the issues and the detective controls used are adequate.
There’s a lot of talk about auditing culture and other significant sources of risk.
I am all for focusing our audit plan on the risks that matter to the enterprise as a whole.
But, let’s not forget that we need to be providing assurance on whether management has the right controls to address those sources of risk and whether they are operating effectively.
A survey or other assessment of the current state, whether of culture or something else, seems to have value.
But it is transitory value. It is an assessment at a point in time. Time marches on and how do we know the conditions we found don’t change as well?
Similarly, there’s a lot of talk about using data analytics as an audit tool to identify potential problems. It also appears to have value. But does that value last?
Years ago, there was a healthy debate on how to audit environmental compliance (the debate may continue, I don’t know).
The two sides to the debate were:
- Perform an audit that assesses the current state of compliance
- Perform an audit that assesses whether management has a system of internal control that provides reasonable assurance of compliance
I was and remain very firmly in the second camp.
Not only does this avoid having to express an opinion as to whether the organization is in compliance or not (consider the problem if they are not in compliance), but our work has continuing value.
I feel the same way when it comes to auditing culture, cyber, governance, or any other source of enterprise risk.
Help management fish for a lifetime (we can but hope) rather than feed them fish for a day.
- Does management understand the culture existing within and across the enterprise?
- Do they know whether it is consistent with what they need (whether it be risk-taking, ethics, compliance, teamwork, customer orientation, or any other dimension)?
- How do they know when it changes?
- Do they have adequate controls to ensure the above and then to take actions as necessary?
The same concern applies to data analytics used by internal audit to find issues.
Unless it is part of a fraud investigation assigned by the board to internal audit, I would prefer to have management detect issues and audit assess whether those detective controls are adequate. Internal audit should not be performing controls. They should be auditing the controls.
What do you think?
Do you share my view that the drumbeat for internal audit to use analytics to find issues is taking us in the wrong direction?
Do you agree that internal audit should not directly assess culture but instead audit how management ensures an appropriate culture?
I welcome your comments.