Traditional Auditing is good but not sufficient
Traditional internal audit methods and approaches may have yielded reasonably good results for decades after management discovered and instituted the internal auditing function. Increased complexity, unimaginable scale and breath-taking speed of doing business left the internal auditor using only traditional tools gasping for breath. The internal auditor reinvented himself by adopting sampling methodology, computer assisted testing, analytics to screen massive data, trend analysis and more. However, with growing human ingenuity and greed, it may be increasingly difficult for the internal audit fraternity to deliver internal audit output that matches expectations of stakeholders and society at large using the present suite of audit procedures. The human ingenuity in breaking through the myriads of controls ethically or unethically, with the objective of merely challenging the system or defrauding the organization, has thrown up unprecedented challenges for the management and the internal auditors.
In India, the currency notes and coins made way for electronic payments and now the electronic payments may be fast replaced by the Retail Digital Rupee recently introduced by the RBI – just imagine, if the internal auditor still believes in counting cash by physical verification of currency?? We have also seen the typed hand-delivered postal letters being replaced by faxes and emails and now by sharing of scanned images over WhatsApp – can the internal auditor still rely on the paper trail and neatly filed physical documents in these times of seamless electronic exchanges and digital trails?
Through this blog, I wish to share some of the unconventional methods derived from lateral adaptation that are fit to be added to the internal auditor’s toolkit – these require creativity, are easy to implement and are sure to add excitement within the IA team as also deliver delight to the key stakeholders. Be it blunders or plunders, these methods will help in uncovering some of them, with minimal efforts.
Need to look beyond
Management and auditors alike cannot regulate human behaviour and books of accounts don’t reflect human emotions and behaviour. Regulations and policies are made with the intent of regulating human behaviour and cultivating ethical culture in the organization, however, situations, control deficiencies and circumstances create exceptions and opportunities to commit unintended blunders or even frauds. Auditors form their insights and opinions based on information reviewed and made available from the records maintained by the management. If they go beyond the books of accounts and standard audit procedures, they may discover additional facts and information that be valuable for their opinion making.
Risk Assessments have limitations
One of the most significant tools in the auditing evolution has been Risk Assessments. Stakeholders and auditors, alike, realised that 100% transaction auditing is not a robust solution, so contemporary audit methods lay emphasis on risk assessments and risk-based approaches to narrow down on vulnerable areas thereby providing early warning alerts to the Board and Audit Committees on what can go wrong; however, they have limitations in the form of management and auditor’s ability to anticipate all critical risk factors impacting the organization. If the risk assessment is not comprehensive and creative, Boards and Audit Committees may err even more in case of un-predictable human behaviour.
Combining market research techniques with internal audit activities
There is no full proof auditing approach, however, internal auditors should be empowered by the Boards to go beyond the books, records, and pre-set templatized auditing approaches. Internal Auditors also have the responsibility to seek due authorization to use innovative techniques beyond the standard audit procedures to supplement the quality of audit findings.
Introducing customized mystery reviews, target surveys, scenario play, and snap checks would be good auditing supplements that may provide meaningful insights to auditors and management on the behaviour of people. Mystery reviews, target surveys and snap checks have the potential to unearth deep rooted cultural and behavioural issues that may go unnoticed for several years. If management empowers the internal auditors to carry out such reviews in addition to the popular auditing methods, they will provide auditors with the opportunity to first-hand experience process, products, and services from a customer/ employee perspective, better known as reality check!!!
Author has used mystery reviews successfully as part of internal auditing activities to discover behavioural outliers. Procurement is one of the most vulnerable processes in any organization and mystery vendor visits help discover behavioural patterns of buyers. Targeted surveys of exited employees provide very good governance insights that are so difficult to identify in business-as-usual auditing situations. Decoy customer visits unravels several customer service facts that may not be imagined in a risk assessment matrix.
Combining internal auditing with market research techniques would provide a great combination to improve the overall audit output. While fraudsters have no boundaries, can auditors be bound by templatized audit approaches?
@Managements -Empower your internal auditors, to go beyond the mandated auditing boundaries!
@Internal Auditors – discover new techniques and tools to enhance audit quality and be ready to challenge the mandated boundaries!!
Internal Auditing – Venturing beyond mandated boundaries
P.S. Have you fastened your seat belt?
Organising BCAS RRC – Learnings for Internal Audit
A bag full of ideas… An Internal Auditor’s journey
Internal Audit: A Case for Advocacy