Lazy auditors | Norman Marks on Governance, Risk Management, and Audit


Internal auditors don’t always have to work harder than others, but I do want them to work smart.

I have seen what I would consider lazy practices over the years and more recently in comments on LinkedIn.

Here are some examples:

  • “Give me a checklist or audit program that I can use.”

This is lazy because the scope and audit approach for every audit need to be refined every time to address what matters today and will matter tomorrow, rather than what mattered in the past. Assuming (and we know what that means) that the individual who developed the program in the past has it right for today is lazy.

It is especially lazy when it is a document downloaded from the internet or passed to you by somebody in a different company.

Use it as a basis for your own work, perhaps, removing and adding tasks as needed – after thinking it through carefully. But it is usually better to start with a blank sheet and an understanding of the risks that matter and the controls in place to address them. Only then, perhaps, use somebody else’s work to challenge yours.


  • “This is true because the standard/framework/book says it is.”

It is so much better to think for yourself. I have seen LinkedIn comments saying that something is necessary or true because this or that standard says so. Well, sorry, but you need to…
