Академический Документы
Профессиональный Документы
Культура Документы
Citrayudha Komaladi
From:
Sent:
To:
Subject:
Importance:
High
Internal Auditor
In 1513, Niccolo Machiavelli wrote in The Prince, "There is nothing more difficult to plan, more
doubtful of success, nor more dangerous to manage than the creation of a new system. For the
initiator has the enmity of all who would profit by the preservation of the old institution and merely
lukewarm defenders in those who would gain by the new one." In a very real sense, changes
proposed by an internal auditor are viewed in the same way as a new system.
Most organizations are not staffed and managed by Machiavellian conspirators. Instead, they are
typically composed of intelligent, well-intentioned individuals who are committed to seeing the
organization succeed. So how do internal auditors get these good people to embrace changes
recommended in the audit report?
Suppose you've put some effort into landscaping your front yard and take pride in its appearance.
Your neighbor, a representative from the homeowners association, comes to your door and says the
yard falls below neighborhood standards. He also says he has put together a fertilizing, watering,
and maintenance schedule that, along with other suggested modifications, will bring the yard up to
standard. Like most people in this situation, you would likely resist the recommendations or perhaps
implement them grudgingly and do the bare minimum required to meet association guidelines.
By contrast, suppose this neighbor never knocks on your door to discuss the landscaping but instead
invites you to his house for a barbecue one weekend. While at the event, you compliment the
neighbor on his yard and say you wish yours were as lush as his. He tells you that his lawn grass
variety is the same as yours; the secret is in the fertilizer and watering schedule, which he happily
shares with you. In this scenario, would you be more inclined to follow his suggestions?
The success of audit reporting is determined largely by the attitude and specific approach with which
internal auditors carry out their duties. When handled appropriately, and with sufficient tact, the
reporting process can proceed as smoothly as a backyard barbecue. Five rules, in particular, can help
auditors not only achieve greater reporting effectiveness, but also bring about positive organizational
change.
5/25/2010 10:14 AM
Page 2 of 5
Page 3 of 5
understands that internal auditing has no choice but to do so. Auditors do have a choice, however, in
determining how reporting issues are framed.
When auditors find a significant effectiveness or efficiency issue, they must obtain agreement and
buy-in from the individuals who would implement recommended changes. Effectiveness issues are
not black or white. They pit the auditor's opinion of effectiveness against that of the client who does
the job day in and day out. If the auditors do not reach an agreement with the client but still want to
make a recommendation, they are forced to butt heads with personnel who are intimately involved
with the processes in question.
Pursuing effectiveness and efficiency issues aggressively with upper management typically results in
one of two possible outcomes. In the first scenario, the auditor accomplishes nothing because the
personnel doing the job every day possess more credibility on judgment calls than the auditor. From
then on, clients will likely be discouraged from cooperating with the internal auditors a side effect
that may well spread to other areas of the organization.
In the second scenario, the auditor wins the battle but loses the war. Although the auditor may be
able to convince management that a change is necessary for the good of the company, the clients
forced to implement this change may become hostile toward members of the audit department.
Clients will likely seek ways to prove the system change is unnecessary, unworkable, and
counterproductive. In the end, there is a strong likelihood they will return to their old methods and
procedures.
To avoid unnecessary, relationship-damaging conflict, internal auditors need to choose their battles
carefully. They must try to convince clients to recognize the wisdom of fixing problems identified
during the engagement. If these efforts fail, and the problems represent a serious control issue, the
auditors need to apologize for the stalemate and explain that they are obliged to report the problem
and the risk associated with it. If the issue is not control related, the auditors should let it go there
is no point in creating ill will when little upside potential exists. Internal auditing can still mention the
issue informally to management and discuss the benefits of making a change, but this discussion
should not be placed in the report. If managers see value in the idea, they will address it on their
own.
When auditors report a control weakness without reaching agreement with the client, they must
handle the report with care. They need to explain why the control is not in place and why those
running the process believe they should not implement the control. In many instances, resource
constraints prevent clients from responding to control needs. The auditor's job is to ensure that
management is aware of the deficiency and the risk associated with it, and explain both the severity
and likelihood of the risk as clearly as possible. Controls cost money, and management must decide
if it wants to spend that money or simply treat the risk as a cost of doing business.
Page 4 of 5
objective and keeping their work on a professional plane. Moreover, they must be sure to give clients
credit for their positive achievements, rather than only discussing problems or weaknesses.
The old homespun expression many of us learned from our mothers remains valid: "You catch more
flies with honey than with vinegar." A positive approach and positive language draw people into
dialogue; a negative approach usually results in walls erected to keep auditors and their new ideas at
a distance.
RULE 5: BE INFORMATIVE
To ensure clients read and clearly understand report content, internal auditors must pay close
attention to the document's substantive content and structure. Reportable issues need to be
developed fully and presented in a cogent manner. Moreover, audit reports need to be persuasive,
especially to readers who have not received any prior exposure to the audit.
The most effective, best-crafted audit reports are based on well-developed, detailed comments. To
ensure comments are informative and useful, internal auditors can follow the development criteria
found in Sawyer's Internal Auditing, 5th Edition, which cites five audit-comment elements:
The criteria are the rules, principles, or guides that lead the auditor to believe a problem may
exist. Auditors must have a clear understanding of criteria to articulate them to others.
The condition explains what's being done (i.e., the client's process), focusing only on the
facts. The description should be communicated clearly, without judgmental language.
The cause helps explain any deviations from the criteria and account for why these deviations
exist.
The effect answers the question, "So what?" That is, what are the potential consequences of
the condition? Without a cogent effect, the auditor has not established that a problem exists
and does not have a valid audit comment.
The recommendation describes the actions for management to consider. The internal auditors'
job is not just to "throw rocks" but to help find solutions. They must find an agreeable
solution to the condition, or an approach to finding a solution, to which all are parties are
willing to commit and follow.
Auditors should also consider a sixth element not covered in the Sawyer text the response.
Management needs to be comfortable with not only the ideas discussed but also with how those
ideas have been presented in the report. Responses give management an opportunity to provide
feedback on the report findings. Moreover, that feedback helps auditors gauge the effectiveness of
their work.
Each of these elements is essential to effective detailed audit comments neglecting to incorporate
any one of them will leave readers wondering why reported issues require change or whether the
changes suggested would lead to improvement. Detailed comments are the foundation for the
summary report to senior management and the audit committee, and internal auditors must keep
this audience in mind when drafting them. The summary should contain the auditor's conclusions
and opinion and convey the essence of the detailed comments. Auditors should keep the summary
brief, ensure the content is accurate, and focus on presenting solutions, not problems.
Page 5 of 5
When conducting their work, internal auditors need to remember that they are part of the
organizational team. Practitioners should approach each engagement with a cooperative mind-set
and continually seek ways to help other employees and make their jobs easier. They should
remember that, for many clients, auditing can be seen as an intrusive, disruptive process. After all,
internal audit work essentially boils down to walking into employees' personal workspace, looking
over their shoulder, and making value judgments on their performance. Any engagement can be an
intimating proposition for the audited group, and the power wielded by internal auditors should be
handled responsibly.
To obtain optimal results, auditors must conduct themselves in a way that encourages clients to see
them as a trusted counselor. As agents of positive change in the organization, auditors need to
become valued insiders not outsiders who cause others to put up their guard and resist
constructive change.
To comment on this article, e-mail the author at lawrence.deberry@theiia.org.
Internal Auditor
www.internalauditoronline.org
5/25/2010 10:14 AM