One of the most powerful words for an auditor is one of the shortest: “why”.
We should always ask an individual performing a control why they are doing it.
Even if we know why, if the individual doesn’t know why that can affect their ability to perform the control properly, on a consistent basis.
If their answer surprises us, it’s an explanation that is different from our understanding, it should be a learning opportunity – for us as well as them.
We should never accept an answer of “because they told me to do it this way,” or “because that’s the way we have always done it.”
Yet, when I ask internal auditors why they do things the way they do, I get those answers:
- Because that’s the way we have always tested a control.
- Because the IIA Standards tell us to.
- Because the regulators require it.
- Because the external auditors require it.
- Because the audit committee expects us to.
- Because my manager told me to do it.
- Because that’s the way it was done last year.
- Because it’s in the audit plan.
- Because it’s in the audit program.
- Because I heard it was required at an IIA conference.
- Because it’s accepted “best practice”.
- Because it’s in the budget.
- I don’t know.
None of these are good answers.
None of them will survive further investigation.
For example, the IIA Standards do…
