SUPPORT CENTER
Q&A 1st Qtr 2002

DATE: 3/25/02

QUESTION: I have just joined an audit group from a project management position in the company. I attended a recent RBIA overview session that you did for an IIA chapter. Your concepts of costing out each audit and ensuring that there is commensurate value for the cost makes logical sense to me since this is how the business world operates. However, the auditors that I work with do not want to track the cost of their audits. They do not even want to complete time sheets nor account for how they spend their time. They say that auditors do not do this. Is this thought process common in the audit world?

ANSWER: Just like in society at large, there are internal auditors who do not believe that they are accountable for delivering value to their organization greater than the cost that they incur and will hide behind all kinds of audit theory to justify their position. They just commit to "do audits" but do not commit to delivering any specific value to the business, by a specific date nor for a specific cost.

Thankfully, these audit departments are slowly disappearing since the business world is becoming increasingly intolerant of the cost of such audit departments since they do not demonstrate any value.

If you are in one of these audit departments, you are in a prime position to inculcate some more business like thinking around the disciplines of value, time and cost. Since you have business experience, you know that the kiss of death of any overhead cost function is its inability to deliver something of value, on time and on budget.

I must warn you, however, that if the General Auditor has no intention of being held accountable for delivering anything of value, by a specific date and for a specific cost, you are fighting a losing value. The General Auditor has every right to determine the philosophy of the internal audit department.

DATE: 2/26/2002

QUESTION: Can you manage an RBIA audit department without knowing about how RBIA works?

ANSWER: No. RBIA audit departments are structured differently than traditional, hierarchical organizations. The management theory that works in those organizations, i.e., set objectives, assign tasks, review and follow up, will really destroy the value and productivity that RBIA can deliver if you attempt to "manage" an RBIA department in this manner.

RBIA works on the basis that internal auditors are smart, educated and knowledgeable people who, in teams, are entirely capable of "managing" their own audits for which they are held accountable. The traditional "do these tasks, tick and tie" work is demeaning. RBIA frees up the leadership team to focus on more critically important roles related to working with the audit customers - the senior executives of your company who determine your value.

If the management of the audit department do not understand this fundamental difference, and its implications, they will unintentionally do things that will destroy the value and productivity that we guarantee RBIA will deliver.

DATE: 2/19/2002

QUESTION: How do you create a TSO for a consulting project on which you are merely partnering with management?

ANSWER: You cannot create a TSO for a consulting project and expect non internal audit department members of the team to be bound by it. You just do not have the authority to do that.

There are, however, two things that you should encourage. First, and most important, is to make absolutely sure that all the team members have a solid understanding of what the end product will look like (as opposed to "what we are going to do", the budget and the due date. You will have to work with the person who is leading the team to do this and it needs to be done diplomatically. It is part of projecting internal audit as "experts" in team work.

Secondly, it makes sense to create an "internal" TSO for the audit team members only. This TSO should NOT be circulated to the remaining non-audit team members but should reflect the above deliverable, budget and due date.

The obvious response from the auditors on the team will be that they are being held accountable for internal TSO's when they are only members on a team lead by management people and cannot control the outcome or the process. While true, this is the reality of the business world. All of us, at some point, are assigned to teams and held accountable for results when we have no line authority over our fellow team members. This is exactly how the leadership team of a company works. It places a lot of pressure on the quality people that we have in internal audit departments to step up to the plate and demonstrate how well we can work with management and other team members to make things happen!

QUESTION: How do you see I/A's role during a systems development project?

ANSWER: Concerning the Systems Development Project, I assume that the Audit Executive and the VP have agreed to some type of internal audit involvement.

The best way to attack systems development initiatives is to do it in separate projects. At the start of the development effort, I would suggest that you perform a Governance Audit of how the project is set up. The TSO's would be very specifically related to Governance over the project. You can keep this fairly small and focused and quick. Use the Governance laminated quick reference card for guidance.

If you determine that Governance is in place and operating effectively, I would question the value of spending a lot more audit resources on the project, especially if you have a small audit department. The fact that Governance is in good shape would indicate to me that the project has some measure of success and there is a mechanism in place to correct any problems.

If Governance is not in place, then you have two options. The first, and most preferable, is to partner with the development teams to establish governance and other processes, as well as partnering on teams to look at controls at the Performance level of the development project.

The second option is to do another audit focusing on the Management level. Use the Business Function Analysis tool to do this audit. Hopefully this may lead to additional partnering initiatives with management to resolve issues.

Avoid doing detailed audits at the Performance level. While it is natural for Vice Presidents to want audit to "look at the controls" in new development initiatives, do this by partnering on teams lead by management. This will help reenforce the critical message that management is responsible for controls, not internal audit.

DATE:  02/13/02

QUESTION: Our Audit Executives are having trouble establishing an effective working relationship with senior managers in our company. What can you suggest to help us?

ANSWER: There are two things that you should do before your Audit Executives (AEs) start working with their assigned vice presidents. 1) Stop doing the things that upset senior people about internal audit, and 2) do the preimplementation marketing to the Audit Committee and the Vice Presidents (I talked about each in the RBIA seminar)

Assuming that this has been done, there are only really two options. One, is that your executives motives are less than honorable or, 2) you have the wrong people playing the AE role. Either situation is not good and is a problem for the General Auditor to address.

Please do not attempt to do RBIA without addressing 1) and 2) above. "Implementing RBIA" guide -- available elsewhere on this web site - will help you with the marketing.

DATE:  01/31/02

QUESTION: Do you still think that we should help vice presidents be successful in light of the Enron situation?

ANSWER: Yes. The Enron facts are still emerging. Remember that an internal audit department exists because the people running the company are people of ethics and integrity and have a vested interest in doing the right thing and doing things right.

If this is not the case, no internal audit function, whether in house or outsourced will ever add any value. The last thing that unethical and low integrity people want is an internal audit department using RBIA that is focused on the major business risks. In that situation, they would outsource internal audit so they can control, under a legal contract, what audit can and cannot look at.

DATE:  01/07/02

QUESTION: We are an internal audit department for a bank and it seems that all we do is complete audit procedures mandated by the government regulators. We want to use RBIA to add value, but will the regulators approve its use?

ANSWER: It is up to your General Auditor and your Audit Committee to decide the audit approach that your department follows, not the federal regulators. Where the law requires that you complete specific procedures, you do so and write that off as a cost of doing business.

The real issue becomes the role of internal audit that your General Auditor and the Audit Committee of your Board requires. If they want the bare bones, minimal cost audit function then you simply do the minimum required by the regulators. However, this doesn't really add any value and you can do this with minimally trained, minimally educated and minimally qualified auditors.

If however, your General Auditor and the Audit Committee see the role of the internal audit department as adding additional value to the bank in terms of it meeting its business objectives, then RBIA can definitely be used to accomplish this goal. You just have to recognize that it will be in addition to the work mandated by the federal regulator.

The Best of the Best for 2006

RBIA Gold Medal
Ms. Martha Mimica, Florida Power & Light

RBIA Silver Medal
Mr. Bill Egan, Scotts Company

RBIA Bronze Medal
Mr. Dan Ashley, Qwest Communications

Congratulations!
prior year winners

SOX 404 RISK CONTROL MANAGER 2.1 SOFTWARE


a cost effective way
to document controls

AUDIT TEAM MANAGEMENT
SYSTEM (ATMS) SOFTWARE


best value available for
small audit groups

Updated: February 2, 2007