Skip to Content
Internal Controls

Auditors and Risk Management

Matthew Leitch | July 1, 2003

On This Page
Audit checklist with a red pen and checmarked box

New SEC rules say that companies cannot describe their controls as effective if there is even one "material weakness." This means companies must try to eliminate as many weaknesses as possible and publish a clean report. Internal auditors can help in this risk management process.

If you are an external or internal auditor, please don't read on. I'm about to give away our secrets to the rest of the world. If you are not an auditor—for example if your background is mostly in insurance—and you want to understand what auditors believe, how they work, where their weaknesses are, and what they contribute, then read on. It's time to meet the auditors.

What Sort of People Are Auditors?

External auditors tend to be qualified financial accountants assisted by their trainees. Big firms also employee specialists who are not accountants, such as computer security and project management experts, though they are slightly less common now that people increasingly believe external auditors should not provide other services to their audit clients.

Internal auditors tend to be former external auditors mixed with people from just about any background conceivable. Some internal auditors go on to take up management roles in the companies they audit, but others move from management into internal audit.

The training for auditors, especially external auditors, emphasizes working in compliance with regulations and official standards of work. The regulations on financial accounting are complicated and require careful interpretation. There are also extensive written standards for internal and external auditing. As a result, auditors have tended to focus on compliance with standards and written procedures.

What Are Auditors Good At?

Auditors are good at going to see for themselves. They are usually skeptical and good at digging up dirt and revealing the things managers would prefer to keep hidden.

Despite sometimes having a reputation as dangerous to meet, they are usually people who help spread good ideas. They network across their organization and with their friends at other organizations. They attend conferences to learn what is happening. When they find good ideas in their company, they tend to spread them. They also bring new ideas from other places into their companies.

Auditors will review almost anything important to their organization—not just financial matters.

Internal and external auditors fight for their independence and take ethics very seriously. That doesn't mean that all auditors are ethical and independent, but it does mean that most are much more aware of the issues than people in other roles.

External auditors often rely on work done by internal auditors and, when they do, they check that the internal auditors have sufficient standing and independence within their organization to speak the truth without fear.

Professional institutes for auditors and accountants usually provide personal help for members with ethical issues and lots of guidance. Trainee public accountants, for example, are encouraged to think of themselves as accountants first and employees second. Whatever their boss wants, they have certain duties to their profession.

Auditors spend most of their time looking at internally arising risks and their countermeasures. Auditors soon learn how and why people make mistakes and behave dishonestly. In these areas of operational risk their knowledge is often excellent.

What Do Auditors Believe?

Like all specialists, auditors believe that the things they are concerned with are broader and more important than the rest of the world realizes. Auditors are concerned with "internal controls" and what they call "risk management."

Auditing is yet another profession that has come to see itself as all about risk management. This happened mainly during the 1990s. They see a "risk" as anything that could have impact on an organization achieving its objectives, and things done to cope with risks are "internal controls." Originally, "internal controls" meant checks like bank reconciliations and double entry, but now the term is much wider and its boundaries are indistinct.

Auditors tend to focus heavily on internally arising risks, especially risks arising from incompetence or dishonesty. When something goes wrong they tend to say it was because of failure to follow internal control procedures while other people are more likely to point to externally arising problems.

How Do Auditors Work?

The trend in internal and external auditing during the 1990s and more recently has been toward more risk assessment and more flexible and focused reviews.

For example, over the last 3 years PricewaterhouseCoopers (the world's largest audit firm) has introduced an audit approach called "Towards Performance Auditing" which has taken the firm far beyond the accounts department and directly financial risks. They now interview managers across a business to find areas under pressure, for it is here that the risks of financial misstatement are highest even if the means of misstatement is not immediately clear.

In a similar spirit, internal auditors have begun to develop their work plans by starting with their organization's corporate risk register (which they often helped to produce) and doing reviews to provide assurance on the key perceived risks. This has pushed them into new areas and a wider range of reviews than ever before, which sometimes creates difficulties.

Internal audit departments vary in how helpful they are to the people they audit. The old-fashioned style was for internal audit to be a police force, conducting reviews, issuing reports, and making recommendations for improvements that had to be acted on. This sometimes led to confrontations. The modern style is typically to be more facilitative. Although internal auditors still issue reports, they often get some of their evidence by asking auditees to assess their own risks and controls, and some auditors no longer make recommendations themselves, though they will facilitate auditees devising improvements and later track progress.

What Are Auditors Not So Good At?

The risk analysis done by, or facilitated by, auditors tends to be much less sophisticated than risk analysis by people in insurance, safety, policy analysis, and medicine, for example. Quantification, where it is attempted, tends to be guesswork and undermined by basic technical errors.

Another weak area for many auditors is lack of design ability. Auditors do a good job of spreading ideas but they tend to have far less creative ability than typical engineers, system builders, and architects, for example. Auditors check work done by other people, often against standards laid down by someone else, and this does not develop their design and problem solving skills.

Consequently, although auditors often make suggestions or recommendations, they tend to be obvious and lack detail, too often amounting to a call for more documentation.

What Does the Future Hold for Auditors?

Auditing is getting more attention than ever thanks to Enron, Worldcom, and the outrage that they stirred up. The Sarbanes-Oxley Act includes a requirement for internal controls over financial reporting to be assessed annually with the conclusions of the assessment published and attested to by external auditors. This has increased the pressure dramatically.

At the same time, many internal auditors are changing the way they work, away from routine examination of internal controls, and toward a more flexible audit of all types of risk appearing on the corporate risk register. Although auditors feel this is a good direction, it is somewhat experimental and does create some difficulties.

One trend that may become more important is for organizations to set up a team of internal control specialists whose role is to help managers design, develop, and implement good control systems. They may do reviews, but the objective is very different from internal audit. This allows internal auditors to concentrate on what they do best, which is independent assessment, rather than getting stuck into design.

The new rules announced by the Securities and Exchange Commission (SEC) on May 27, 2003, may accelerate this trend. The rules say that companies cannot describe their controls as effectively if there is even one "material weakness." Many companies will use the extra time they have been given to try to eliminate as many weaknesses as possible and publish a clean report. While auditors can help with this, ultimately, you cannot audit your way to corporate health. Someone has to have the creative solutions to problems that have often lingered for years.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.