Creativity is the use of imagination or original ideas, but it’s not that important for internal auditing. After all, the main things auditors have to do are know the rules that set the criteria for review, check transactions and business activities to see if people and systems are doing what the criteria require, and document discrepancies. Since the criteria are set by management, they are indisputable, and compliance with regulations is non-negotiable. Accounting and financial reporting rules are not negotiable either, and internal auditors don’t write the rules; they make sure the rules are enforced. So little room for creativity or original ideas, right? Wrong!
Business dynamics are changing rapidly, and internal auditors must realize that the criteria (i.e., what constitutes “the expected practice”) are often changing. How audits are performed, how results are communicated, what recommendations are appropriate, and the timeline for remediation are often changing too. Internal auditors must change, adapt, and be responsive. But how?
Creativity (or artistry) and auditing have been seen for too long as mutually exclusive. An artistic auditor, accountant, or compliance officer was considered an oxymoron! That is no longer the case.
Creativity in internal audit can be applied in every phase of the internal audit cycle.
Defining the Scope
Historically, auditing was done one fiscal year at a time. That was the legacy of external audit, which signs off on financial statements at year-end. Some reviews were even shorter: only one quarter’s worth of transactions, to verify that some financial controls were operating as expected. In internal audit it is becoming increasingly apparent that operational risks, and certainly strategic risks, are not limited to three- or twelve-month cycles, so creativity and open-mindedness are useful to determine what is in, and what is out, of scope. Consider the following examples:
- The increase in accidents at the factory could be due to lax training that originated when the company trainer retired 18 months ago and new hires since then have not received adequate workplace safety training.
- The higher employee turnover may have started two years ago when new managers stopped getting supervisory training, and performance evaluations were just filed away without being examined by anyone in Human Resources.
- Construction projects and IT development initiatives started running into significant cost overruns, delivering late and being prone to shoddy workmanship four years ago when progress reports became optional, project managers were assigned based on availability rather than fit for the project, and budgets were assigned based on political clout, not documented need.
Developing the Testing Procedures
Instead of downloading a checklist, or merely replicating prior internal audit programs, internal auditors should brainstorm what procedures would help answer the fundamental questions:
- What are the objectives of the area being audited and are they being achieved efficiently, effectively and economically?
- How do we know if all the relevant risks, including fraud, IT and security-related, have been identified and mitigated appropriately by the related controls?
- Sampling or 100 percent testing: Internal auditors historically chose samples to review transactions, but in an increasingly digitized world, why not look at the entire population? Are the tests performed to see if objectives are being achieved and verify the risks are not materializing (including the risk of fraud), or is it just to perform a control-based audit that confirms the control is being performed regularly? Testing the entire population can provide deeper insights than a sample can, especially if the sample is not statistical. It is best to be creative when selecting the data and the most effective analytical procedures.
- When there is a problem in a sample, identify what is unique to all those items and examine that triggering event. It may also be helpful to pull all transactions with that same characteristic (time of day, shift, operator, vendor, or customer) to see how big the problem is. This quantification is also helpful to make the finding more persuasive and build a business case that is more compelling for action.
- Root cause analysis. Internal auditors should avail themselves of the many tools available for root cause analysis, so they avoid the “this is broken, fix it” approach to writing audit findings. The 5 Whys, Cause and Effect Diagram, Is-Is Not Method, and Affinity Diagrams are all effective tools for root cause analysis that promote creativity and can be used individually or as a group.
- Is the department still writing text-heavy, jargon-laden, clumsy-sounding reports? When was the last time internal audit asked the audit committee if the reports meet their needs, or showed the audit committee different formats, including some with charts, graphs and figures? Internal auditors are increasingly being creative and revising the layout, format, tone and visual appeal of their reports.
Internal auditors can no longer approach situations from a binary perspective. The following are some binary-type questions and the limitations of such an approach:
- Did the document have a signature showing approval? Yes/No. Well, lots of documents are signed without a review. It is called rubber-stamping.
- Did they do a reconciliation? Yes/No. Many reconciliations are mathematically incorrect, but they look fine because “a plug” is made so it ties out.
- Did employees have an exit interview upon departure? Yes/No. Also important is asking why these individuals left. Would the departing employee consider returning? Did the person leave under duress? Notes are not always reviewed either, so sexual harassment and other workplace dysfunctions persist because they were not asked about, or were not acted upon even though they were disclosed.
- Is the amount accurate? Yes/No. Yes, but the purchases are unnecessary, and the purchased items were delivered to a non-company address anyway.
- Was the amount posted in the correct period? Yes/No. But was the amount reversed in the next or a subsequent period because the merchandise was defective or not requested, or because the contract was rescinded, indicating revenue manipulation?
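
The full-population testing and "pull everything with the same characteristic" steps described earlier, applied to the reversal question in the last bullet, can be sketched as follows. This is an added example, not part of the original article; the ledger rows, field names, and the use of calendar quarters as reporting periods are all assumptions made for illustration.

```python
from collections import Counter
from datetime import date

FIELDS = ("id", "customer", "operator", "posted", "amount", "reverses")
# Constructed sample ledger (illustrative, not real data). A negative amount
# with "reverses" set is a reversal of the named earlier entry.
ROWS = [
    ("T1", "C-100", "op_a", date(2023, 3, 30), 5000.0, None),
    ("T2", "C-200", "op_b", date(2023, 3, 15), 1200.0, None),
    ("T3", "C-100", "op_a", date(2023, 3, 31), 7500.0, None),
    ("T4", "C-300", "op_c", date(2023, 2, 10), 300.0, None),
    ("T5", "C-300", "op_c", date(2023, 2, 20), -300.0, "T4"),   # same quarter
    ("T6", "C-100", "op_a", date(2023, 4, 5), -5000.0, "T1"),   # next quarter
    ("T7", "C-100", "op_a", date(2023, 4, 6), -7500.0, "T3"),   # next quarter
    ("T8", "C-200", "op_a", date(2023, 6, 28), 900.0, None),
]
LEDGER = [dict(zip(FIELDS, row)) for row in ROWS]

def quarter(d):
    """Reporting period as (year, quarter); quarterly periods are an assumption."""
    return (d.year, (d.month - 1) // 3 + 1)

def reversed_later(ledger):
    """Full-population test: entries reversed in a later period than posted."""
    by_id = {t["id"]: t for t in ledger}
    flagged = []
    for t in ledger:
        original = by_id.get(t["reverses"])  # None for non-reversal rows
        if original and quarter(t["posted"]) > quarter(original["posted"]):
            flagged.append(original)
    return flagged

def concentration(flagged, ledger, key):
    """Per value of `key`: (flagged count, all original postings with that value)."""
    population = Counter(t[key] for t in ledger if t["reverses"] is None)
    hits = Counter(t[key] for t in flagged)
    return {value: (n, population[value]) for value, n in hits.items()}

if __name__ == "__main__":
    flagged = reversed_later(LEDGER)
    print("reversed in a later period:", [t["id"] for t in flagged])
    print("amount involved:", sum(t["amount"] for t in flagged))
    for key in ("operator", "customer"):
        print(key, concentration(flagged, LEDGER, key))
```

A same-period reversal such as T5 passes the test, while the two quarter-end postings reversed days into the next quarter are flagged and traced to a single customer and operator, which is the quantification the finding needs.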
Identifying present and emerging risks requires imagination. Finding innovative ways to examine risks within thousands or millions of transactions requires creativity. Looking for anomalous transactions that could indicate abuse or fraud by someone who knows the controls requires “thinking like a fraudster”. Envisioning patterns that correlate one event with another, and an action with its effects, requires visioning. Writing reports that convey the appropriate tone and capture the attention of the audit committee and senior management is an art. There is ample room for creativity in internal auditing, and embracing this approach will add value to every engagement.