World-class Internal Audit by Norman Marks

We were a world-class audit team. There is always a need to change and seek improvement. Solve departments solve their problems. Learn to be innovative in your work. This book features highlights of my career. Hopefully, the reader will be able to gain insights. Learn from your mistakes and learn from those I made too.

In the Beginning. I joined PwC straight out of college. I learnt to treat audit partners with respect. Gutter Brothers were an audit firm. Back then, I was just labelled as an ‘other’, which was an even lower rank than the receptionist. I was doing an apprenticeship by then. Respect must be earned through your actions.

I learned a valuable lesson from this. No matter how high you see yourself, how magnificent you look in the mirror of your vanity, others may see you as a pompous nitwit or worse. – Norman Marks

Another situation, many years later, reminded me never to think too highly of yourself. – Norman Marks

I am obdurate. Later on, I worked under a number of audit seniors and supervisors. One of my appraisals rated me as below average and said that I was ‘obdurate’. My manager thought that I was inflexible. He believed that I was stern. Asking questions was a must. I asked managers why I must do certain things. Do not follow last year’s procedures blindly, as last year’s work might not have been done properly. Never simply follow a checklist without understanding what it is about. Simply use standard audit programs as a tool and a checklist. It is important to understand and appreciate the business. This is a powerful checklist. Keep asking ‘why’.

I believe very strongly that only when people have a solid understanding of why something needs to be done will they do it well. – Norman Marks

Too much quality. Sometimes, people in positions of authority do not have the right experience and ability. Learn to use analytics, trends and ratios as an audit technique. Use performance indicators to detect unusual patterns in inventory levels. Analytics is useful to save time during the audit. Once, the audit partner said my work-papers were great but I took too much time to perform the work. Time taken to perform the work was a cost to the client. My work was apparently ‘too good’ and it didn’t have to be that good. For internal auditors, the focus on documentation is not as great as for external auditors. IA’s work is not reviewed by examiners or regulators. Our audit opinion is for internal use. Internal auditors are rarely sued. If there is a dispute over findings, it is important to have working papers as evidence. Interpreting the audit findings is also an issue. Working papers are crucial if there is a fraud investigation. You can review by talking to the audit team. If external auditors are going to rely on internal auditors’ work, documentation is important. Creating working papers should not be very ‘costly’ and the time wasted could be used for another audit. Apply ‘stop and go auditing’. This means extending the audit if risk was higher than expected but shortening an audit if the risk was lower than anticipated. Sometimes, cutting short an audit is useful. The CAE must balance the value and cost of developing working papers.

There is no way that audit documentation should take such an enormous percentage of total audit engagement time. If my internal auditors spent more than 10% of their time on working papers, I would need to know why. – Norman Marks

The value of criticism. I was good at flow-charting and completing ICQs. I received a lot of comments from the CAG specialist and requested a meeting with him. All the review notes made sense. Luckily, he was patient and explained what I had done wrong and what should have been done. Later, I re-did the working papers and in future, I did not receive that many review notes. I realized that my flowcharting of systems was lacking. I needed to have a better grasp of the fundamental principles. Technical skills are important too. I respected the CAG specialist and learnt a lot from him. Criticism can educate and change you. Later, I was hired by the CAG team as they were impressed with my knowledge.

The value of writing and teaching. I loved history. I was a gifted programmer and knew how to use the computer auditing sessions. To my superiors, I was an expert in the subject matter. For new technology, it is best to implement in stages. IT systems must be built on a solid foundation. The foundations and fundamentals don’t change. For example, you must understand internal controls, risk management, IS, cash management etc. Later on, I was interested in microprocessors. Tell people why the tasks they are doing are important. Avoid technical language and use ordinary English. In order to teach, you have to learn the fundamentals. Therefore, there are huge benefits in learning to teach. Use examples and diagrams when teaching.

The value of Curiosity and Research. I was the IT auditor for a large insurance firm. Keep asking and make sure that audit tests are not run on old data or old systems. From then on, I had a keen interest in ITGC. Sometimes you need to look deeper and not be fooled by the name of a system or report. Someone could have changed the name of the report but the data was not relevant. My common sense impressed him.

The executive attention span. I drafted ICQs to those programmers who had power to change many elements of the IT environment. Once, I had to explain my work to a senior partner, but I realised that he was not paying attention. I realized that once I had hesitated, the senior partner stopped listening to me. Senior management wants you to explain your point succinctly and quickly. They don’t like to hear things that they don’t want to hear. He wanted to size me up. Senior management only wants to know whether there are any issues in the audit. You should conclude what the effectiveness of controls meant for the organization as a whole.

You are how others see you. I was about to receive my annual evaluation from David. However, apparently, I had offended a senior colleague of David. I appeared arrogant in front of that colleague. When I approached my other colleagues, I realized that that was what they were saying about me too. Charisma is important in audit. When climbing the corporate ladder, you need to learn to be a charismatic leader.

Showing that you are the best at what you do may win you a job, but will rarely win friends or influence people. If we are to be successful, we need to surround ourselves with people who are interested in our success as well as their own. Arrogance turns them away. – Norman Marks

The search for charisma. I learnt charisma from leaders during my short stint in the US office. A large part of it is smiling. You need to behave in a way where people find it appealing. Demonstrate that you place value in your staff and you can trust them. Everyone is valuable and interesting in their own way. I have been enlightened by conversations. You should talk to everyone if you want to find out more about the organization’s problems. Listen to people on the ground. Show respect to others and listen well.

I have learned that people love those who will listen to them. You can be charismatic by listening actively, showing respect and attention to another’s views. – Norman Marks

The Root Cause. You cannot report the symptom. You need to dig to the root cause of the problem. Keep saying ‘why’. This is the 5 ‘why’ method.

If the auditor reports a problem that is only a symptom, management is unlikely to take the actions necessary to fix the problem permanently. Only when the root cause is treated, rather than the symptom, is the deficiency addressed. – Norman Marks

Do we speak the same language? The English spoken in America and the English spoken in England have slight differences. For instance, to the British, ‘ta’ means ‘thank you’. Make the effort to speak clearly so that others can understand you. Do not assume that everybody understands each other. Take responsibility for what you say.

WIIFM. Sometimes, if you want to climb the corporate ladder, connections matter. Is this behaviour consistent with your values and principles? It was against my principles to steal others’ credit. People usually only care about themselves. They think in this perspective ‘What’s In It For Me?’ You need to understand how people act. Over time, playing office politics will create enemies.

Where do I go from here? I decided the life of a partner was not for me. The opportunities and salary are more important than the title awarded to you. You must look forward to the next role before jumping in.

Only take a job when you see yourself excited and running towards it. Don’t take a job just to escape your current position. – Norman Marks

Wearing a White Hat. People make mistakes and controls are important.

Awkward Days. If you can’t trust people, you can’t expect them to be loyal. If you have a bad boss, you will see that people will start leaving.

When you can’t trust your own people, especially when there is no good reason for mistrust, they will neither trust you nor owe you loyalty. – Norman Marks

Some measure their value and effectiveness by the number and significance of their audit findings. I measure my value and effectiveness in terms of how management trusts and looks to me to help them be successful. – Norman Marks

A great but unlikely compliment. I wanted to move into line management before wanting to consider whether to be an IA head. The CAE should report administratively to senior management and administratively to the Audit Committee. Compensation for the CAE should be set by the Audit Committee. Internal auditors should be experts in internal controls and processes. Workload assignment is important.

When to suggest an answer. It is good for auditors to have some line experience. First, one needs to assess the design of the controls. Learn to create a control matrix. The control matrix can help you make an assessment and prevent excessive audit. Be wary of backlog requests. Do not be quick to suggest answers before understanding the problem. Do not suggest a solution if you know just the symptom.

Learning about Limits. Common sense, together with logic, can help one accomplish a lot in life. Sometimes, it is better not to set limits for yourself. If you enforce the HR policies too strictly, some people might not like it. This might make you more enemies.

Empathy. Walk in someone else’s shoes before you criticize them. Understand what others are going through and the challenges they face. Walk around and ask others how they are doing and show some concern. When they know you care for them, they tend to be more loyal towards you. Sometimes, you need the humanistic and caring approach of management.

Empathy, understanding what it was like to walk in the auditees’ shoes, would help me craft a report with recommendations that were practical, business-oriented, and achievable. Having empathy would help me influence and effect the change I desired and felt was necessary for the business. – Norman Marks

The Customer. It is important to follow-up with the customer and update them if the query is still in progress. The person who made initial customer contact should take ownership of the case.

The lesson was that hiring motivated and experienced people may cost a little more per person, but they need little supervision or management, are far more productive, and in general create products that are practical, relevant, and useful to the business. – Norman Marks

The Best Job I ever had. The best way to know a job is through a network. Tosco did well due to strategic management decisions. I was given room to grow as the head of Internal Audit. IA should be able to effect change and adapt to changing business conditions. The staff need to be talented and also be able to communicate well.

Hiring the Best. I started off as the CAE with no staff under me. Eventually, I hired 3 experienced people. In IA, both hard and soft skills are necessary. In addition, being intelligent and having a curious mindset is necessary. Auditors need to think for themselves. During the interview, ask what the candidate reads. Ask the candidate audit-related questions and dig out more information on him. Think about a situation that you have never encountered before. A way to approach auditing is to evaluate the risks and to better manage them. Sometimes, if the risks are at an acceptable level to management, then no further testing is required. Having experienced staff is important.

Too many auditors are trained not to think. They are told to follow an audit program or checklist that somebody else created. – Norman Marks

Humility and Respect. I was the director of IA at Tosco. Even if you are very senior, always act with humility and respect. Trust your employees to work diligently. I was proud of the management team, who placed people ahead of profits. Listen to people who can offer different perspectives. People like to feel empowered and respected. IA was seen as a path to business. Create a fun environment so that people will stay.

The risk-based IA plan. Learn to build up your audit universe. Always practise risk-based auditing. Sometimes, a full-scope audit can use up too much of your resources. Later, I understood the concept of ‘opportunity cost’. Your audit plan can have relative ranking of risk factors. I included risks within each business unit and compared them across the enterprise. Focus on the more significant risks to the organization. There are endless possibilities of audit. I was able to substantially cut down the audit time required. The more audits you do, the more risks you are able to assess. On average, one audit member could complete up to 12 audits per year. Learn to perform an ERM first, before developing your audit universe. In the past, nobody talked about ERM. The whole point is to discuss the wide range of activities for the organization.

My first frauds. Over the years, I have performed many investigations. Sometimes, companies want to protect the fraudster because he is still a valuable member of the organization. Do not commit ‘white lies’ as they may have serious repercussions moving forward. Limit the people in the ‘know’. Do not jeopardise people’s career if they are under investigation. Sometimes, they might actually be innocent. Anyone is capable of committing fraud, even your close friend. It is important to keep investigations confidential, so as not to affect others’ reputations. Never assume guilt unless you have sufficient evidence.

Not all auditors hate risk. Management can decide how much risk to take, but auditors can challenge this. IA should not try to eliminate every risk that they see. Do your audit customers smile? It is not about eliminating risk, but about taking the right risk. There needs to be security over the batch jobs. It is essential to take a business perspective when it comes to auditing.

Internal auditors should understand that business is not about avoiding or limiting risk, it is about taking the right risk. I have learned that all internal auditors should consider themselves business people who have a job as internal auditors. Their work should be intended to contribute to organization success, not just point out deficiencies or “findings”. – Norman Marks

Loretta and Wow! Audit Projects. As IA, you can make the person’s job more interesting by making better use of their manuals and documents. Learn to reinvent your work. Make every project a ‘Wow!’ project. IA needs to talk to people to understand the risks that the organization faces, and what are the risks and opportunities. Spend time to talk to people on the ground. Timeliness is important. Long meetings are unproductive in nature and should be avoided. Auditors must talk in the language of business executives.

Why do I need to write an audit report? One needs to demonstrate empathy. You need to care about the success of the team. The report is a vehicle of communication. It benefits the management and the audit committee. Clear communications are easily understood. The report must be clear and concise. Management and the AC want to know the following: 1) Is there anything they need to worry about? 2) Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed? Manage on ‘exception’. After reading the first few paragraphs, you should be able to obtain the correct information. An opinion can be expressed on a written scale: 1) Satisfactory; 2) Needs Improvement; 3) Unsatisfactory. Management just wants ‘high-level’ information. The goal is to effect improvement and not to keep reporting issues. Risks must be managed effectively. If management corrects the issue before the report is issued, I can drop the finding. Is it necessary to organize a closing meeting? I am looking out for information to make IA communications more accurate. If you know one audit report might affect other areas of the business, it is possible to share the findings with that area of the business.

Auditing Forward. IA must be independent and objective. Evaluate and improve the control and governance processes. Auditing forward means being involved in forward-looking activities and ensuring that controls are in place. Controls should be implemented before the ‘production’ phase. This is more of a consulting project. IA’s success has to be intertwined with the success of project implementation. Going live without testing is potentially high-risk. Identify areas where the project is most likely to experience pitfalls. IA can add value if it can improve the company’s future. Telling about problems in the past can help, but only to a limited extent. Be agile and learn to change the IA plan swiftly. Know that business environments can change. Obtain monthly operating reports and key metrics so that analytics can be performed. Business leaders like IA functions that can add value.

Effecting Change. Some IA functions measure their success by the number of recommendations made and % of findings accepted by management. The number of audit findings should diminish over time. IA must target the root cause and actions needed to fix the problem. By right, all recommendations should be accepted by management. Measure quality through the change that is made. The number of significant findings should be decreasing over time. IA should enable organizations to take corrective actions. ‘Does internal audit help you identify the need for change and improvement in the business, and then to get those changes made?’

Leadership. People need to have confidence in you. You cannot fake who you are. Always be the best that you can be. Show respect and listen to others. Give credit to your team members. Ask questions that make people think hard. I have received good feedback from those around me. Try to mentor others and to help their careers whenever possible. People need to think for themselves. People from the Big 4 are trained not to think. This sort of thinking needs to be reversed. There is a difference between a boss and a leader. Leadership is about providing direction, implementing plans and motivating people. Leadership styles can be modified and tailored according to the situation. Trust and loyalty are really crucial. Be loyal and build strong teams. Understand what motivates your staff and where they want to go in their careers. Always be there for your employees. A leader is supposed to motivate employees so that they can perform to the best of their ability.

Working with difficult people. Sometimes, you will meet people who dislike you on a personal level. If you want to be successful, you need to learn how to work with difficult people. There is nothing much you can do but apologize sometimes. Sometimes, you may enter a workplace with a high degree of politics. At times, you might not be able to change a difficult situation. In that case, the best thing to do is to leave on a good note. You can take courses on how to deal with difficult people. Learn to listen to angry people talk. Eventually they will simmer down. Being heard is almost like being loved. Being alone can allow the person to calm down. Always try to be professional and polite. There is little to gain if you keep criticizing the other person. Difficult people are difficult for a reason. That is because they may have something to hide.

Working for a Difficult Region. It is ridiculous if you need management permission to perform the audit. IA should be given full access and co-operation. If bonuses are tied to number and severity of audit problems, people will clean up data and be extra vigilant when dealing with auditors. Sometimes, people do not see value in IA. Do not have the aim of disciplining others.

Organizational Culture. CAEs should be concerned with the organizational culture. Is there a culture of integrity? Is the culture appropriate for realizing and delivering value? The CAE must stand tall. Sometimes, when the CAE reports bad news, the CE might want the CAE to be fired. There might be a culture of manipulation of books and earnings management. There must be a strong tone from the top. Do not have the culture of ‘cooking the books’. If there is, it could be a good idea to leave.

The expansion of internal auditing. Pay attention to contracts audit. Sometimes, there can be loopholes that may be exploited. Investigations should only be performed by well-trained personnel. Determination of whether fraud is committed is a legal responsibility. Do not believe that guilt is present until all evidence is in. Audit must be performed to check compliance with licensing terms.

World Class Internal Auditing. This means being an IA function that few are aware of and not many people adopt. Do not simply follow best practice. Always audit forward. Embed your IA team in all major initiatives. An effective leader should support the team and provide adequate resources. There are disadvantages with inexperienced auditors. Focus on important risks and do not waste time on immaterial activities. Do not try to make someone else look bad. There are 14 attributes to a world-class IA.

1) Be praised by AC and top management.
2) A cool place to work (Build a bonding spirit).
3) The department people want to transfer to, but hate to leave.
4) Where people think (observe similar situations in other companies; be creative and resourceful; standardized audit programs may not be applicable for all; learn to challenge norms).
5) Where people are set free to choose an audit approach that stimulates and develops, as well as getting to the heart of the problem – tackling the root issues head on. Auditors must get to the root cause of the problems, which tend to be people. Sometimes, people make mistakes because they are overworked.
6) The source of projects that are noticed, that will be told to the team’s grandchildren (major business improvements).
7) The internal consultants of choice and a source of talent.
8) At the exit interview, the manager says ‘thank you’ sincerely (Listen to your customers. If they value you, you are in a much better position).
9) Fully leverage the organization’s risk management process (automation, base audit plan on risk-adjusted risk universe (ERM etc)).
10) Fully leverage advanced continuous monitoring and auditing capabilities – as part of a risk-based audit program (perform analytics, employ technology for advantage, crowdsource etc).
11) Where the CAE sends a message to the CEO asking to chat, and the CEO comes to the CAE’s office (Learn to listen well).
12) Expanding into new and cool stuff, even if not traditional audit areas, such as process improvement, six sigma, audit of risk management and governance (use the LEAN concept to reduce waste, inefficiencies etc).
13) Where internal auditing is seen by management as a competitive advantage (see the value add in IA).
14) Where the CAE is never satisfied (learn from other CAEs, think outside the box).

After all, our job is not to score points telling people how many mistakes they made. Our job is to help people understand whether things are OK, and, when they are not, work with them to effect the necessary changes. – Norman Marks

Celebrating mistakes. Do not live in fear of making mistakes. However, one should learn from their mistakes or it might become an issue in future. However, there are some weaknesses that one must accept. Make adjustments to your behaviour. Sometimes, what appears to be negligence may not be so. Stop before reacting. Learn from your mistakes in order to help you succeed.

Looking back and forward. Not many IA departments assess and provide assurance on the effectiveness of risk management. Very few consider governance issues. It is not simply a ‘check the box’ function. Too many ACs don’t understand the potential of IA. IA practices must continue to improve. Business environments are getting more complex.



