Category Archives: Audit is Interesting

Internal Audits – Auditing a Process Based QMS

As with any change to the international standard ISO 9001, or one of its ‘cousins’, like ISO/TS 16949, AS 9100 there’s an opportunity to review and improve the way an organization implements these requirements.

One important requirement, the internal audits, should be focused on the processes of the quality management system and recurring questions auditors have include; “How do I audit a process?” “Which processes should I start with?” and “How will I know if the process is effective?”

In the coming issues, we’ll be taking a look at practical answers to these questions and more. To start with, we’ll investigate how to get organized when planning and preparing to audit a business process……

A process can be defined as “activities which transform inputs into outputs”. One might add, “under controlled conditions”, since we usually want to be able to predict a (good) result! From this definition, we know a number of things already about any process, they have:

  • Input(s)
  • Output(s)
  • Activities
  • Controls

This is helpful, but heading off to do an internal audit with 4 topics on our checklist is unlikely to help us reveal if the process is working as intended. As auditors, we have to develop a better understanding of what an effective process requires to deliver a satisfactory outcome for the organization and its customers.

Most business processes have some form of goal or objective assigned to them, so that performance can be determined. This might be focused externally on customers’ needs or internally to the organization. And it’s usual that these goals and objectives have a measurement associated with them. If the process is working effectively, it’s by these performance criteria that an auditor can tell what’s being achieved.

In addition, it’s desirable to produce a consistent result; therefore, the process must be under control. Most of us know the wailing sound (output) made by a loudspeaker, when the microphone (input) is placed too close to that speaker – it’s called feedback! You can certainly measure the sound level, but the process is out of control! Our business processes need controls to ensure that things don’t get out of hand.

Process controls for the activities are accomplished many ways;

  • People – competent, aware and trained
  • Equipment – maintained, (calibrated, if necessary for measurement)
  • Methods – procedures, work instructions, (as necessary, under document control)
  • Materials – approved, available, identified, etc.

In listing these control criteria, our list of audit topics has grown quickly, and we must also consider some other controls which must be in place; – documentation controls, non-conformance, records generated from the process, corrective/preventive actions and improvements.

The challenge of preparing for any audit is the sequence in which to place these, so that we can gather useful information about the process, rather than just a number of facts, since creating a simple list of these topics is not as helpful. There are a number of ‘visual metaphors’ which have been used as tools to assist auditors. One unique approach has proven successful in helping auditors to organize these topics in an appropriate sequence – the ‘Football©’.

Internal Audits – Auditing a Process Based QMS
Internal Audits – Auditing a Process Based QMS

The use of this tool to ‘visualize’ the path an internal auditor should take when auditing a process has a number of advantages;

Comprehensive planning – so that all relevant controls are considered, in their correct sequence (the above is an example applicable to a manufacturing process). Structure to audit checklists or questions – they follow the appropriate process flow. This allows information to be gathered and used later to verify performance.

It can assist an audit manager with ensuring the assigned auditor (s) do the relevant research of those requirements and controls, so that they develop better understanding of them, before the audit interviews. The auditor has a ‘bigger picture’ to audit and is therefore more likely to see systematic issues.

Evaluation of actual process performance to the objective(s) as well as compliance of the QMS.

Better time management, adherence to audit scope etc.p>

By populating the various ‘bubbles’ (in the example) with the details of the organization’s management system and/or customer requirements etc., the auditor is able to get a clearer understanding of the expected outcomes. They are better able to identify opportunities within the management systems, as a result.

It is often easy for an internal auditor to be ‘drawn off track’ when evaluating the other criteria and controls (depicted by the football’s ‘laces’) which can affect a process – calibration for example – and the football assists the auditor in defining the ‘boundaries’ at which point they must decide to return to the normal process flow.

In review, conducting process based internal quality management system audits can be an overwhelming task leading only to a report based on compliance only. The use of a planning tool like the football, to map out an auditor’s strategy, leads to far more effective and efficient audits and focuses the auditor on validating the results of the process, to the plan.

In the next edition, we’ll take a look at which processes may be more ‘important’ than others and how to go about scheduling internal audits to consider them.

JP Morgan Whale Trade Losses: Important Lessons For Auditors And Risk Professionals

Some more information has come to light on the more than $7 billion “Whale Trade” derivative losses at JP Morgan—that total being comprised of an amount of over $6 billion in losses on the trade and a further amount of almost $1 billion in fines.

In an article on Bloomberg entitled JP Morgan’s Biggest Mistake, author William D Cohan provides us with somewhat of an insider’s overview on the problems that led to the Whale Trade losses—his sister-in-law sat on the Audit Committee. This article summarizes some of Cohan’s main points and identifies the lessons that auditors and other risk professionals should be learning in order to avoid making similar mistakes.

1. The culture within the organisation was such that senior trading managers not only refused to report the losses but they encouraged others not do so—that was until of course those losses became too big to ignore. As Cohan noted in his article:

“Then we learned that inside the bank there was (still is?) a culture of paranoia and secrecy that encouraged traders to hide their mushrooming losses.”JPMorgan-Chase

The main lessons here are as follow:

a. Culture and values, rewards and incentives, fear and sanctions play the most important role in determining how and when rogue trading takes place, the extent of the delay in reporting losses, how those losses are reported as well as their ultimate size.
b. Fear and the perception of sanctions that might follow an error or mispricing are enemies of good banking. In general, human factors are more important than all others in establishing an appropriate and reliable management reporting framework.
c. Management should work to create a set of values within and throughout their banks that positively encourages the free flow of information at all times without fear of the consequences.
d. An effective whistleblowing policy is also essential for ensuring that everyone performs and reports issues in accordance with stated policies.
e. As a point of reference, it should also be noted that one of the problems at Lehman Brothers was that Dick Fuld was so powerful that his reporting managers were fearful of telling him things that he did not want to hear—until of course it was too late.

2. The article states that traders were allowed to misprice their trading portfolios within the bid offer spread. While this may be true, mispricing of a portfolio within the bid-offer spread is unlikely to cause $6 billion in losses. Instead, it is more likely that the greater portion of this loss was in fact due to the earlier reports of changes in the pricing and risk model used for valuing the relevant trades which in effect reduced the reported losses. The lessons for auditors and risk professionals are thus as follows:

a. Establishing appropriate validation and change control procedures over pricing and risk models are extremely important.
b. Risk management should document and explain any changes in pricing and risk models in terms of how they impact the firm’s position and p/l. These should be reported to senior management at the highest level with an explanation of why such a change is deemed necessary.
c. For major trading portfolios, the change(s) in 2 above should always be accompanied by an external and independent evaluation of the changes and should include an overall assessment as to the validity of or necessity for such a change.
d. More importantly and especially in the case of major trading portfolios, no changes in pricing and risk models should be made or accepted into the financial records without first obtaining the specific approval of senior management.
e. Generally, an external and independent validation of risk models should be performed on a periodic basis in order to ensure that their performance is consistent with previously established criteria.

3. The traders were the main source of pricing for the portfolios in question. JP Morgan has since instituted a procedure where three independent pricing sources have to be obtained. The lessons here are as follows:

a. Again, wrong pricing would be more likely to cause large losses than any mispricing within the bid-offer spread.
b. It has always been a cardinal rule that traders should under no circumstances be able to provide their own prices. How this was overlooked or circumvented within JP Morgan is very difficult to explain. Independent Pricing and Valuation or IPV is one of the bedrocks of modern product and risk control within banks.

4. The article notes that an early warning sign as to what was happening came when a demand of $520 million in collateral was made by the counterparties on the other side of the trades within the portfolio. This $520 million collateral demand was a much higher figure than the losses being reported at the time. The lessons here are as follows:

a. It is vitally important that management and operations control are able to reconcile in some way the demand for more collateral or margin payments with movements in the trading p/l.
b. In addition to the above, there should be controls that place management on notice for any large amounts of collateral transfers or cash payments to counterparties on behalf of a particular trader, trading portfolio or trading desk.
c. As a point of reference, it should be noted here that the Nick Leeson debacle at Barings was in a large part due to the fact that management was unable to reconcile margin payments and the demand for cash with what was happening on the trading floor.

5. There was a $237 million loss in one of the spreadsheets used by the traders. The lesson is:

a. The use of spreadsheets for pricing and valuing products should be kept to an absolute minimum—too many trading rooms are still too dependent on their use.
b. Spreadsheets should be subject to the same validation, change management and independent valuation controls as other pricing and risk systems (see 2 above). Some may argue that the controls over spreadsheet should be even more stringent due to their relatively insecure operating environment.

6. JP Morgan is being forced by the Securities and Exchange Commission (SEC) to admit wrongdoing. As noted earlier the bank has been fined almost a $1 billion and its former traders are facing criminal charges. What does this all mean?

a. In the post financial crisis era regulators and prosecutors are much less forgiving of any lapses in governance and internal controls.

Jonathan Ledwidge is the author of the book Clearing The Bull, The Financial Crisis And Why Banks Need A Human Transformation (iUniverse)


Generating a Big Impact with a Small Audit Staff-Strategy VI

Strategy #6: Advisory or Consulting Engagements Can Be “High Impact” Too

The events of the past decade — Enron, WorldCom, Sarbanes-Oxley, and the global financial crisis, among others — have enhanced recognition of the fact that financial controls are important. But value-added consulting engagements such as assessment services, facilitation services, and remediation services also can add value and improve an organization’s operations in a big way. Consulting engagements are likely to be high impact because they generally are the result of management requests for needed services such as counsel, advice, facilitation, process design, and training.

Assessment engagements are those in which the auditor examines/evaluates a past, present, or future aspect of operations and renders information to assist management in making decisions. Examples of these engagements include assessing the risk of a physical security breach, evaluating a proposed reorganization plan, assessing proposed internal controls, or estimating total costs of decentralized acquisition.

Facilitation services are those in which auditors assist management in examining organizational performance for the purpose of promoting change. In a facilitation role, auditors do not “judge” performance. Instead, we guide management in identifying organizational strengths and opportunities for improvement. Examples include strategic planning support, business process reengineering support, benchmarking, performance measurement, and control self-assessment.

Remediation services are those in which the auditor assumes a direct role designed to prevent or remediate known or suspected problems on behalf of a client. Examples include developing and delivering training courses, reviewing or drafting proposed policies or systems, and augmenting operating personnel.

From Richard Chambers, CIA, CGAP, CCSA

Generating a Big Impact with a Small Audit Staff-Strategy V

Strategy #5: Measure Results

A major key to ensuring a big impact is simply to measure our own performance. By keeping track of measures such as return on investment, cycle time, customer satisfaction, and the percentage of our recommendations that have been implemented successfully, we can measure how well we are doing at meeting our goals.

As internal auditors, we expect operational management to measure their results, yet we often fail to take the same actions ourselves. When was the last time you looked at all the costs of doing an audit — not just internal audit’s personnel and travel costs, but also the costs to operating personnel in terms of time for interviews, walk-throughs, and report reviews? If you look at the total costs from management’s perspective, were your audits a good value? Each individual audit report may or may not have a big impact, but at a minimum your audit plans should demonstrate value relative to costs. If internal audit is not a good value, it is time to re-think the audit planning process with a keen eye for value-per-dollar- spent.

This is strategy 5 of 6.

From Richard Chambers, CIA, CGAP, CCSA

Auditors and Creativity


“We’ve always done it this way” and “This method always worked successfully in the past” don’t cut it anymore.

The business landscape is littered with wounded — or terminated — organizations and individuals who failed to challenge existing methods and practices; and internal auditing departments and internal auditors are no exception. Internal auditing departments that do not stimulate and reward creative endeavors are more likely to be threatened by outsourcing, budget cutbacks, and staff turnover. On the other hand, internal auditing departments that do promote innovation and creative problem solving are more likely to give their organizations the kind of help they need to succeed in an environment that has never been more challenging and competitive.

Creative Auditors — An Oxymoron?

We’ve all heard it. Whenever it’s implied that auditors have an ounce of creativity, someone will invariably ask, “Isn’t that an oxymoron?” And it’s not always outsiders who make the joke. Even some auditors apparently share the view that auditing isn’t creative, that it’s, well, boring — which helps to explain why so many talented individuals leave auditing, never become auditors, or wish they were no longer auditors. Of course, there are some internal auditors who genuinely like all aspects of their jobs; but the profession loses far too many innovative thinkers and future leaders.

A recent IIA survey revealed that the number one ethics issue facing internal auditors is “undue reliance on prior years’ audit programs and workpapers.”(1) Why do auditors rely so heavily on old workpapers? Why are the same audit programs automatically repeated each year? Why are the workpapers organized the same way? Why aren’t auditors more imaginative?

One explanation for the dearth of creativity in auditing is that most auditors have had minimal, if any, training in creative thinking. In fact, the auditing culture usually encourages opposite behavior. Auditors are taught to learn and enforce the rules, such as those governing internal controls, policies and procedures, laws and regulations. Although this work is clearly challenging, it does not usually involve creative thinking.

Creativity is not an innate talent that one either has or doesn’t have. Creative thinking can be taught and learned, just like sales or public speaking. Of course, some people have more natural ability than others, but that’s true of almost everything in life.

Creative approaches can be applied to almost everything internal auditors do. For example, creative techniques can help in finding new ways to:

* Strengthen the quality of audits.

* Improve efficiency.

* Provide value-added service to operating departments.

* Increase service to management and the audit committee.

* Enhance professional credibility.

* Improve working conditions.

In Michael Hammer and James Champy’s best-selling book, Reengineering the Corporation,(2) they state that “Redesign . . . demands imagination, inductive thinking, and a touch of a craziness. In redesigning processes, the reengineering team abandons the familiar and seeks the outrageous. Redesign asks the team members . . . to suspend their beliefs in the rules, procedures, and values that they’ve honored their whole working lives.” If auditors want to participate in this process, the traditional auditor mind-set must be abandoned, and audit approaches must be continually reexamined to ensure efficiency and quality.

The Creative Process

A self-assessment of strengths and weaknesses can help auditors and others who want to improve their creative skills. According to creativity guru Roger von Oech, the creative process involves four stages:

1. Explorer. The Explorer searches for new ideas — good or bad, rational or outrageous, serious or silly. Many, many ideas are needed to find innovative solutions to problems and challenges. As a famous philosopher once said, “Nothing is more dangerous than an idea when it is the only one you have.”

2. Artist.

The Artist takes existing ideas, provided by the Explorer, and molds or transforms them into entirely new and unique ideas.

3. Judge.

The Judge weeds out bad ideas and attempts to find workable, feasible solutions.

4. Warrior.

Finally, the Warrior implements the new ideas. Armed with a game plan, persistence, and diplomacy, the Warrior leads the battle against the many forces that resist change.

Each of the four steps is required if innovation is to occur. The most successful persons excel in all four areas, or they find others who complement their weaknesses.

Auditors often consider themselves weakest in the first two categories — the key ones for producing new ideas. Conversely, most auditors rank high in the “Judge” category. Auditors are skilled in evaluating different alternatives, shooting down unworkable ideas, and playing devil’s advocate, which means that, for most auditors, skills need to be improved in the other three categories.

The Creativity Toolbox

“Flashes of inspiration” seem to occur unexpectedly, and not always at the precise moment when you need them. When the auditing budget has to be reduced by 30 percent — without sacrificing quality — the ideas are needed now. A systematic method for stimulating new ideas can help.

Every auditor should build a personal “toolbox” to use whenever new ideas are needed. This figurative “box” should contain tools (idea stimulators) of all shapes and sizes. Some should be easy to use; some may be more sophisticated and require training.

The toolbox can even be used in one’s personal life. The same concepts that work in the business world can be applied to almost any situation. For example, a few fantastically clever costumes — the kind that win the Best Costume awards — always seem to show up at Halloween parties. Where do these ideas come from? Are the wearers just naturally creative? Possibly, but it’s more likely that they used creative toolboxes.

A Halloween toolbox might include a dictionary, for example. Each October, the toolbox’s owner might spend an hour scanning the pages in search of ideas. If a word leaps off the page, it’s written down (Explorer). Once a sheet of paper is filled, the person reviews the list and combines words to produce new ideas (Artist). Then, options are narrowed, based on factors such as cost (Judge). Finally, after reaching a decision, he or she purchases materials and prepares the costume (Warrior).

The result? On one Halloween, several friends dressed as Mount Rushmore. They walked together under a large, white sheet. Their faces, sticking out from four holes, were painted white, and each wore a powdered wig. The costume was a huge hit, and the idea didn’t require a visit to North Dakota, just the use of a simple tool, the dictionary.

An endless variety of tools can be stored in the auditor’s toolbox. Those already in use, such as prior audit workpapers, audit programs, and discussions with peers and other groups should not be discarded; but the toolbox needs to be bigger and better. It might include brainstorming sessions, process flow mapping, outsiders’ opinions, and other options.

Brainstorming Sessions

Brainstorming certainly isn’t new; but not everyone knows that brainstorming sessions produce optimum results when they are divided into two phases. In the first stage, ideas must be solicited and recorded without judgment or criticism. Under normal conditions, auditors may be hesitant to suggest new ideas that could appear stupid; but in the brainstorming environment crazy ideas are encouraged, since a dumb idea may spark a great one (the piggyback concept).

Once this phase is completed, participants should then focus on practical solutions. This is typically viewed as the “Judge” phase, but “Artist” possibilities should not be overlooked. In other words, as objections are raised, participants should search for ways to address them if the fundamental idea has potential. Many objections can be overcome if the team is determined to find new approaches.

While brainstorming may work best in groups, individuals can also “self-brainstorm.” To increase the odds for success, the individual must discipline himself or herself to produce ideas. For example, if the self-brainstorm is geared at rethinking the approach to achieving an audit objective, the auditor might commit to writing 10 completely different ways to accomplish the goal. Even when the task seems impossible and some of the ideas seem ridiculous, the determined brainstormer persists.

Sometimes “opposite thinking,” where the brainstormer lists 10 ways to achieve the opposite objective, can be productive. These ideas can lead to breakthroughs because the thinker has to explore radically different thoughts.

Process Flow Mapping

Since most audits are comprised of processes, this technique is an excellent tool to improve quality, efficiency, and service. The process flow map can be executed on a large sheet of paper or a blackboard.

Each step in the process and the estimated completion time should be listed, and the steps that add value and those that do not should be identified. Most participants are surprised at how often extensive effort produces little, if any, value.

What adds value in an audit? Activities that provide audit evidence or increase service levels — nothing else.

For example, the Exhibit illustrates the basic process for sending confirmations. Which steps add value? Just one: evaluating responses, or performing alternative procedures. No other step provides audit evidence or improves service.

So, can these steps be eliminated? Obviously not. But, these are examples of the kinds of areas that should be targeted when reduction of hours is under consideration. Using process flow maps in groups will almost invariably stimulate discussion and new ideas.


The saying “It’s difficult to see the picture when you’re inside the frame” illustrates a valid point regarding creative thinking. In Reengineering the Corporation, the authors write “It would be asking too much to expect [insiders], unaided, to overcome their cognitive and institutional biases and to envision radically new ways of working. Left to their own devices, a team made up of insiders will tend to recreate what already exists, with perhaps a 10 percent improvement. They will remain within the frame of the existing process, not break it. To understand what is being changed, the team needs insiders; but, to change it, the team needs a disruptive element. These are the outsiders.”(3)

Outsiders, such as audit efficiency consultants, can bring fresh perspectives and specialized expertise in areas such as benchmarking to internal auditing departments. Outsiders can also serve as a catalyst for action, unencumbered by office politics. The views of outsiders can provide the impetus for staff members to begin to look at old problems in new ways.

Other Options

There is room in the creative toolbox for many other resources, including more advanced techniques such as time compression studies, synectics, and mind mapping. A variety of books, software, training seminars, and audiocassettes can spark innovation. Simple tools, such as trade magazines or newspapers, can be powerful, too.

Just as a carpenter selects the appropriate tools for a project, auditors must choose the appropriate tools in each situation. The choice of tools depends on many factors, such as the nature of the problem or challenge, time constraints, and the availability of other persons and resources.

Overcoming Resistance to Change

Innovative ideas are useless if they are never implemented. To enact change, creative auditors must be determined to overcome frequent roadblocks. Anticipating and identifying obstacles are the first steps in conquering them.


Time pressure is a major killer of creativity. Just think about it. Will a better audit program be devised in five minutes or one hour? Robert Kriegel, in his book If It Ain’t Broke, Break It,”(4) points out that “As a result of our time famine, we go for early closure on important issues, grabbing at the first ‘solution’ and running with it.”

This is a real concern because many auditors do face enormous time constraints. These pressures explain why critically important functions, such as planning, are often neglected. First, planning is a nonurgent task and can usually be delayed. Second, it is difficult to devote sufficient resources for planning, including the time required for generating ideas, when reports must be delivered, phone calls returned, workpapers reviewed, and other tasks completed. So, even when time is allotted for planning, the process is often rushed and effectiveness is limited.

To combat this problem, auditors should be passionate, even obsessed, about planning. Unfortunately, most auditors do not naturally possess this enthusiasm, so adequate time needs to be budgeted for planning, and performance evaluations or incentive programs should reward those who devote time to planning, especially when time is limited.


The fear of various forms of punishment stifles innovation. Fear of failure also prevents many auditors from trying new ideas. Thus, the best auditing departments and audit teams promote a culture that removes such fears. Risk-taking may not be appropriate during fieldwork, but it should be encouraged, for example, in brainstorming sessions.


When change is proposed, egos are often at stake. Auditors must, therefore, polish their diplomacy skills. If an auditee is threatened and can hinder progress, he or she should be allowed to save face, which is sometimes an exercise in creativity itself. One technique is to stress how the current situation is different than the past and therefore requires different actions.

Lack of Cooperation

There are some who resist and fight change for selfish reasons. Creative ways must be found to overcome such resistance. Just as common are situations where others are simply not interested or are too busy to help.

In these circumstances, the auditor must be determined and persistent. No magical formulas exist. The only recourse is to rely on a can-do mentality. Creative auditors do not make excuses — they find ways to get the job done!


Creative auditors have a huge advantage over those who lack this expertise. Internal auditing departments should train auditors to be creative and promote a culture where creativity flourishes. On an individual basis, auditors can distinguish themselves by proposing new and innovative approaches to many aspects of their responsibilities.

Generating a Big Impact with a Small Audit Staff-Strategy III

Strategy #3: Benchmark for Success

Benchmarking is simply a process for comparing the performance or practices of one internal audit organization to another. It can be done either formally or informally, and it is particularly important for smaller internal audit shops, where the CAE may be somewhat isolated from the expertise of other experienced audit professionals.

As a CAE leading small shops, I found The IIA to be an extraordinary resource in connecting me with CAEs of similar sized audit groups. We frequently compared internal activities, processes, functions, or operations. I relied on benchmarking to facilitate improvements of my shop and to accelerate change, using tested and proven practices and identifying areas for improvement. Some of the objectives of benchmarking are to examine performance across organizations and industries in search of practices that are new or innovative. It also can be useful for involving process owners or for convincing skeptics of the need for change. (Remember the salary survey my colleague was reading? It seemed to convince him of a need for change, in salary at least.)

A few of the more common types of internal audit benchmarking include comparing audit charters, comparing briefing materials for new auditors (and for new audit committee members), comparing audit planning processes, and comparing audit reports and reporting processes. Many audit shops also participate in formal benchmarking programs, and small audit shop CAEs are turning increasingly to The IIA’s new AuditExecutiveCenter as a resource.

This is strategy 3 of 6.

From Richard Chambers, CIA, CGAP, CCSA

Generating a Big Impact with a Small Audit Staff-Strategy IV

Strategy #4: Improve Internal Audit Processes

Some of the biggest impediments to internal audit productivity are ineffective and inefficient processes. Large audit staffs can afford a certain amount of inefficiency. Small shops cannot. As a profession, we still have quite a bit of work to do in this area: Despite the fact that we are experts in reviewing operations, quality reviews often indicate that internal audit organizations can improve processes for planning (both annual and at the engagement level), conducting engagements, documenting results, reporting results, monitoring results, and for quality controls.

One common objective is to reduce engagement cycle time, or the time required to complete an audit. During the past century, delivery of news information has progressed from monthly, to weekly, to daily, to hourly, to the present, when news is delivered instantly to your cell phone or desk. Our customers are becoming conditioned to speed, but unfortunately, internal auditing has not kept pace.

Timeliness is a journey that begins with the survey phase and includes planning and fieldwork, concluding with the final report. Some of the reasons for long cycle time include an extensive survey phase, scope or objectives that are too broad (or that grow over time), poor plans, inefficient methodology, uncooperative activity personnel, limited expertise, staffing constraints, excessive evidence/workpapers, delays in writing draft reports, an inefficient editing process, untimely supervisory reviews or quality assurance processes, extensive legal reviews, delays in receiving final approval for release of draft reports, delays by activity personnel in providing a response, or delays in resolving disagreements.

Unfortunately the consequences of long cycle time can be disastrous: poor customer satisfaction, out-of- date audit results, diminished value of products, or even diminished value of the audit organization itself. In internal auditing, the work never stops, so it’s important to remember to wind up older projects before the audit information can become stale.

This is strategy 4 of 6.

From Richard Chambers, CIA, CGAP, CCSA