SUPPORT CENTER
Q&A 1st Qtr 2000

DATE:   03/31/2000

QUESTION:  My team members don’t take the TSO’s seriously. We complete them at the end of the audit. Any thoughts to help me?

ANSWER: Assuming that you are using RBIA as designed, this practice blatantly states that the auditors on your team are manipulating your performance metrics. Since the Audit Executive is a member of the teams and cannot be disconnected from them, the Audit Executive is condoning this practice. Since the Audit Executive is also a member of the audit leadership team of your department, you have a serious ethics issue in your department.

I’m sorry, but I do not know how to solve this problem at your level. My only advice is for you to think about leaving the audit group. You cannot win in an audit department of unethical people.


DATE:  03/29/2000

QUESTION:  By attempting to help our executives "move the ball forward" (Peter’s words!), our public accounting firm auditors have made a statement to the audit committee that we are not independent. What are your thoughts?

ANSWER:  Neither are they. A recent bombshell disclosed that 80% of the partners in one public accounting firm owned stock in the companies that they audited! The business world laughs at their claims of "independence" - they are paying the same firms millions of dollars to build the processes and systems that their audit work relies on!

The vice presidents in most companies equate the audit world’s "independence" to "no skin in the game". Most executives do not pay any attention to people who have no skin in the game. You work for the executives, your success is tied to their success, your retirement and rewards are linked to the company’s success, your career is controlled by them and they can out source you if you don’t add any value. There is no way that you are "independent". Focus your energies on applying the RBIA concepts of helping your audit customers be successful - i.e., help them move the ball forward.

Don’t push the concept of "independence". The public accounting firms have created too much collateral damage around the independence concept. Instead, focus very heavily on the concepts of "objectivity", a "healthy dose of skepticism" and the critical RBIA concept of "evidence to the standard of proof". Let the theoreticians on the sidelines argue about "independence".


DATE:   03/22/2000

QUESTION:  Is it inappropriate to describe the Audit Executive's role on a self-directed audit work team as a role of leadership where she has the authority to make or impose decisions for the team when appropriate? Or does this explicit leadership role undermine the role of the self-directed work team?

ANSWER:  The Audit Executive is a member of the General Auditor's  leadership team of the audit department.  In this role they are leaders of the audit department.    Their title automatically places them in the role of a "leader" - of the department and of their teams.

Audit Executives are also members of each team in their own right.  This role places them in the same position as any other team member on a self-directed work team.   They are accountable, with everyone else, for the quality of the end product as measured by the team's TSOs.  They should do whatever they can to help their teams be successful - just as any team member would.

Please recognize that RBIA Audit Executives have significantly more duties than SME team members -  they simply do not have the time to participate in every team as much as they would like - they have to allocate their time on the basis of how comfortable they are with the SMEs on each team and the sensitivity of the risks being audited.

The issue is how do Audit Executives behave on their self-directed teams and how does the team react to them.  Remember that appointing a "team leader" is a contradiction in terms on a self-directed work team.  Remember also that "leadership" will automatically arise on any team - you cannot suppress leadership.

Therefore, I would expect the Audit Executive to exhibit leadership when it is appropriate for them to do so, just as I would expect each SME on the team to exhibit leadership when it is appropriate for him/her to do so.

Some examples where the Audit Executive would exhibit leadership would be in providing 1) input to the team regarding Vice President's interactions and executive level corporate politics,  2) input on any issue where the Audit Executive is a SME in their own right, 3) help to a team that is struggling.  None of the above violates the concept of self-directed work teams.

What does violate the concept is situations where the Audit Executives start telling everyone on the teams what to do - perhaps because SME's are waiting to be told what to do!  If this happens, you are back in the hierarchy.  Audit Executives simply don't have the time to do that as well as all their other functions. 

Audit Executives also have two other equally important roles on teams.  First, just like any other team member, they should do whatever is necessary - grunt work not excluded - to help their teams meet their TSOs.  Secondly, if the team becomes so dysfunctional and irrational that an audit department commitment to a Vice President in the company has no hope of being met, it is appropriate that they step in and start directing and commanding activities in order to meet the commitment.  This is a serious situation.  You would have a serious personnel problem in the department if this happens.  The General Auditor should be involved and personnel changed out.  It is an admission that someone is too hung up on status and roles and doesn't want to work on teams.

An Audit Executive is NOT a traditional "Audit Manager".  Audit Managers manage audits.  They focus inwardly on their audits.  Audit Executives manage relationships with Vice Presidents.  They focus out in the business where the risks are.  Don't confuse the two concepts or try to equate them.


DATE:  03/09/2000

QUESTION:  I am doing an essay on statistics used in auditing and am having problems coming up with advantages to using statistical sampling in auditing, apart from the fact that it is much cheaper to sample than to test the whole population.  I was wondering if you could help me by telling me why you use statistical sampling in auditing.  Any information would be much appreciated (note...I have found there to be variable sampling, attribute sampling, and dollar-value sampling).  Thank you.

ANSWER:  If you are reviewing electronic transactions or records, it is not cheaper to take a sample. It is easier to write a program to look at 100 percent. It is also safer since you avoid the need to make an inference.

Statistical sampling is dangerous and I have seen a lot of auditors burned from its use. It works in the public accounting world where their role is to make an inference about a financial account balance that management has presented to them. They use statistical sampling to make an inference about the validity of that balance, all the time knowing that they are not guaranteeing the accuracy. Public accounting attest statements typically contain wording such as "fairly represents, in all material respects..." Materiality is defined as being plus or minus 5%. In large corporations, you can bury a space shuttle launch within 5% of their asset balance!

If you are auditing business risks, you can get into big trouble with statistical sampling since you are not protected by the "materiality" of your opinion. We always try to look at 100 percent if the data is electronic. If you cannot get to 100 percent electronically, and have no choice but to use statistical sampling, we strongly suggest that auditors utilize the services of their company’s in house statistician. Most auditors do not have the level of statistical knowledge needed to be on safe territory when it comes to using statistical sampling to assess risks, especially if the area is politically sensitive.

Your focus should not be solely on statistical sampling. It should be on the evidence to the standard of proof needed to have your findings and observations accepted by the vice presidents of the area that you are auditing. This may involve a level of testing effort far greater than what statistical sampling can provide.

QUESTION:   Can I rely on an edit program to provide Accuracy of Input controls?

ANSWER: "Edit" is a very dangerous word in control language. Don’t automatically jump to any conclusion based on an edit unless you do the following:

1) Identify the business risks that you are dealing with, and the limits of risk which governance is prepared to accept. This will lead you to identify the significant data elements that must be accurately captured by the system. If these data elements are wrong, you will not have the integrity of the data that you need to manage the process. An edit program is a tool to help ensure the integrity of those data elements.

2) Are the significant data elements that you identified being edited? Which specific edits are applied to each data element? Is this enough?

3) As an auditor, you have to actually test that the edits are currently in place and working. You cannot rely on system documentation - it may not be current.

4) What manual procedure is working with the edit program (program procedure) to investigate and correct the edit rejects?

Remember that before you can say that any control is adequate, you must understand the business risk and the limits of risk that you are dealing with. You cannot understand the business risk until you understand the business objectives that you are trying to accomplish.


DATE:  2/29/2000

QUESTION: Our public accountants won’t accept RBIA. Any suggestions?

ANSWER: They are playing games. What your public accounting firm likes or dislikes about the way you do internal auditing is irrelevant. They do not pay your salary. It is critically important, however, that the vice presidents of your company and your audit committee are very satisfied with the way you do internal auditing.

Remember that your public accounting firm has a very narrow, specific focus dictated by laws which were passed in 1933 and 1934. Their function and the way they do things is not focused on the concept of value. Their existence is protected by SEC regulations. You are an overhead cost function. Your only protection is the consistent delivery of value greater than cost to the people who control the destiny of your company - your vice presidents. RBIA is designed around value, not regulation.

If your public accounting firm requests that you do specific things in order to offset their fee, etc, your General Auditor needs to make a business decision concerning this. Where you are performing such tasks to offset fees, etc., it is appropriate for you to comply with the way they want it done for those specific tasks. Make sure that your vice presidents understand the difference between the value added concepts of your internal audit work and the SEC regulation mandated work you are doing for the public accounting firm.


DATE:  02/21/2000

QUESTION:  What do you recommend as the best size for an audit?  We are having a lot of trouble meeting our date commitments on our TSOs?

ANSWER:  Sounds like your audits are too big.  Try breaking them down into 200-300 hour audits.  Use the RBIA Management Control Structure Tool before you start doing a whole lot of audit work at the Performance level. 

It is easier, and builds confidence faster, to meet objectives on smaller projects - than on huge ones.


DATE:  01/20/00

QUESTION:  Our audit managers don't document anything.  When they meet with senior people in our firm, they do not produce interview notes.  Is this OK at their level?

ANSWER: No.  Interview notes with senior managers are part of the audit documentation.  The absence of such interview notes impacts the team's competent and sufficient evidential matter requirement.  This is a problem for the General Auditor to address.  It also sounds like the audit managers are not fully engaged members of your teams. 

Please recognize that there are some issues that may not be appropriate to document.


DATE:  01/13/00

QUESTION:  I am involved in what could be called a "discovery" audit.  The audit customer has framed the audit objective as:  determining how a 3rd party manages our production volumes, then assess risks.  Preliminary in-house telcoms suggests that at least 4 internal depts (located in different areas around the country) have some duties in watching how this outside party manages our production volumes.  Internal Governance will need to be audited in addition to auditing the transactions of the outside party.  How do I use the RBIA process to manage this internal/external audit without spending a large amount of time?  It is clear to me that the combined knowledge of the internal auditees is insufficient to flesh out all risks and issues.

ANSWER: This is a perfect audit for RBIA. It can be done in stages (audits) with the first one being very inexpensive. Your initial focus (audit) should not be trying to make assessments of governance, or attempting to analyze volumes at the detailed level. I suggest that you start at the MANAGEMENT level and identify the person - VP level - responsible for the relationship with the third party vendor. In discussion with this executive, obtain their sense as to where they see the risks with the vendor being.

Then ask their management team what their process is to manage those risks, i.e., identify and test the Management Control Structure. You may find that management has those third party risks under control and there is no more value for the cost of going any further (given your scarce audit resources). Report and stop the audit.

Experience tells me, however, that third party vendor arrangements are not managed well, especially if they transcend organizational boundaries, since any one department manager will assume that managers in other departments are taking care of the relationship. By default, no one is and problems start occurring. The response of "I rely on internal audit to tell me" is all the evidence that you need to confirm that no one is managing the relationship effectively. Management is responsible for controls. Management is responsible for establishing and ongoing monitoring of controls over third party vendor relationships. This Management Control Structure audit fits perfectly with your "discovery audit" thinking.

If you receive the above response and confirm that there is no Management Control Structure in place, your Audit Executive and V.P. have the following options to pursue:

  • Partner with the V.P.’s management team (consulting project) to establish a Management Control Structure - this will involve you in the governance issues.
  • Do a separate audit at the detailed PERFORMANCE level to determine how bad it is - bearing in mind that this audit will likely be costly. At this stage, you may need to obtain some temporary subject matter expertise to help your team given your comments about the combined knowledge of the internal auditees.

Some statements in your question I would like to address:

  • "The audit customer has framed the audit objective as" - The "audit customer" should be at a V.P. level. Even so, they don’t frame audit objectives - it is a joint decision between the V.P. and the Audit Executive.
  • "Audit objective" - there are no audit objectives in RBIA - they are replaced by Team Success Objectives.

DATE:  1/10/00

QUESTION: Can I do an audit without identifying a specific Audit Customer?

ANSWER: No. This implies that audit is auditing what audit wants to audit. Your scarce audit resources should be allocated to addressing issues and risks that threaten the ability of someone in the company to meet their business objectives, i.e., be successful. Even if a request for an audit comes from an outside party, e.g., regulators, external auditors, etc., you should identify a V.P./officer level customer responsible for the issues/risks which you are addressing.

 

 

RBIA™ and PGRM™ Osterio, Inc. All rights reserved worldwide.

Updated: February 2, 2007