Are You Kidding Me?

A couple of years ago – when McLeod Governance had a couple of minutes to spare – we asked the following question on the LinkedIn Institute of Internal Auditors group page:

What is the one thing as an auditor that frustrates the hell out of you? 

I was trying to work out a list of usual and unique frustrations of being an auditor to better understand how we can engage with our stakeholders.

The conversation went on for nearly a year and there were over 130 contributors.

It was a fascinating insight into what it was to be an auditor.

So today McLeod Governance is shamelessly going to lift without credit to the original authors some of the answers provided.

Let’s we walk over the jagged bottles on the footpath of annoyance in the life of the auditor.

Here are some of the comments we received from LinkedIN

People thinking that all an internal auditor does is “compliance police.”

The biggest frustration for an I.A. is when his boss thinks (or says !!!) “You are here just because law mandates it, you are just a cost center, so try not to bother too much people that let this company survive and let your wage be earned”

When people believe the role of internal audit is to perform audits rather than provide assurance

When internal audit put independence ahead of effectiveness

When internal auditors say they must not review and consult on new initiatives, because it will impair their independence

When CAEs tout the effectiveness and world-class nature of their department because of all the money they save, but fail to assess risk management

When CAEs are complacent and stick their head in the sand instead of becoming the rock stars of change

I get tired of explaining to auditees that we are not overly concerned about the historical error made or who was responsible for it but that now it has been identified we are more interested in improving the controls to prevent it occurring again.

I love it when auditors complete an audit without considering IT. If there’s no IT then thats probably a recommendation in itself.

Biggest frustration is in having to explain what an Internal Auditor does. Does an Accountant, a Doctor, a Teacher, a Lawyer, a Policeman have to explain what they do? No!   So, why are we not getting our message across about what our profession does. As a profession, we need to promote ourselves more LOUDLY! Stand up, be controversial, speak out, get our leaders onto TV and in newspapers, represent and present, engage with political and business leadership, sell ourselves much better…all that pent up frustration is now out there!! Just fell off my soapbox!

My biggest frustration is: when auditees answer with the sentence “But we are doing the job in this way, like, since forever” This does not mean it is the right way! I hate when people are afraid of changes. Argh….

When the audit committee expects the auditors to put the plan in front of them with input from the business – and everyone is concentrating on the tier 1 stuff whilst nobody looks at tier 2 where the real risk lies because no one is looking at it, instead of the Audit Committee taking a cold hard look at where it considers the key risks to the entity to lie and engaging the auditors to provide assurance that those risks are managed – after all the AC are experienced senior managers who ‘should’ be expected to provide an external view on key risks that may be overlooked by internal management.

When the department is staffed excessively by people from the business who understand the business, but have little or no knowledge of fundamentals of internal auditing and are so prone to “group think” that the audit reports provide false assurance rather than independent, objective assurance.

When audit departments claim to perform in accordance to the IIA’s International Standards for the Professional Practice of Internal Auditing, but the majority of their staff have no idea what the Standards say or where to find them. Linked to this “group membership” of the IIA which appears to legitimize the claim, but with no requirement for the staff to undertake any IIA training or examinations.

When the auditor does the audit “because it’s on the plan”… but doesn’t understand why it’s on the plan and ‘why now’ is the right time and therefore cannot iterate those things coherently to the stakeholders.

When audit teams claim top quartile/world class performance on the basis of positive feedback from auditees who received good opinions, and KPIs that indicate prompt issue of reports, rather than being able to demonstrate positive effect on bottom line of having improved risk management, business efficiency and governance.

When auditors don’t understand that providing objective, independent assurance, “that effective governance is in place and ensuring that risks are managed according to a defined risk appetite”, to our stakeholders (the Audit Committee) is our remit, and instead tries to please the business.

When audit opinions are negotiated on the basis of “it’s better to give a positive opinion and get the business onside, than give a negative opinion and make enemies of them, because then they won’t co-operate with us next time around”.

When auditors/compliance checkers and internal self assessors perform ‘tick the box compliance’ reviews and claim to provide assurance, without considering whether or not compliance to a potentially “design ineffective” framework provides effective and efficient risk management.

When auditors confuse “consultation” with “facilitation” and thus claim that they cannot perform a value adding activity by coaching the business in the right direction and working with them real time on ensuring the right control framework goes in, rather than reviewing it after the fact and pointing out all the errors that shouldn’t have been made.

When people see internal audit as a stepping stone to a career, rather than a profession in it’s own right.

When an executive says” is this part of internal audit ?”

Having someone ask about adding to the scope (scope creep) once the audit is nearing completion — Good one, especially when the scope is reviewed several times prior.

Auditee’s resistance towards the Auditor when it comes to information sharing

After the audit has been finished and all findings have been addressed the auditee is asking: Am I in the good books now? ….

When a new manual or rulebook that comes out has an article stipulating that the Internal Audit is responsible for the monitoring/supervising of the implementation of the written procedures… And you tell them over and over again… People do not understand what we do…

Being perceived as a lesser evil from the external auditors or regulatory authorities…

People reading laws in a “creative” manner, often proceeding in grey areas of certain laws that can be interpreted as unethical or at times illegal

Auditees complaining on top management meetings (in rare cases, but going on for months after the final report is issued, usually by people with questionable moral and ethical values that see controls as an evil that will make them do more work) about the recommendations in the action plan, after having agreed to and signed the action plan…

Prioritizing output with little or no focus on controls, and presenting it as an extraordinary achievement…

When IA is more concerned about the theoretical controls rather than considering practical applicability and the comparative benefits of that control.

In a nutshell when IA creates more of a trouble than a benefit!!

When people who matter ask “What can an internal auditor bring to risk management?”

When clients (auditees) still stick to the ‘policeman’ image of an auditor, even as the auditor is trying her level best to transit to a more facilitative, risk-oriented approach (not an easy task in itself)

When management requisitions a ‘very important/prioritised’ audit project and then sits on the draft findings for months, not allowing finalisation

When internal audit is asked to demonstrate ‘value added’ by way of each penny saved/earned, instead of realising the importance of the core assurance role

When key people want to just skim through significant audit findings at fora, to ‘get it over with’ as quickly as possible, and then come back on the same issues asking “Where were you?”

In Summary

If that doesn’t stop you in your tracks and make you think about what it is to be an internal auditor, McLeod Governance is not sure what will.

Subscribe to Receive Our Email Updates

  • This field is for validation purposes and should be left unchanged.