Auditors provide assurance, advice and insight on the system of internal controls over the more significant risks to enterprise objectives.
Internal controls provide the basis, the foundation, on which management and the board rely as they manage and direct the organization to success.
The typical audit assesses and tests the controls over transactions and how they are originated and processed: their completeness, validity, accuracy and recording. We may also audit risk and governance practices, and how information and systems are protected.
But is that missing the boat?
Are we (and risk practitioners) failing to provide valuable assurance, advice and insight on what may be even more important to successfully achieving objectives?
Expanding the Audit Scope to Include Decision Making
Organizations succeed or fail as a result of the decisions they make.
Those decisions include:
- Defining the purpose of the organization, what it desires to accomplish over the longer-term
- Deciding what strategic goals and objectives should be set for the period, including how each member of the management team will be compensated
- Identifying the strategies that will enable them to achieve their objectives
- Managing the organization every day, making tactical decisions such as:
  - Who to hire
  - Who to fire
  - Sales prices for the organization’s products and services
  - Which vendor to select
  - When to purchase what, for delivery when, in what quantity
  - When to release a new product
  - How and when to implement new or updated technologies
  - Where to invest funds
  - At what level to set credit limits, derivative position limits, etc.
  - … and so on
When Grant Purdy, an individual for whom I have great respect, left his position as CRO at BHP Billiton, he entered the world of consulting.
He told me that he was frequently engaged to help an organization upgrade its risk management program. But when he met with management, he didn’t ask them about risk. Instead, he asked them how they made decisions. Very wise!
Internal auditors may identify, test and assess the internal controls over the information management has available (such as performance and risk reports) when they make decisions.
But we don’t usually ask how they use that information — if they use it at all.
I have seen surveys that say that most decision-makers not only don’t use all the valuable and relevant information that is available, they don’t even know it exists.
This is what I suggest:
- When you are conducting an audit, ask the manager how they make their decisions — such as which vendor to use, which staff to assign to a project, or which price and contract terms to negotiate.
- Ask them whether they have all the information they need to make an informed and intelligent decision. Do they involve others who might be affected by their decision or have useful information that should be considered?
- Review that information and consider whether there are adequate controls over its:
  - Completeness
  - Accuracy
  - Currency
- See whether management is actually using the available useful information to make their decisions.
While I don’t recommend second-guessing the manager’s decision, consider whether it was reasonable given the circumstances (the business need, the time available to decide, who was available to provide additional perspectives, whether the manager had the authority to make the decision, and so on) and the relevant information.
In other words, assess the controls around the major decision-making process. Do they provide reasonable assurance that informed and intelligent decisions are made, taking the right level of the right risks to achieve enterprise objectives?
It’s still risk-based auditing, but instead of only auditing the controls over transactions, you audit the controls over major decision-making. You audit the controls over the risk of poor decisions.
If we only audit controls over transactions and processes (including their protection), we may be missing the boat!
What do you think?