The Too Much and Not Enough within Internal Audit: Total Quality Auditing? Data Revealed

The true test of trainings, particularly when new concepts are introduced, is the feedback of the attendees. In my case, it is the feedback of highly proficient, extremely intelligent, professionally certified (many extremely professionally certified) internal auditors. I would like to think that this evaluation comment is representative of the thousands of auditors I reached in 2019 through my Total Quality Auditing? (TQA) trainings:

“You are articulating ideas that I’ve been trying to communicate for years, and I really appreciate the work you’ve done to propel the internal audit function towards the future and actually adding value.” 

Here’s the thing, if this comment was unique, I wouldn’t have based an article on it. And I am not trying to brag either. The fact is, I seemed to have hit a nerve with internal auditors that truly believe they are not adding enough value to their organization. And they want to be. They want to start looking for the future, major risks and stop looking at the past, minor peanuts. They have a common desire to find new, fresh, relevant, and compelling ideas for adding real value. And they have a desire for using meaningful tools, providing and implementing common sense solutions, and impacting the overall success of their organization.

So, the good news is that the TQA concept and techniques were very well received. The not-so-good news: based on my own survey data, the concepts are only being marginally applied by internal auditors today (the true reason for this article). They are perhaps being held back by traditional audit leaders, traditional boards and audit committees, or even traditional management that wants to keep them at arms-length (okay, maybe at many arms-lengths) in their customary “bad cop” role within the organization.

From “Cop” to “Crossing Guard”

TQA is based on the principle that improvement to culture, products, or services cannot be “inspected (audited) in” after-the-fact and that excellence is not the result of “finding the bad ones and throwing them out” after-the-fact. Because after is “too late, ineffective, and costly.” (All quotes by W. Edwards Deming, the founding father of Total Quality Management – or TQM.)

In other words (my words), it is time for internal auditors to stop being the cop that visits the scene after the incident. It is time for them to be the proactive crossing guard that helps others avoid incident. It is time to stop fighting fires all the time, as the true accomplishment is preventing the fires from starting in the first place. 

As I state in my TQA book, the goal of internal auditing should be to reduce the need for audits, not to do more audits. And while everyone I talk to very much agrees with this progressive, proactive, preventative, internal audit approach, only 8% of those surveyed describe their function as proactively influencing the future at their organization. Yes, you read that right: EIGHT percent. 

From “Needles” to “Haystacks”

Don’t like the police or firefighter analogies? How do you feel about farmers? Because after numerous conversations, ample reading of professional publications, and much sifting through polling data and survey results, one thing is clear: 

Internal auditors today are spending too much time looking for a needle in an existing haystack and not enough time figuring out how to improve or change the haystack. 

Congratulations, you have officially made it to the “too much” and the “not enough” part of the article the title eluded to. Hopefully it wasn’t too much like looking for that needle in that haystack. For each of the six TQA points of focus: Ethics, Standards, Feedback, Lean, Balance, and Leadership, you are about to get a taste of what else my training attendees have told me. You better sit down for this. 

Too Much and Not Enough: “Ethics”

Internal auditors universally agree that ethical behavior is important for an organization’s ultimate success. They agree that customers want to get their products and services from ethical organizations, employees want to work for ethical organizations, and investors want to invest their money in ethical organizations.

But while auditors universally agree about the importance of ethics, integrity, and honesty, they still seem to have too much trust and not enough skepticism and understanding that human beings are fallible. They all seem to think since they aren’t working at Enron or WorldCom, they are safe from ethical risks. 

I take this as my opportunity to present study after study that shows that people are not as ethical as they think they are. (If you don’t believe me, read The (Honest) Truth About Dishonesty by Dan Ariely or Blind Spots by Max Bazerman and Ann Tenbrunsel. All are distinguished professors and ethics researchers.) When left to their own devices, people will rationalize away questionable, unethical, behavior. However, the good news is, research also shows us that individuals will favorably respond to ethical values if they are clearly stated, understood, communicated, and expectations are continually reinforced through trainings, processes, and leaders’ actions. 

But the bad news (again), is not enough time and energy is being spent by auditors on influencing or promoting an ethical culture. Barely half of the internal auditors I surveyed have even read their organization’s Ethics Policy. Only 9% participate in any way in educating employees relative to ethics. Only 15% of their organizations have a Chief Ethics Officer position (which arguably could be the most important role at a company today) and 61% report that ethics is only sometimes on the minds of their organization’s leaders or is flat out not on their minds at all.

I’m not going to stop the statistics there, because I feel strongly that ethics is one of the top risks at any organization today, and I’ll repeat, not enough time and energy is spent on it. Each participant at my live seminars also completes a “Workplace Ethics Survey” I have developed. There are 15 questions that cover all the typical functions of a business and the potential for ethical missteps in each area. Think padding expense reports, falsifying financial reports, or existing conflicts of interest. And guess what this survey data shows us? Only 3% of auditors surveyed believe there are no ethical issues at their organization. The other 97% admit it is happening somewhere.

Ethics is not a soft issue, it is a major risk. And internal auditors have plenty of opportunities to increase their contribution and mitigate the risk. They can monitor culture and leadership by conducting surveys and obtaining feedback. They can lead ethics communications and trainings, embed integrity in personnel processes, ensure pay and performance systems promote ethical behavior, and advocate for zero tolerance ethics policies. They can insist in their involvement in all ethics breaches and perform investigations to identify root causes. Oh, and they can read the darn ethics policy (I can’t believe I have to say that, but I do). 

This is Ethics the TQA way. (I promise not all of the TQA points of focus will be as long as this one, so keep reading.)

Too Much and Not Enough: “Standards”

The most powerful tool in any organization regarding behavior is a document usually called the “Standards of Conduct” or “Code of Conduct.” Such a document, when used effectively, defines the specific behaviors that reinforce the organization’s values (like ethics, above) and supports achievement of the organization’s objectives. 

Without standards that are both well-thought-out and properly administered – meaning, enforced with corrective action procedures to ensure compliance, it is a free-for-all environment. Every world class organization has a standards document that defines the policies, procedures, acceptable behavior, and consequences, if breached. Yet, 56% of internal auditors surveyed believe the standards of conduct are not useful and/or not widely referenced within their organization. Guess it is safe to say, that 56% does not work at a world class organization.

If robust and enforced standards assist in the accomplishment of organizational goals, internal auditors are missing a huge opportunity to safeguard its effectiveness. Only about half report auditing the effectiveness of the standards (if they exist) in any way. And only 7% of auditors are aware of breaches of the standards of conduct every time they occur. Auditors are spending too much time on hazelnuts and not enough time on coconuts (yes, I googled the world’s smallest and largest nuts, just to prove this point). And in most cases, we don’t even know about the coconuts. 

“The big problems are where people don’t realize they have one in the first place.” – W. Edwards Deming

Internal auditors can influence behavior by ensuring the standards exist, they support overall organization values and objectives, they are widely communicated and reinforced, and above all, they are consistently and equitably administered. Oh, and they can insist in their involvement in all standards breaches and perform investigations to identify root causes.

This is Standards the TQA way. (I told you they would get shorter.)

Too Much and Not Enough: “Feedback”

TQA customer feedback has two main purposes: 1) to identify organizational risks and improvement opportunities to develop a meaningful audit plan, and 2) to identify ways for internal audit to improve its effectiveness. 

TQM is all about the focus on meeting or exceeding customer needs and consistent, controlled processes to meet those needs. It seems to me this is pretty straightforward and internal auditors generally agree these are legitimate activities and objectives. Yet, there are still too many internally developed audit plans (that look a lot like past years’ plans) and there is not enough time spent obtaining input from internal audit’s customers regarding current and future risks and improvement opportunities. In fact, 53% of auditors say their plan is mainly built on an internal assessment. 

Although there are many ways to solicit feedback, it is generally recognized that surveys are an efficient means (i.e., a controlled process) to do so. However, less than half of internal audit functions appear to use surveys at all to ask about risks, culture, processes, controls, or compliance in general, and when they are used, they are typically directed only at managers and above. What about all of the other employees at your organization? You know, the ones that work on the front lines and actually know the biggest issues and risks faced?

Now is not the time to “select a sample.” Internal auditors can obtain full populations of data (e.g., risks) by surveying all customers. And then build a valuable audit plan that truly exceeds customer needs.

And on the note of exceeding customer needs, what better way to find out how you are doing at that goal, then to ask? Everyone seems to agree (even every company we shop at, restaurant we eat at, airline we fly on, agrees) that sending a feedback survey is an effective means of measuring performance and to improve effectiveness. Yet, only 46% of audit functions appear to be gathering feedback today. 

As Tom Peter’s says: “Every unit should be formally evaluated by other functions concerning usefulness, effectiveness and value added to the enterprise as a whole.” It’s time internal auditors were evaluated much like their auditees. To ensure you’re a benefit to the organization, not just a cost. To ensure you’re adding real value.

This is Feedback the TQA way.

Too Much and Not Enough: “Lean”

Let’s get right to the point. Lean auditing is all about eliminating waste in internal audit processes. We want our organizations to be lean, our audit customers to be lean, so let’s practice what we preach. Now you ask, where do you start?

We’ve already started. The number one way internal auditors can be lean is to gather feedback to create a meaningful audit plan, based on the right risks. But when asked if their audit plan today covers the right risks, only 6% said yes. SIX percent. When asked if there were engagements on their audit plan that add no value, 34% said definitely… 51% said potentially. You can do that math. 

And let’s explore activities outside of the audit plan itself, how about actual audit engagements? 85% of auditors surveyed think their engagements are too long. And most agreed that the output, i.e., the audit report, was also too long and unproductive. 75% of auditors have access to less than half of the systems at their organization in order to independently and efficiently pull and review data, and 60% of auditors admit they are not using or not efficiently (or effectively) using data analytics tools today. That’s why I told you to sit down earlier.

After I present all the factors of internal audit waste and the characteristics of lean auditing, I ask auditors if they have an opportunity to be more lean. 80% say absolutely. The answer indicates that internal auditors are spending too much time and energy on things that are not important or not working.

Do we need to talk peanuts again? There is too much auditing hazelnuts and not enough improving coconuts. There is too much reporting and not enough communicating. Internal auditors need to “Value Map” their processes to ensure every-little-thing they do is adding value to their stakeholders. They need to concentrate on the greatest risks, improve processes, and solve problems for customers. Major on the majors. Focus on the coconuts.

This is Lean the TQA way. 

Too Much and Not Enough: “Balance”

If you thought the last section was lean, just wait for this one. There is just one question that gets at the heart of the TQA Balance point of focus: Are internal auditors too close to their customers or not close enough?

Sure, auditors need to act professionally with independence and objectivity, but in order to add real value, I believe they need to get closer. It’s critical to implement an appropriate balance of traditional auditing, with risk management and consulting work (identifying risks, suggesting solutions, and helping to solve problems). And when I say balance, I may actually mean throw yourself way-off-balance. Throw yourself into consulting. Remember TQA is a preventative, proactive, progressive audit concept. This is that progressive piece shining through. 

When auditors were asked how much time is spent on consulting activities today, the majority answered less than 25%. But when asked if they think they have an opportunity to add more value by consulting, 74% answered absolutely. There is an obvious disconnect between how auditors are balancing their time and how auditors can best add value at their organizations.

I believe auditors think and act too much as a necessary, unavoidable cost center and not enough as business entrepreneurs, measuring themselves by what they contribute to the organization that they serve. There is too muchidentifying of problems (traditional auditing) and not enough effort on helping to fix problems (progressive consulting). There is too much focus on doing more audits and not enough focus on improving the reliability of processes in order to decrease the number of audits.

Internal auditors need to change their perspective and build a reputation of collaborative consulting on process improvements (that eliminate the need for audits). 

This is Balance the TQA way.

Too Much and Not Enough: “Leadership”

“The most effective Internal Audit leaders are making an honest effort to work themselves out of a job.” Don’t let my quote scare you. This works in everyone’s job, not just ours. But it does work particularly well for us.

My theory on internal audit leadership is that we need to be more ethical, more gritty, and earn more respect. Let’s start with ethics. When auditors were asked about their personal and professional ethics, they all rated themselves very high. This is a good start, but keep in mind, none of us is as ethical as we think we are. (And remember more than half haven’t read their organization’s Ethics Policy, yet most likely signed something saying they did.) But for the sake of this article, we’ll assume that the ethics of auditors is not a problem. So, on to grit.

Angela Duckworth, the author of Grit: The Power of Passion and Perseverance, has defined grit as having a passion for what you do, focusing on important things, overcoming obstacles, being obsessed with adding value, and getting more done with less. And only an astounding 18% of internal auditors think they have enough grit. Not enough.

My definition of respect is whether people come to you for advice and counsel. When auditors were asked whether their customers “seek them out,” “run the other way,” or “somewhere in between,” 80% answered the latter two buckets. 20% is not enough.

What can internal auditors do to increase their grit and respect? Remember the peanuts. Deliver your function with the passion to do things that sincerely matter to your customers and add real value. Focus on exceeding your commitments and being the best at what you do. And never stop in your quest for personal and professional development.  

This is Leadership the TQA way.

The Future of Internal Audit

According to the data I collected over the past year, everyone agrees: The beneficial product of auditing is not issuing the report; it is the eliminating risks and solving real problems at our organizations.

In order to do this, and in order to change the other statistics I presented above, we have to change our actions. I believe the future success of internal audit rests with us. It rests in the ability to apply the techniques within each TQA point of focus, which were built on the proven principles of TQM. Instead of focusing on the past, attempting to uncover deviations, it’s time to focus on the future prevention – proactively reducing risks and improving organization effectiveness, without waiting to react to a crisis. 

Bottom line: there is too much catching and not enough coaching today.

The future of internal audit lies in coaching stakeholders to focus on culture, ethics, and conduct at their organizations… in collaborating with customers and obtaining the right feedback… and in applying lean techniques and balancing work to focus more on valuable consulting. And while I have the utmost respect for “cops” who catch the bad guys, it is time we realize this is not the role we need to fill at our organization. The ethical, gritty, respected, future audit leaders are instead coaching their organizations to victory. 

If this topic interests you, please join Audit. Consulting. Education. LLC for our 2020 Total Quality Auditing Webinar Series starting January 21st! Read more about the webinars at www.TotalQualityAuditing.com.

12 webinars, 12 CPEs (2 in Ethics, 10 in Auditing), 50 minutes a month, and you will end 2020 with a Total Quality Mindset!