A Simple Test for Your Internal Auditors


July 4th always brings me fond memories of Peter Osterio, our founder. Peter was an Australian who moved to the USA as an adult and became a naturalized citizen. He had very strong feelings about being a US citizen. He often said he would pay for a one way airline ticket to anywhere in the world for anyone who didn’t appreciate the opportunities and freedoms the United States offered its people.

While going through the company archives, I found an article written by Peter over six years ago. It is a good test internal auditors should take periodically to assure they are adding value. I hope you enjoy it.

God Bless America and Peter Osterio!

Liz Meyers, CPA, Lead Instructor

A Simple Test For Your Internal Audit Department

 by Peter Osterio, March 2005

Try this simple test to determine how effective your internal audit department is, especially if your company is in a cost reduction mode in order to compete.  Add up the number of audit report recommendations your team has made to eliminate over control and reduce excessive cost.  If the answer is zero, or every audit report has recommendations to add additional controls, your internal audit department is strategically positioning itself on the wrong side of business realities.  Sadly, traditional internal control and internal audit approaches are unable to deal with over control situations.  They are derived from the government mandated, public accounting approach that is based on billable hours.  Billable hours by definition adds cost.  There is no basis on which to reduce costs.  Companies must reduce costs to survive in the current marketplace.

For a second test, look at every audit report finding and recommendation and put the words “So What?” next to each one.  Is there a clear linkage between a recommendation to improve controls (increase costs) and a specific business objective?  Is there a clear linkage between the amount and cost of the recommended control and amount (limits) of risk that Governance level of the company is prepared to take?

If not, there is a very real chance that the audit department is working on the basis of either “something went wrong, therefore, we need a control” or is simply following a checklist developed by some outside organization. The problem is that the people who produce the outside checklists are not responsible for your company’s survival in the marketplace.  Making control recommendations based on something went wrong…”telegraphs” how disconnected the audit function is from the realities of the business world.  Regardless of the quantity and quality of resources that a company has, things will always go wrong (risks) in the ultra competitive, constantly changing business world that we live in.

Be aware of audit groups that claim that they do not have to consider the business objectives.  Their argument is that the reality of the business world is management’s problem, not internal audit’s and that audit is independent.  This is silly.  Audit is an overhead cost and like all other overhead costs must conduct all its activities being cognizant of the realities of the market place the company competes in.

Our Risk Based Integrated AuditTM approach is specifically designed to work within the above realities of the business world.

Helpful Hint:  Put “So What?” next to every finding or recommendation on your audit report.  Make sure you can explain how your finding or recommendation will relate to accomplishing a specific business objective by keeping a specific risk within the limits approved by Governance.

“Advice is what we ask for when we already know the answer but wish we didn’t.”

–  Erica Jong

Link to the original newsletter article