A survey targeting internal auditors in the US that was recently conducted by the MIS|TI training institute [LINK] turns out some partially disappointing results but the survey's conclusions aren't entirely unexpected. Before leaping into what auditors are doing, the survey also probed what auditors believe are the most critical skills they should possess to be effective at their work:
50% of all auditors see communication skills as a core skill auditors should possess, narrowly followed up with 49% ranking critical thinking as a vital attribute, which ranked as far more important than business knowledge struggling to acquire more than 29% of voters interest.
To make it as an auditor, auditors believe you need to be a critical thinker who can communicate. When it comes to actually doing the work, 91% of auditors claim to perform an assessment before launching into an audit but only a few (around 15%) are adjusting the focus of their audits towards material threats. Less than 42% plan to use analytics in their audits and fewer than 14% will be auditing corporate culture.
2017 Internal Audit Priorities | MIS Survey [LINK]
None of this is too surprising as it is a well known phenomena that audit techniques designed from the Risk Based Audit domain are only bedded down in a handful of audit practices.
The Institute of Internal Auditors has been attempting to encourage auditors across the planet to engage in Risk Based Audit methods for some time now [LINK] but technical problems often persist when auditors try to perform either the risk assessment exercises or when they attempt to integrate the 1st, 2nd and 3rd line of defense so that information about risks flow in a uniform manner between the silos of risk management.
One of the biggest complaints auditors voice and it featured in this survey as well, goes along the following lines:
"Those risk assessment processes can be resource-intensive in and of themselves, generally involving surveys, face to face interviews and data analysis over the course of months" ... "Trying to stay close to business risks can also mean frequent audit plan revisions over the course of a business year"
I have the following take on such complaints. There is an initial 'time cost' when new practices are introduced into just about anything, including novel audit methods but there is another way of looking at this. This time or resource cost should be seen as an investment, not a burden and while such work will inevitably extend the audit duration when practices are first introduced, future audits will become more efficient and effective. Materially aligning any audit to the real challenges or risks a business unit faces will deliver higher quality audit results overtime and as auditors become more familiar with the risk assessment techniques, these benefits generally occur for less effort.
Investors, strategists and auditors should all be familiar with the concept that most shortcuts in life come bundled with a compromise and in that sense, you won't improve the quality of your audit without investing into the practice.
I would like to give credit to Norman Marks for his published comments on "do internal audit departments focus on what matters" [LINK]. I follow Norman Marks often and find his blog postings particularly interesting, on the mark and informative. In respects to his recent commentary, I have yet to read it in the context of this article because I wanted to publish my own thoughts first before being affected by his opinion. Now that I am published here, I am going to shoot back and peruse his posting in detail.