
Share My Pain… December 18, 2010

Posted by Audit Monkey in The Joy & Pain of Internal Audit.

By popular demand, a post regarding the joys and pain of Internal Auditing.

First a little revelation to set the scene. Audit Monkey’s period of unemployment recently came to an end and I’ve been temping in the back of beyond. The pre-employment bureaucracy has beggared belief. While I have no objection to supplying documentation for money laundering purposes, the agency performing the checks also wanted a personal reference.

“Oh please”, everyone knows that employers do not supply personal references, as if the former employee proves to be a doughnut at their new employer, a nasty Court action for false representation may ensue, no pun intended.

Pre-employment checks complete, I’ve got to see how another Internal Audit Department operates and as Steve Tyler (he of Aerosmith fame) would say, “imagine my surprise!”

Audit Monkey was asked to complete the audit testing for one review. One would think this would be an easy task but alas, no. The planning was incomplete. Not all the actual controls and processes were documented. So when notionally I was supposed to be testing, I was actually documenting the system so I could then audit it! Yet other controls were over-documented, with superfluous supporting examples on file and I had to try to decipher what was and wasn’t relevant.

Worse still, due to the lack of documentation on actual controls, several of the test schedules were written based on assumptions (sic) about how certain processes and systems may operate. As a consequence, some of the tests I was supposed to complete were irrelevant but time was wasted trying to arrange testing, meeting the point of contact, only to discover that I’ve been led up a blind alley.

The other bind has been the use of audit checklists. I’m not keen on the use of audit checklists in the planning process because I think checklists are no substitute for independent thought and reasoning. If an auditor has to be reminded or prompted to look at the Risk Register for relevant risks during the planning process for a review, then in my book you shouldn’t be auditing.

If the checklists were simple ‘yes, no or n/a’ questions, I would mind but on this occasion, these were of ‘Gibbon-esque’ proportions. Again, time was spent obtaining supporting documents to fulfill the checklist requirements (which in all reality wouldn’t be looked at in any great depth because with experience, you know what the usual risks and howlers will be for certain processes) when I could have progressed with the real job of auditing. I reckon I’m going to encounter ‘checklist hell’ in the New Year and it isn’t going to be a harmonious relationship.

I could mention other items which frustrated me, like the client changing their mind on the specific areas to be reviewed but there you go. Anyone reading this is probably thinking “why didn’t you mention any of your problems to the client?” I did to a certain extent but I think they wanted things doing their way and no deviation.

You can probably guess that this episode in Audit Monkey’s life didn’t have a happy ending and I don’t think it is over just yet.

Comments»

1. ITauditSecurity - December 19, 2010

AuditMonkey,
Cheers for the monkey! Hopefully you’ll have more to write about now.

I loved the pun. Had to reread to find it, which makes it even funnier. Which is why, of course, one says “no pun intended” so that small minds like mine, which miss it initially, can return to the scene of the rhyme and enjoy it.

My last couple of audits were very similar, with more time spent documenting than auditing. In one audit, the number of key controls dropped by half by the time I was done, even though the group responsible for the controls had reviewed the controls TWICE at my request to ensure it was accurate and ready to test. Well, 2 months later, it’s ready. I can’t wait to send them the bill.

What I really struggle with is how some audit departments document the findings in 4 different formats, all slightly different, so every time there’s a change, it ripples through the audit until a tsunami wave of changes appears, destroying hours of work in an instant.

I’m not against slicing and dicing the data to different audiences, but let’s agree on the findings and how they should be presented, what the mitigating (or is that irritating) controls are, and how severe the issue is BEFORE we package it in 4 different flavors, none of which will be palatable to anyone.

At that point I remind myself I’m paid for every hour of it, so I’ll endure.

Congrats again, good monkey!

2. Audit Monkey - December 19, 2010

One comment in reply which springs to mind. One of the reasons why I was pleased to be made redundant from my previous permanent job was the new Head of Audit was into documenting every fart that flew. There is no need. Documentation does not equal good work or good practice.

