
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 2 Minutes Read May 9, 2018

Don’t forget to audit controls!

Auditing controls ensures that management can detect issues and that the detective controls used are adequate.
There’s a lot of talk about auditing culture and other significant sources of risk.
I am all for focusing our audit plan on the risks that matter to the enterprise as a whole.
But, let’s not forget that we need to be providing assurance on whether management has the right controls to address those sources of risk and whether they are operating effectively.
A survey or other assessment of the current state, whether of culture or something else, seems to have value.
But it is transitory value. It is an assessment at a point in time. Time marches on and how do we know the conditions we found don’t change as well?
Similarly, there’s a lot of talk about using data analytics as an audit tool to identify potential problems. It also appears to have value. But does that value last?
Years ago, there was a healthy debate on how to audit environmental compliance (the debate may continue, I don’t know).
The two sides to the debate were:

  • Perform an audit that assesses the current state of compliance
  • Perform an audit that assesses whether management has a system of internal control that provides reasonable assurance of compliance

I was and remain very firmly in the second camp.
Not only does this avoid having to express an opinion as to whether the organization is in compliance or not (consider the problem if they are not in compliance), but our work has continuing value.
I feel the same way when it comes to auditing culture, cyber, governance, or any other source of enterprise risk.
Help management fish for a lifetime (we can but hope) rather than feed them fish for a day.

  • Does management understand the culture existing within and across the enterprise?
  • Do they know whether it is consistent with what they need (whether it be risk-taking, ethics, compliance, teamwork, customer orientation, or any other dimension)?
  • How do they know when it changes?
  • Do they have adequate controls to ensure the above and then to take actions as necessary?

The same concern applies to data analytics used by internal audit to find issues.
Unless it is part of a fraud investigation assigned by the board to internal audit, I would prefer to have management detect issues and audit assess whether those detective controls are adequate. Internal audit should not be performing controls. They should be auditing the controls.
What do you think?
Do you share my view that the drumbeat for internal audit to use analytics to find issues is taking us in the wrong direction?
Do you agree that internal audit should not directly assess culture but instead audit how management ensures an appropriate culture?
I welcome your comments.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Privacy / assessing risks, audit controls, business objectives, culture, duty of the audit team, fraud, risk to objectives, risks
